Exam Cram: Troubleshooting AWS Security Monitoring & Logging
Troubleshoot security monitoring, logging, and alerting solutions
This sheet focuses on Domain 1.3 of the SCS-C03 exam: Troubleshoot security monitoring, logging, and alerting solutions. It targets the common failure points in log ingestion, metric aggregation, and alert delivery.
Topic Weighting
| Domain | Task | Exam Weight |
|---|---|---|
| Domain 1: Detection | 1.3: Troubleshooting | ~8-10% of total exam |
> [!IMPORTANT]
> Detection (Domain 1) as a whole represents 20% of the exam. Troubleshooting is a core pillar that often combines identity (IAM) and infrastructure (VPC/S3) knowledge.
Key Concepts Summary
1. The "Broken Link" Framework
Most troubleshooting questions follow a standard path. Check in this order:
- Permissions: Does the service (e.g., EC2, CloudTrail) have an IAM Role/Policy to write to the destination (S3, CloudWatch)?
- Resource Policies: Does the destination (S3 Bucket, KMS Key, SNS Topic) allow the source to access it?
- Network/Connectivity: If using the CloudWatch Agent, can the EC2 instance reach the public endpoint or VPC Endpoint?
- Service Limits: Is the log group at its throughput limit or is the account being throttled?
2. Service-Specific Troubleshooting
- CloudTrail: Ensure the S3 bucket policy allows `cloudtrail.amazonaws.com` to `s3:PutObject`. If logs are encrypted, the KMS key policy must also allow CloudTrail access.
- VPC Flow Logs: Requires an IAM role with a trust relationship for `vpc-flow-logs.amazonaws.com`.
- CloudWatch Agent: Often fails due to a missing `CloudWatchAgentServerPolicy` on the IAM Instance Profile or incorrect `config.json` syntax.
- GuardDuty: If findings aren't appearing, verify that the relevant data sources (CloudTrail, VPC Flow Logs, DNS Logs) are active in that region.
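The CloudWatch Agent item above blames `config.json` syntax for many failed starts. The following is an added example (not AWS tooling and not code from this sheet) that checks an agent configuration file offline before it is handed to the agent: it reports a JSON parse error with its position, then checks the structure of the file-collection section. The required keys it enforces are this example's reading of the agent schema (assumption): every `collect_list` entry needs `file_path` and `log_group_name`, while `log_stream_name` is optional. The three sample configurations are constructed.

```python
"""Offline check of a CloudWatch agent config.json.  Added example, not AWS
tooling.  It flags the two failures named in the sheet: invalid JSON (the agent
will not start) and a log-file entry the agent cannot act on.  Required keys
are an assumption taken from the agent's file-collection schema."""
import json

REQUIRED_COLLECT_KEYS = ("file_path", "log_group_name")   # assumption, see lead-in


def validate_agent_config(text):
    """Return a list of problems; an empty list means the file passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        # Stray trailing commas and comments are the usual culprits here.
        return [f"invalid JSON at line {e.lineno} col {e.colno}: {e.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    if "metrics" not in cfg and "logs" not in cfg:
        problems.append("neither 'metrics' nor 'logs' present; the agent would collect nothing")
    if "metrics" in cfg and "metrics_collected" not in cfg["metrics"]:
        problems.append("'metrics' section has no 'metrics_collected'")
    collect = (cfg.get("logs", {}).get("logs_collected", {})
                  .get("files", {}).get("collect_list", []))
    for i, entry in enumerate(collect):
        for key in REQUIRED_COLLECT_KEYS:
            if key not in entry:
                problems.append(f"logs collect_list[{i}] is missing '{key}'")
    return problems


# Constructed sample configurations.
GOOD_CONFIG = """{
  "metrics": {"metrics_collected": {"mem": {"measurement": ["mem_used_percent"]}}},
  "logs": {"logs_collected": {"files": {"collect_list": [
    {"file_path": "/var/log/secure", "log_group_name": "/ec2/secure",
     "log_stream_name": "{instance_id}"}
  ]}}}
}"""

TRAILING_COMMA_CONFIG = """{
  "metrics": {"metrics_collected": {"mem": {"measurement": ["mem_used_percent"]}}},
}"""

MISSING_GROUP_CONFIG = """{
  "logs": {"logs_collected": {"files": {"collect_list": [{"file_path": "/var/log/secure"}]}}}
}"""

if __name__ == "__main__":
    for name, text in [("good", GOOD_CONFIG), ("trailing comma", TRAILING_COMMA_CONFIG),
                       ("missing key", MISSING_GROUP_CONFIG)]:
        print(f"{name}: {validate_agent_config(text) or 'OK'}")
```

Run it against the file you are about to load with `amazon-cloudwatch-agent-ctl -a fetch-config`; a parse error from this script is the same error the agent would log, just with the line and column attached.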
Common Pitfalls
- The "Global Service" Myth: CloudTrail is global, but CloudWatch Logs are Regional. If you don't see logs, check if you are in the correct AWS Region.
- KMS Key Bottlenecks: High-volume logs encrypted with a Customer Managed Key (CMK) can hit KMS Request Rate limits. Use AWS Managed Keys if hitting limits.
- Missing Trust Relationships: Creating an IAM policy is not enough; the service itself (e.g., `lambda.amazonaws.com`) must be trusted by the role to assume it.
- SNS Subscription Confirmation: If alerts "fire" but aren't received, check if the email/SMS endpoint has confirmed the subscription.
Mnemonics / Memory Triggers
- P.I.C. (Permissions, Interface, Configuration): The holy trinity of troubleshooting. Check Permissions (IAM), Interface (Network/VPC Endpoints), and Configuration (Service settings).
- "S3 Policy, Not Me!": When CloudTrail or Config can't write to S3, the problem is almost always the Bucket Policy, not the user's IAM policy.
Formula / Equation Sheet
Troubleshooting Decision Matrix
| Problem | Likely Root Cause | Action |
|---|---|---|
| Logs not appearing in S3 | Destination Bucket Policy | Add s3:PutObject for the service principal. |
| CloudWatch Agent fails to start | IAM Instance Profile | Attach CloudWatchAgentServerPolicy. |
| SNS Alert not received | Subscription State | Verify the subscription status is Confirmed. |
| No VPC Flow Logs in CW | Trust Relationship | Check if vpc-flow-logs.amazonaws.com can AssumeRole. |
| Encrypted logs unreadable | KMS Key Policy | Ensure the reader has kms:Decrypt permissions. |
Visual Anchors
- Troubleshooting Flowchart
- Log Ingestion Path
Worked Examples
Example 1: The Invisible CloudTrail
Scenario: A Security Engineer enables a new trail but notices no logs are arriving in the centralized S3 bucket.
- Diagnosis: The S3 bucket is in Account A, while the trail is in Account B.
- Solution: Update the S3 Bucket Policy in Account A to allow `cloudtrail.amazonaws.com` from Account B.
- Code Fix (the statement to add, shown inside a complete bucket policy document):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-logs-bucket/AWSLogs/AccountB_ID/*"
    }
  ]
}
```

Example 2: Lambda Logging Failure
Scenario: A Lambda function is executing, but no Log Group is created in CloudWatch Logs.
- Diagnosis: The Lambda execution role lacks the permission to create log groups and streams.
- Solution: Ensure the role has `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` permissions.
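Service-Specific Troubleshooting, the Missing Trust Relationships pitfall and both worked examples come down to reading a policy document and asking whether a service principal is allowed a given action on a given resource. The following is an added example (not AWS tooling and not code from this sheet) that does that offline for the three policy types involved: the CloudTrail bucket policy from Example 1, a VPC Flow Logs trust policy, and the Lambda execution role from Example 2. It implements a deliberately small subset of IAM evaluation (Allow/Deny, `Service` principals, `*` wildcards in `Action` and `Resource`); Conditions, `NotAction`/`NotResource` and the combination of identity and resource policies are out of scope (assumption: the sample policies use none of them). Bucket name, account IDs and ARNs are constructed. It also adds the `s3:GetBucketAcl` statement that CloudTrail requires alongside the `s3:PutObject` grant, which the Example 1 fragment does not show.

```python
"""Offline IAM policy checks for the log-delivery failures on this sheet.
Added example, not AWS tooling; see lead-in for the subset of IAM it covers."""
import fnmatch

BUCKET = "central-logs-bucket"                           # constructed, as in Example 1
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"    # constructed account IDs
LOG_GROUP_ARN = f"arn:aws:logs:us-east-1:{ACCOUNT_B}:log-group:/aws/lambda/demo"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, service):
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service", []))


def _matches(patterns, value):
    # IAM's '*' and '?' map onto fnmatch; ARNs rarely contain '[', which fnmatch treats specially.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource, service=None):
    """True if `policy` grants `action` on `resource`.  `service` is the calling
    service principal for resource-based and trust policies; identity policies
    (statements without Principal) are checked with service=None.  An explicit
    Deny wins over any Allow, as in IAM."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if "Principal" in st and not _principal_matches(st["Principal"], service):
            continue
        if not _matches(st.get("Action", []), action):
            continue
        if not _matches(st.get("Resource", "*"), resource):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cloudtrail_bucket_policy(allowed_accounts):
    """Bucket policy letting CloudTrail deliver for the listed account IDs: the
    Example 1 fix plus the s3:GetBucketAcl grant CloudTrail also requires."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{BUCKET}/AWSLogs/{a}/*" for a in allowed_accounts]},
    ]}


FLOW_LOGS_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

LAMBDA_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [   # Example 2: no CreateLogGroup
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": f"{LOG_GROUP_ARN}:*"}]}


def check_cloudtrail_bucket(policy, bucket, trail_account):
    svc = "cloudtrail.amazonaws.com"
    problems = []
    if not is_allowed(policy, "s3:GetBucketAcl", f"arn:aws:s3:::{bucket}", svc):
        problems.append("bucket policy lacks s3:GetBucketAcl for cloudtrail.amazonaws.com")
    # Constructed object key in the AWSLogs/<account>/ layout CloudTrail writes.
    key = f"arn:aws:s3:::{bucket}/AWSLogs/{trail_account}/CloudTrail/us-east-1/2024/01/01/x.json.gz"
    if not is_allowed(policy, "s3:PutObject", key, svc):
        problems.append(f"bucket policy lacks s3:PutObject under AWSLogs/{trail_account}/")
    return problems


def check_flow_logs_trust(trust_policy):
    ok = is_allowed(trust_policy, "sts:AssumeRole", "*", "vpc-flow-logs.amazonaws.com")
    return [] if ok else ["trust policy does not let vpc-flow-logs.amazonaws.com AssumeRole"]


def check_lambda_logging(role_policy, log_group_arn):
    """Lambda creates the group, then a stream, then puts events; each step needs
    its own action, and the stream-level ones are checked against a stream ARN."""
    stream_arn = f"{log_group_arn}:log-stream:2024/01/01/abc"   # constructed
    needed = [("logs:CreateLogGroup", log_group_arn),
              ("logs:CreateLogStream", stream_arn),
              ("logs:PutLogEvents", stream_arn)]
    return [f"execution role lacks {a}" for a, r in needed if not is_allowed(role_policy, a, r)]


if __name__ == "__main__":
    print("bucket, Account A only:", check_cloudtrail_bucket(cloudtrail_bucket_policy([ACCOUNT_A]), BUCKET, ACCOUNT_B))
    print("bucket, A and B:       ", check_cloudtrail_bucket(cloudtrail_bucket_policy([ACCOUNT_A, ACCOUNT_B]), BUCKET, ACCOUNT_B))
    print("flow logs trust:       ", check_flow_logs_trust(FLOW_LOGS_TRUST))
    print("lambda role:           ", check_lambda_logging(LAMBDA_ROLE_POLICY, LOG_GROUP_ARN))
```

The first bucket check reproduces the Example 1 symptom: the bucket policy in Account A only lists its own prefix, so Account B's trail is denied `s3:PutObject`; adding B's prefix clears it. The Lambda check reproduces Example 2. Against live accounts, feed the script the output of `aws s3api get-bucket-policy` and `aws iam get-role` / `aws iam get-role-policy`, and confirm anything it flags with the IAM Policy Simulator, which applies the full evaluation logic this subset leaves out.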
Practice Set
- A company is using the CloudWatch Agent to collect memory metrics. The agent logs show `AccessDenied` errors when attempting to publish metrics. What is the most likely cause?
- A GuardDuty finding indicates a "CryptoCurrency" attack, but the engineer cannot see the underlying VPC Flow Logs for that instance in CloudWatch. Where should they check first?
- True or False: CloudTrail logs are automatically encrypted with an AWS Managed Key, so KMS key policies are never a troubleshooting factor unless a CMK is used.
- You have an SNS topic with an SQS queue as a subscriber. The topic is receiving messages, but the queue is empty. What resource policy needs checking?
- How do you verify if a VPC Flow Log is failing due to a missing trust relationship?
Fact Recall Blanks
- To troubleshoot CloudWatch Agent connectivity issues in a private subnet, you should ensure a ____________ is configured.
- The IAM action required to upload logs to a CloudWatch Log Stream is ____________.
- For CloudTrail to send logs to an S3 bucket, the ____________ policy must grant access.
- AWS Config uses a ____________ to record and deliver configuration changes.
- If a CloudWatch Alarm stays in the ____________ state, it means it is not receiving sufficient data points.
Answers
- VPC Endpoint (Interface Endpoint)
- logs:PutLogEvents
- S3 Bucket Policy
- Configuration Recorder / Delivery Channel
- INSUFFICIENT_DATA