Amazon AWS Certified Security – Specialty SCS-C02: How to Set Up Customized Notification Solution for Bastion Host Authentication Failures on AWS?

Learn how to implement a customized notification solution using native AWS services to detect and alert designated system administrators of repeated unauthorized authentication attempts to bastion hosts.

Question

A company is implementing a customized notification solution to detect repeated unauthorized authentication attempts to bastion hosts. The company’s security engineer needs to implement a solution that will provide notification when 5 failed attempts occur within a 5-minute period. The solution must use native AWS services and must notify only the designated system administrator who is assigned to the specific bastion host.

Which solution will meet these requirements?

A. Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.
B. Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon EventBridge event based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.
C. Use the Amazon CloudWatch agent to collect operating system logs. Create a CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.
D. Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use EC2 instance tags to determine which SNS topics receive notifications.

Answer

A. Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.

Explanation

  1. Amazon CloudWatch agent: Install the CloudWatch agent on the bastion hosts to collect operating system logs. This agent will monitor and send the logs to CloudWatch Logs for further processing.
  2. Metric filter: Create a metric filter in CloudWatch Logs to parse the collected logs and identify failed login attempts. The filter will increment a custom metric whenever a failed attempt is detected.
  3. Amazon EventBridge: Set up an EventBridge rule to monitor the custom metric created by the metric filter. Configure the rule to trigger when the number of failed attempts reaches 5 within a 5-minute period.
  4. Amazon Simple Notification Service (SNS): Create an SNS topic for each designated system administrator responsible for specific bastion hosts. The EventBridge rule will send an alert to the appropriate SNS topic when the defined threshold is exceeded.
  5. Amazon EC2 instance tags: Use tags on the bastion host EC2 instances to specify which SNS topic should receive notifications for each host. This allows for granular control over which system administrator is alerted for specific bastion hosts.

By using CloudWatch Logs, metric filters, EventBridge, SNS, and EC2 instance tags, this solution provides a customized and automated approach to detect and notify the appropriate system administrator of repeated unauthorized authentication attempts to bastion hosts. The combination of these native AWS services ensures a scalable, efficient, and targeted notification system.
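The following Python script is an added example, not part of the original question or of any AWS tooling. It replays a few constructed sshd log lines through the same three pieces the explanation describes: a "Failed password" match standing in for the CloudWatch Logs metric filter pattern `"Failed password"`, a per-host count that fires once when 5 failures land inside 5 minutes, and a tag lookup (the `AdminSnsTopic` tag key, the `INSTANCE_TAGS` map and the SNS topic ARNs are all assumed placeholders; in AWS the tag would come from the EC2 DescribeTags API) that picks the topic for the host that raised the alarm. It also shows the caveat that a real alarm needs: an untagged host still has to route somewhere, so a default topic is used when the tag is missing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for a CloudWatch Logs metric filter with the pattern "Failed password":
# each matching log event increments the failed-login metric by 1.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for")

# Alarm settings taken from the question: 5 failures within a 5-minute window.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Hypothetical stand-in for EC2 instance tags (constructed for this example).
# In AWS the AdminSnsTopic tag would be read with DescribeTags; ARNs are placeholders.
INSTANCE_TAGS = {
    "bastion-a": {"AdminSnsTopic": "arn:aws:sns:us-east-1:111122223333:bastion-a-admin"},
    "bastion-b": {"AdminSnsTopic": "arn:aws:sns:us-east-1:111122223333:bastion-b-admin"},
}
# Fallback for hosts that were never tagged (placeholder ARN).
DEFAULT_TOPIC = "arn:aws:sns:us-east-1:111122223333:bastion-untagged-admin"

# syslog-style line: "Mar 10 12:00:01 host sshd[pid]: message"
SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line, year=2024):
    """Split a syslog line into (timestamp, hostname, message); None if unparseable."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def topic_for(host):
    """Route to the SNS topic named in the host's AdminSnsTopic tag, else the default."""
    return INSTANCE_TAGS.get(host, {}).get("AdminSnsTopic", DEFAULT_TOPIC)


def evaluate(lines, year=2024):
    """Replay log lines and return alerts as (host, topic_arn, fired_at) tuples.

    Mimics alarm state: an alert is emitted once when a host's failure count
    reaches THRESHOLD inside WINDOW, and not again until the count has dropped
    below THRESHOLD (the alarm returning to OK).
    """
    recent = defaultdict(deque)  # host -> timestamps of failures still inside WINDOW
    in_alarm = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if not FAILED_LOGIN.search(msg):
            continue  # successful logins and other sshd events do not count
        window = recent[host]
        window.append(ts)
        while window and window[0] < ts - WINDOW:
            window.popleft()  # evict failures older than 5 minutes
        if len(window) >= THRESHOLD:
            if host not in in_alarm:
                in_alarm.add(host)
                alerts.append((host, topic_for(host), ts))
        else:
            in_alarm.discard(host)
    return alerts


# Constructed sample log: bastion-a takes 6 failures in 25 seconds (plus one
# successful key login that must not count); bastion-b never has 5 inside 5 minutes.
SAMPLE_LOG = """\
Mar 10 12:00:01 bastion-a sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 12:00:05 bastion-a sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 10 12:00:07 bastion-a sshd[2105]: Accepted publickey for ops from 198.51.100.7 port 50214 ssh2
Mar 10 12:00:09 bastion-a sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40138 ssh2
Mar 10 12:00:14 bastion-a sshd[2109]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar 10 12:00:20 bastion-a sshd[2111]: Failed password for invalid user oracle from 203.0.113.5 port 40151 ssh2
Mar 10 12:00:25 bastion-a sshd[2113]: Failed password for root from 203.0.113.5 port 40160 ssh2
Mar 10 12:01:00 bastion-b sshd[3301]: Failed password for ops from 198.51.100.9 port 51000 ssh2
Mar 10 12:02:00 bastion-b sshd[3303]: Failed password for ops from 198.51.100.9 port 51004 ssh2
Mar 10 12:03:00 bastion-b sshd[3305]: Failed password for ops from 198.51.100.9 port 51008 ssh2
Mar 10 12:07:00 bastion-b sshd[3307]: Failed password for ops from 198.51.100.9 port 51012 ssh2
Mar 10 12:08:00 bastion-b sshd[3309]: Failed password for ops from 198.51.100.9 port 51016 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, topic, fired_at in evaluate(SAMPLE_LOG):
        print(f"{fired_at:%H:%M:%S} {host}: threshold reached, notify {topic}")
```

Running the script yields a single alert for bastion-a at 12:00:20 (the fifth failure), routed to that host's own topic; the sixth failure does not produce a duplicate, and bastion-b stays quiet. One difference from the managed service is worth knowing: the script uses a sliding window, whereas a CloudWatch alarm evaluates the metric over fixed periods (for example a 300-second period with a Sum statistic and a threshold of 5), so a burst that straddles two periods may be counted differently than shown here.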