Practice Test

True/False: Amazon CloudWatch can be used to log all API activities within an AWS account.

  • True
  • False

Answer: True

Explanation: Amazon CloudWatch keeps track of all the API activities within an AWS account, which can be very beneficial for logging and maintaining AWS data.

Single Select: Which of the following services can be used to log access to AWS services?

  • A) AWS CloudTrail
  • B) Amazon EC2
  • C) AWS CodePipeline
  • D) AWS S3

Answer: A) AWS CloudTrail

Explanation: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account by logging all the actions across your AWS infrastructure.

Single Select: Which among the following is a benefit of activated logging in Amazon S3?

  • A) Enhanced performance
  • B) Increased storage
  • C) Server-side latency measurement
  • D) Security and access control

Answer: D) Security and access control

Explanation: Activated logging within Amazon S3 will provide visibility into object-level operations, contributing to an enhanced security posture and more rigorous access control.

True/False: AWS CloudTrail logs cannot be delivered to an Amazon S3 bucket.

  • True
  • False

Answer: False

Explanation: AWS CloudTrail logs can be delivered to an Amazon S3 bucket. This is useful for storing and analyzing historical data.

Multiple Select: Which of the following pieces of information are included in CloudTrail logs?

  • A) The identity of the API caller
  • B) The time of the API call
  • C) The requested items in the API call
  • D) The cost of the API call

Answer: A) The identity of the API caller, B) The time of the API call, C) The requested items in the API call

Explanation: AWS CloudTrail logs include the identity of the API caller, the time of the call, the source IP address of the caller, the request parameters, and the response elements returned by the AWS service.

True/False: All activities in AWS Key Management Service (KMS) are logged by default.

  • True
  • False

Answer: False

Explanation: Not all activities in AWS KMS are logged by default. You must explicitly enable AWS CloudTrail for logging.

Single Select: Which AWS service would be the best to use for long-term retention of CloudTrail logs for future audits?

  • A) Amazon Glacier
  • B) Amazon EC2
  • C) Amazon Lambda
  • D) Amazon Redshift

Answer: A) Amazon Glacier

Explanation: Amazon Glacier is an archival service and would be a cost-effective choice for long-term retention of CloudTrail logs.

Single Select: Which of the following is NOT a method for controlling access to CloudTrail log files in AWS?

  • A) AWS KMS
  • B) IAM Policies
  • C) S3 Bucket Policies
  • D) Amazon EC2 Security Groups

Answer: D) Amazon EC2 Security Groups

Explanation: Amazon EC2 Security Groups manage access at the instance level, not the file or service level.

True/False: You cannot monitor the creation and deletion of Stream Analytics jobs using AWS CloudTrail.

  • True
  • False

Answer: False

Explanation: AWS CloudTrail captures all API calls for Stream Analytics as events, including the calls from the Stream Analytics console and code calls to the Stream Analytics API operations.

Multiple Select: Which AWS services allow for data export for further analysis? (Select all that apply)

  • A) AWS CloudTrail
  • B) Amazon Athena
  • C) Amazon QuickSight
  • D) AWS Well-Architected Tool

Answer: A) AWS CloudTrail, B) Amazon Athena, C) Amazon QuickSight

Explanation: AWS CloudTrail, Athena and QuickSight all allow you to export data for further analysis. AWS Well-Architected Tool, however, is used to evaluate the state of your workloads and compare them to the latest AWS architectural best practices.

Interview Questions

Which AWS service would you primarily use to record accesses to AWS services within an account?

The primary service to record accesses to AWS services is AWS CloudTrail.

Can AWS CloudTrail record API calls made by AWS Management Console, SDKs, command line tools, and other AWS services?

Yes, AWS CloudTrail records all API calls, including those made from the AWS Management Console, SDKs, command line tools, and AWS services.

Where does AWS CloudTrail deliver the log files?

AWS CloudTrail delivers the log files to an Amazon S3 bucket specified by the user during the setup.

Can AWS CloudTrail be configured to send notifications upon log file delivery?

Yes, AWS CloudTrail can be configured to send SNS notifications upon each new log file delivery.

Do all AWS services support logging with AWS CloudTrail?

Most AWS services support logging with AWS CloudTrail. However, there might be a few services that do not support AWS CloudTrail yet. It’s always best to check the official documentation.

Do AWS IAM policies affect the visibility of AWS CloudTrail logs?

Yes, AWS IAM policies can restrict access to CloudTrail logs by allowing or denying permissions.

Can you encrypt CloudTrail log files at rest and in transit?

Yes, CloudTrail log files can be encrypted at rest using AWS Key Management Service (KMS) keys and in transit using SSL/TLS.

Is it possible to create a trail that applies to all AWS regions?

Yes, AWS CloudTrail allows creating a trail that applies to all AWS regions.

How long does AWS CloudTrail retain the event history?

AWS CloudTrail retains the event history for 90 days.

Can I automate responses to specific AWS CloudTrail log events?

Yes, you can automate responses by setting up AWS Lambda functions to respond to specific AWS CloudTrail events.

Is it possible to integrate AWS CloudTrail with third-party applications for log analysis?

Yes, AWS CloudTrail integrates with various third-party applications, such as Splunk and Sumo Logic, for log analysis and visualisation.

Can AWS CloudTrail be used for compliance reporting?

Yes, AWS CloudTrail logs can be used for compliance reporting because the service provides a history of AWS API calls for an account.

Can you track changes to AWS resources with AWS CloudTrail?

Yes, AWS CloudTrail allows you to track changes to AWS resources by monitoring the API calls.

Can you integrate AWS CloudTrail with Amazon CloudWatch Logs?

Yes, you can integrate AWS CloudTrail with Amazon CloudWatch Logs to monitor logs and set alarms.

Is AWS CloudTrail activated by default on AWS accounts?

Yes, AWS CloudTrail is activated by default as it provides an event history of your AWS account’s activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.
