ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your operations team must detect any unauthorized changes to Amazon EC2 security groups within seconds, retain the full audit trail for at least one year, and guarantee that the records cannot be altered after capture. Which solution uses native AWS services to meet all requirements with minimal operational overhead?
Deploy AWS Config with a managed rule that checks security-group changes and export evaluation results to an S3 bucket using lifecycle policies for 365-day retention.
Create a multi-Region CloudTrail trail that logs to an S3 bucket with Object Lock in compliance mode and configure an EventBridge rule that triggers an SNS notification on security-group modification events.
Enable CloudWatch detailed monitoring on all EC2 instances and stream metrics to a centralized CloudWatch Logs group with a 400-day retention period.
Enable VPC Flow Logs for all VPCs, send them to CloudWatch Logs, and create metric filters that publish to SNS when unusual traffic patterns are detected.
AWS CloudTrail records every API call that creates, updates, or deletes a security group or its rules. Configuring a multi-Region trail to deliver logs to an Amazon S3 bucket protected by Object Lock in compliance mode keeps those log files immutable for the one-year retention period: once a compliance-mode retention period is applied, no principal, including the account root user, can delete or overwrite the object until the period expires (Object Lock also requires S3 Versioning, which is switched on when Object Lock is enabled on the bucket). CloudTrail forwards management events such as AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress to the Amazon EventBridge default event bus as "AWS API Call via CloudTrail" events within seconds, where an EventBridge rule can invoke Amazon SNS (or another target) for immediate alerting; a trail with logging enabled must exist for those events to reach the bus. In contrast, VPC Flow Logs only capture network-traffic metadata, not configuration changes; AWS Config can detect drift and can evaluate a rule on each configuration change, but detection and notification typically take minutes rather than seconds, and its delivery bucket has no write-once-read-many control unless Object Lock is configured separately; and CloudWatch instance metrics monitor performance, not security-group API activity. Therefore, the combination of CloudTrail, S3 Object Lock, and EventBridge with SNS best satisfies the detection speed, retention, and immutability requirements while relying solely on managed AWS services.
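As an added example (not from the page, ISC2, or AWS), the following Python shows the EventBridge event pattern behind the correct answer, a small offline matcher that checks it against constructed CloudTrail-style events, and a deploy function with the boto3 calls that create the Object Lock bucket, the multi-Region trail, and the rule. Bucket, trail, rule, and topic names are placeholders, the SNS topic is assumed to already allow events.amazonaws.com to publish, and the event records are constructed sample data.

```python
"""Added example (not the page's or AWS's own code): the EventBridge rule behind
the correct answer, checked offline against constructed CloudTrail-style events,
plus the boto3 calls that create the Object Lock bucket, the trail and the rule.
All resource names are placeholders (assumptions)."""
import json

# EC2 write actions that create, delete or change a security group or its rules.
SG_CHANGE_EVENTS = [
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
    "UpdateSecurityGroupRuleDescriptionsIngress",
    "UpdateSecurityGroupRuleDescriptionsEgress",
]

# CloudTrail forwards management events to the default bus with this source and
# detail-type; listing only write actions keeps DescribeSecurityGroups reads silent.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": SG_CHANGE_EVENTS},
}


def pattern_matches(pattern, event):
    """Minimal EventBridge matcher for the exact-match subset used above: every
    pattern key must exist in the event, a list means 'one of', a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def cloudtrail_event(event_name, source="aws.ec2", event_source="ec2.amazonaws.com", **params):
    """Constructed sample event in the shape EventBridge delivers for a CloudTrail call."""
    return {
        "version": "0", "source": source, "region": "us-east-1",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventVersion": "1.08", "eventSource": event_source,
                   "eventName": event_name, "requestParameters": params},
    }


def alerts_for(events):
    """eventName of every event the rule would forward to the SNS target."""
    return [e["detail"]["eventName"] for e in events if pattern_matches(EVENT_PATTERN, e)]


# Constructed sample data: two changes that must alert, a read and another service that must not.
SAMPLE_EVENTS = [
    cloudtrail_event("AuthorizeSecurityGroupIngress", groupId="sg-0123456789abcdef0",
                     ipPermissions={"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22}]}),
    cloudtrail_event("DescribeSecurityGroups"),
    cloudtrail_event("DeleteSecurityGroup", groupId="sg-0123456789abcdef0"),
    cloudtrail_event("CreateDBSecurityGroup", source="aws.rds", event_source="rds.amazonaws.com"),
]


def deploy(bucket, trail_name, rule_name, topic_arn, account_id, region="us-east-1", days=365):
    """Wire the pieces up (needs AWS credentials; not run offline). Enabling Object Lock
    also turns on Versioning; a default COMPLIANCE retention means no principal, root
    included, can delete or overwrite a delivered log object before `days` elapse."""
    import boto3  # imported here so the offline matcher above runs without boto3

    s3 = boto3.client("s3", region_name=region)
    args = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        args["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**args)
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration={
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}}})
    # CloudTrail needs GetBucketAcl on the bucket and PutObject under AWSLogs/<account>/.
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}))
    ct = boto3.client("cloudtrail", region_name=region)
    ct.create_trail(Name=trail_name, S3BucketName=bucket, IsMultiRegionTrail=True,
                    EnableLogFileValidation=True)  # digest files let auditors verify the chain
    ct.start_logging(Name=trail_name)
    eb = boto3.client("events", region_name=region)
    eb.put_rule(Name=rule_name, EventPattern=json.dumps(EVENT_PATTERN), State="ENABLED")
    # Assumes the topic's access policy already lets events.amazonaws.com publish to it.
    eb.put_targets(Rule=rule_name, Targets=[{"Id": "sg-change-alert", "Arn": topic_arn}])


if __name__ == "__main__":
    print(alerts_for(SAMPLE_EVENTS))  # ['AuthorizeSecurityGroupIngress', 'DeleteSecurityGroup']
```

The matcher covers only the exact-value subset of EventBridge pattern syntax that this rule needs; it is there so the pattern can be checked against sample records before the rule is deployed, not as a general EventBridge emulator. Log file validation is enabled on the trail because Object Lock prevents tampering but the signed digest files are what let an auditor prove that nothing was removed from the delivered sequence.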
Exam domain: Risk Identification, Monitoring and Analysis