AWS Solutions for PCI Compliance and Web Application Monitoring

Fulfilling PCI Compliance and Monitoring Requirements with AWS


Question

You are responsible for deploying a critical application to AWS.

It is required to ensure that the controls set for this application meet PCI compliance.

Also, there is a need to monitor web application logs to identify any malicious activity.

Which of the following services could be used to fulfill this requirement? (Select TWO)

Answers

A. Amazon CloudWatch Logs
B. AWS Personal Health Dashboard
C. AWS Trusted Advisor
D. AWS CloudTrail

Explanations

Correct answers: A and D.

AWS Documentation mentions the following about these services:

Option A is correct because Amazon CloudWatch Logs is used to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Amazon Route 53, and other sources.

You can then retrieve the associated log data from CloudWatch Logs.

https://aws.amazon.com/compliance/services-in-scope/

Option B is incorrect because AWS Personal Health Dashboard provides alerts and guidance for AWS events that might affect your environment.

It will not help to monitor the web application.

https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/

Option C is incorrect because AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices.

It does not address the stated requirement.

The question asks for monitoring services, not for a logging or visualization service.

Option D is correct because AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

https://aws.amazon.com/cloudtrail/

References:

https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

To deploy a critical application to AWS with PCI-compliant controls, and to monitor its web application logs for malicious activity, the following services can be used:

A. Amazon CloudWatch Logs: Amazon CloudWatch Logs is a service that helps to monitor, store, and access log files from Amazon EC2 instances, AWS CloudTrail, and other AWS services. It can be used to collect logs from the critical application and store them centrally in CloudWatch Logs. CloudWatch Logs can be configured to detect specific log events and trigger alerts for any abnormal activity. It also provides real-time analysis and visualization of log data to identify trends and troubleshoot issues. To meet the PCI compliance requirements, it is essential to ensure that CloudWatch Logs are encrypted during transit and at rest.

D. AWS CloudTrail: AWS CloudTrail is a service that logs API calls made within the AWS infrastructure. It provides a detailed record of events related to account activity and resource usage. CloudTrail can be used to track user activity and API usage within the critical application environment. It can also help to identify any unauthorized access or changes to resources. CloudTrail provides an audit trail that can be used to demonstrate compliance with PCI requirements. To ensure PCI compliance, it is essential to ensure that CloudTrail logs are encrypted during transit and at rest.
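The two correct options come down to two concrete controls: a CloudWatch Logs filter that flags abnormal web activity, and a CloudTrail trail configured so its audit log is encrypted at rest and tamper-evident. The following is an added example, not code from the original page or from AWS: it parses a few constructed web-server access log lines, applies the same "4xx per client" condition locally that a CloudWatch Logs metric filter would apply in the service, and builds the parameter dictionaries one would pass to boto3's `logs.put_metric_filter` and `cloudtrail.create_trail`, followed by a small checker for the trail controls the text calls essential. The log group name, bucket, KMS key ARN, IAM role ARN and threshold are placeholders; boto3 itself is not called, so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format, as a web server would
# ship them to CloudWatch Logs via the CloudWatch agent. One line is deliberately
# malformed to show that unparseable input is skipped rather than miscounted.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /products HTTP/1.1" 200 8120',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /config HTTP/1.1" 404 209',
    '192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /missing HTTP/1.1" 404 209',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 318',
    '198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "GET /cart HTTP/1.1" 200 4410',
    'garbage line that does not parse',
]

# Fields in the order CloudWatch's space-delimited filter sees them; bracketed
# and quoted runs (timestamp, request) count as a single field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status_code>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_ips(lines, threshold=3):
    """Count 4xx responses per client IP and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed input is skipped, never counted as an event
        if event["status_code"].startswith("4"):
            counts[event["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# The same 4xx condition as a CloudWatch Logs space-delimited filter pattern
# (the service evaluates this; the local function above mirrors it for testing).
WEB_4XX_FILTER_PATTERN = "[ip, ident, user, timestamp, request, status_code = 4*, bytes]"


def metric_filter_params(log_group_name, metric_namespace="WebApp"):
    """Keyword arguments for logs.put_metric_filter (boto3). A CloudWatch alarm
    on the emitted metric is what turns a burst of 4xx responses into an alert."""
    return {
        "logGroupName": log_group_name,
        "filterName": "web-4xx-responses",
        "filterPattern": WEB_4XX_FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": "Http4xxCount",
            "metricNamespace": metric_namespace,
            "metricValue": "1",
        }],
    }


def cloudtrail_params(trail_name, bucket, kms_key_arn, log_group_arn, role_arn):
    """Keyword arguments for cloudtrail.create_trail (boto3): all regions,
    KMS-encrypted at rest, integrity-validated, and delivered to CloudWatch Logs."""
    return {
        "Name": trail_name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "EnableLogFileValidation": True,
        "KmsKeyId": kms_key_arn,
        "CloudWatchLogsLogGroupArn": log_group_arn,
        "CloudWatchLogsRoleArn": role_arn,
    }


def trail_control_findings(params):
    """List the audit-trail controls a trail configuration is missing (empty == passes)."""
    findings = []
    if not params.get("KmsKeyId"):
        findings.append("trail log files are not encrypted with a KMS key")
    if not params.get("EnableLogFileValidation"):
        findings.append("log file integrity validation is disabled")
    if not params.get("IsMultiRegionTrail"):
        findings.append("trail does not cover all regions")
    if not params.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail events are not delivered to CloudWatch Logs for monitoring")
    return findings


if __name__ == "__main__":
    print("clients with repeated 4xx responses:", suspicious_ips(SAMPLE_LOG_LINES))
    print(metric_filter_params("/webapp/access"))  # placeholder log group name
    trail = cloudtrail_params("pci-trail", "example-audit-bucket",       # placeholders
                              "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID",
                              "arn:aws:logs:REGION:ACCOUNT_ID:log-group:cloudtrail:*",
                              "arn:aws:iam::ACCOUNT_ID:role/CloudTrailToCloudWatch")
    print("trail findings:", trail_control_findings(trail))
```

The local counter and the filter pattern express one condition, so the sample lines double as a test fixture for the pattern before it is deployed; the trail checker is the kind of configuration review an assessor would expect to see evidence of, and it reports every missing control rather than stopping at the first.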

Therefore, A (Amazon CloudWatch Logs) and D (AWS CloudTrail) are the correct answers. AWS Personal Health Dashboard and AWS Trusted Advisor do not provide log management or monitoring capabilities and are not relevant to fulfilling the given requirement.