Log Analysis PBQs: AWS Certified CloudOps Engineer – Associate (SOA-C03)
Question 1 of 3 (easy)
You are a CloudOps engineer who received a Slack notification from AWS Config indicating a compliance rule violation in your production account. The alert fired approximately 10 minutes ago and references a security group change. Your team lead has asked you to review the recent CloudTrail and AWS Config events in the SIEM dashboard to determine what changed, confirm the violation, and recommend a remediation. Flag all entries related to the security group misconfiguration and answer the incident questions.
Objectives
- Review the CloudTrail and AWS Config events for the recent compliance violation
- Flag all log entries related to the security group misconfiguration
- Classify the type of security incident
- Identify the affected security group
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 16:00:00 | INFO | cloudtrail | DescribeInstances called by role:ops-automation-role from 10.0.1.20 |
| | 16:02:00 | INFO | cloudtrail | DescribeAlarms called by role:monitoring-role from 10.0.2.5 |
| | 16:05:30 | WARN | cloudtrail | AuthorizeSecurityGroupIngress called by user:ops-twright -- sg-0abc1234def56789 added rule: TCP port 22 from 0.0.0.0/0 |
| | 16:06:00 | ALERT | cloudtrail | AWS Config rule restricted-ssh evaluated NON_COMPLIANT for security group sg-0abc1234def56789 |
| | 16:06:15 | INFO | cloudtrail | PutEvaluations called by role:config-recorder-role -- 1 evaluation submitted |
| | 16:07:00 | INFO | cloudtrail | DescribeSecurityGroups called by role:config-recorder-role for sg-0abc1234def56789 |
| | 16:08:00 | WARN | guardduty | Recon:EC2/PortProbeUnprotectedPort -- port 22 on instance i-0fedcba987654321 probed from 203.0.113.50 |
| | 16:10:00 | INFO | cloudtrail | PutMetricAlarm called by role:monitoring-role -- alarm:DiskSpaceUtilization updated |
| | 16:12:00 | INFO | cloudtrail | DescribeAutoScalingGroups called by role:ops-automation-role from 10.0.1.20 |
| | 16:13:30 | INFO | cloudtrail | ListBuckets called by user:ops-twright from 10.0.4.8 |
| | 16:15:00 | INFO | cloudtrail | GetBucketPolicy called by role:config-recorder-role on bucket:config-compliance-logs |
| | 16:16:00 | INFO | cloudtrail | DescribeVolumes called by role:monitoring-role from 10.0.2.5 |
12 total entries.
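The triage the question asks for can be scripted once the SIEM rows are in hand: find the `AuthorizeSecurityGroupIngress` call that opened a port to the whole Internet, pull every later entry that references the same security group or probes the newly opened port, and build the exact `IpPermissions` payload that `ec2.revoke_security_group_ingress()` needs to undo that one rule without touching the group's other rules. The following is an added example, not code from the page or from AWS; the event list is a constructed copy of the table above (not real CloudTrail or GuardDuty JSON), the message regexes assume the table's wording, and no AWS API is actually called.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample in the shape of the page's event table: (time, severity, source, message).
EVENTS = [
    ("16:00:00", "INFO",  "cloudtrail", "DescribeInstances called by role:ops-automation-role from 10.0.1.20"),
    ("16:02:00", "INFO",  "cloudtrail", "DescribeAlarms called by role:monitoring-role from 10.0.2.5"),
    ("16:05:30", "WARN",  "cloudtrail", "AuthorizeSecurityGroupIngress called by user:ops-twright -- sg-0abc1234def56789 added rule: TCP port 22 from 0.0.0.0/0"),
    ("16:06:00", "ALERT", "cloudtrail", "AWS Config rule restricted-ssh evaluated NON_COMPLIANT for security group sg-0abc1234def56789"),
    ("16:06:15", "INFO",  "cloudtrail", "PutEvaluations called by role:config-recorder-role -- 1 evaluation submitted"),
    ("16:07:00", "INFO",  "cloudtrail", "DescribeSecurityGroups called by role:config-recorder-role for sg-0abc1234def56789"),
    ("16:08:00", "WARN",  "guardduty",  "Recon:EC2/PortProbeUnprotectedPort -- port 22 on instance i-0fedcba987654321 probed from 203.0.113.50"),
    ("16:10:00", "INFO",  "cloudtrail", "PutMetricAlarm called by role:monitoring-role -- alarm:DiskSpaceUtilization updated"),
    ("16:12:00", "INFO",  "cloudtrail", "DescribeAutoScalingGroups called by role:ops-automation-role from 10.0.1.20"),
    ("16:13:30", "INFO",  "cloudtrail", "ListBuckets called by user:ops-twright from 10.0.4.8"),
    ("16:15:00", "INFO",  "cloudtrail", "GetBucketPolicy called by role:config-recorder-role on bucket:config-compliance-logs"),
    ("16:16:00", "INFO",  "cloudtrail", "DescribeVolumes called by role:monitoring-role from 10.0.2.5"),
]

# Assumed message formats (they match the table above, not a real log schema).
AUTH_RE = re.compile(
    r"AuthorizeSecurityGroupIngress called by (?P<principal>\S+) -- "
    r"(?P<sg>sg-[0-9a-f]+) added rule: (?P<proto>\w+) port (?P<port>\d+) from (?P<cidr>\S+)"
)
PROBE_RE = re.compile(r"port (?P<port>\d+) on instance (?P<instance>i-[0-9a-f]+) probed from (?P<src>\S+)")


def is_world_open(cidr: str) -> bool:
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0), i.e. prefix length 0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_world_open_ingress(events) -> Optional[dict]:
    """First AuthorizeSecurityGroupIngress event whose source CIDR is the whole Internet."""
    for idx, (time, _sev, source, msg) in enumerate(events):
        if source != "cloudtrail":
            continue
        m = AUTH_RE.search(msg)
        if m and is_world_open(m["cidr"]):
            return {"index": idx, "time": time, **m.groupdict(), "port": int(m["port"])}
    return None


def related_entries(events, rule: dict) -> list:
    """Indices to flag: every mention of the affected SG, plus GuardDuty probes of the
    opened port that arrive after the change (the exposure being exploited)."""
    hits = []
    for idx, (time, _sev, source, msg) in enumerate(events):
        if rule["sg"] in msg:
            hits.append(idx)
        elif source == "guardduty" and time > rule["time"]:  # HH:MM:SS strings compare correctly
            m = PROBE_RE.search(msg)
            if m and int(m["port"]) == rule["port"]:
                hits.append(idx)
    return hits


def revoke_payload(rule: dict) -> dict:
    """Keyword arguments for boto3 ec2.revoke_security_group_ingress(), scoped to the one
    offending rule so the group's legitimate rules stay intact. Built but not sent here."""
    return {
        "GroupId": rule["sg"],
        "IpPermissions": [{
            "IpProtocol": rule["proto"].lower(),
            "FromPort": rule["port"],
            "ToPort": rule["port"],
            "IpRanges": [{"CidrIp": rule["cidr"]}],
        }],
    }


def triage(events) -> Optional[dict]:
    """Answer the incident questions from the event list, or None if no world-open rule exists."""
    rule = find_world_open_ingress(events)
    if rule is None:
        return None
    return {
        "incident_type": "security group misconfiguration: unrestricted ingress",
        "affected_sg": rule["sg"],
        "changed_by": rule["principal"],
        "flagged": related_entries(events, rule),
        "immediate_action": revoke_payload(rule),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

Revoking only the matching rule is deliberate: calling `revoke_security_group_ingress` with the exact protocol, port range and CIDR that was authorized removes the exposure without disrupting the other ingress rules the workload depends on, and the Config rule re-evaluates to COMPLIANT on the next change. Note that the GuardDuty probe at 16:08:00 is flagged by port correlation rather than by security group ID, since the finding names the instance, not the group.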