ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A payment-processing workload is being migrated to AWS. PCI DSS requires the organization to be able to reconstruct full network sessions and to retain all related audit evidence for at least 12 months in a tamper-evident repository. The security team also wants to avoid introducing additional CPU or disk overhead on production EC2 instances. Which design change best satisfies these requirements?
Forward all syslog messages to a bastion host and store them on a local file system with permissions set to read-only for administrators.
Install tcpdump agents on every EC2 instance and schedule uploads of rotated capture files to an S3 bucket that has versioning disabled.
Mirror all VPC traffic to a dedicated capture appliance in a separate security VPC and store the resulting pcap files in an Amazon S3 bucket with Object Lock enabled.
Enable CloudTrail data events for VPC and export the logs to CloudWatch Logs, then archive them in an encrypted DynamoDB table.
VPC Traffic Mirroring copies packets at the hypervisor layer, so production EC2 instances are not burdened with capture or transfer tasks. Mirrored traffic can be sent to an out-of-band sensor or collector located in a separate security VPC. When that collector writes the resulting pcap files to an Amazon S3 bucket with Object Lock enabled in compliance mode, each object becomes write-once-read-many (WORM) and cannot be altered or deleted for the retention period, delivering the tamper-evident storage mandated by PCI DSS.
The agent-based tcpdump option adds processing and storage overhead to every instance and relies on administrators to manage file integrity, making tampering easier. CloudTrail data events provide API-level logs, not full packet captures, so they cannot recreate network sessions. Simply forwarding syslog files to a bastion host and restricting file permissions does not provide true WORM protection and still lacks packet-level visibility.
Cloud Platform & Infrastructure Security