MCQ Questions on AWS CloudTrail: Understanding Event Data

Explore these AWS CloudTrail MCQ questions and answers to enhance your understanding of topics such as anatomy of CloudTrail logs, event categories and sources, and filtering and querying logs. These questions are designed to help you grasp key concepts and improve your AWS CloudTrail expertise effectively.


Chapter 3: Understanding Event Data


1–10: Anatomy of CloudTrail Logs

  1. What information is included in the eventName field of a CloudTrail log?
    a) Name of the AWS service
    b) Specific action performed
    c) Region of the event
    d) The IP address of the user
  2. Which field in a CloudTrail log specifies the identity performing the action?
    a) eventSource
    b) userIdentity
    c) requestParameters
    d) awsRegion
  3. What type of information is contained in the requestParameters section of a CloudTrail event?
    a) Identity of the user
    b) Parameters passed to the API request
    c) List of AWS services accessed
    d) The timestamp of the event
  4. Which field indicates the AWS service generating the event in a CloudTrail log?
    a) eventSource
    b) eventName
    c) recipientAccountId
    d) eventTime
  5. How is the time of an event recorded in a CloudTrail log?
    a) In local timezone format
    b) As a Unix timestamp
    c) In Coordinated Universal Time (UTC)
    d) Using the AWS regional timestamp
  6. What is the purpose of the responseElements field in a CloudTrail event log?
    a) To capture the response details of the API call
    b) To log the IAM role used in the request
    c) To store information about errors
    d) To track user actions
  7. What does the sourceIPAddress field represent in CloudTrail logs?
    a) IP address of the AWS resource
    b) IP address of the entity that made the request
    c) IP address of the AWS region
    d) IP address of the S3 bucket
  8. What type of information is stored in the errorCode field?
    a) IAM role information
    b) API request parameters
    c) The region where the event occurred
    d) Error encountered during the API call
  9. Which field records the AWS account ID that owns the resource?
    a) awsRegion
    b) eventName
    c) recipientAccountId
    d) eventSource
  10. What is the significance of the eventVersion field in CloudTrail logs?
    a) It shows the version of the CloudTrail service used
    b) It specifies the version of the event log schema
    c) It tracks the version of the AWS CLI
    d) It indicates the event replication status

11–18: Event Categories and Sources

  11. Which event category in CloudTrail includes AWS Management Console logins?
    a) Data events
    b) Insight events
    c) Management events
    d) Audit events
  12. What is a data event in CloudTrail?
    a) An event related to changes in account configuration
    b) An event capturing activity on AWS resources like S3 objects
    c) An event for API calls through the AWS Management Console
    d) An event recording login attempts
  13. What type of actions are included in management events?
    a) Actions on S3 objects
    b) EC2 instance data transfers
    c) Configuration and control plane actions
    d) Application-level events
  14. What event source is associated with AWS Identity and Access Management (IAM)?
    a) s3.amazonaws.com
    b) iam.amazonaws.com
    c) ec2.amazonaws.com
    d) dynamodb.amazonaws.com
  15. Which category of events provides insights into unusual activity detected in your account?
    a) Management events
    b) Data events
    c) Insight events
    d) Operational events
  16. How can you distinguish between read-only and write-only events in CloudTrail logs?
    a) Using the eventSource field
    b) Checking the eventName field
    c) Inspecting the readOnly attribute
    d) Reviewing the eventTime field
  17. Which service generates events when users upload files to an S3 bucket?
    a) AWS Lambda
    b) Amazon S3
    c) AWS Config
    d) Amazon EC2
  18. How can you track AWS Lambda function executions in CloudTrail?
    a) Enable Lambda execution logging
    b) Track management events from lambda.amazonaws.com
    c) Enable resource-based policies
    d) Use AWS Trusted Advisor

19–25: Filtering and Querying Logs

  19. What tool can be used to query CloudTrail logs using SQL-like queries?
    a) AWS Glue
    b) Amazon Athena
    c) Amazon QuickSight
    d) AWS Config
  20. How can you filter events by a specific resource in CloudTrail?
    a) Using event names
    b) Using the resource ID or name in the resources field
    c) Filtering the eventSource field
    d) Using tags assigned to the resource
  21. Which AWS service enables real-time monitoring and filtering of CloudTrail logs?
    a) Amazon GuardDuty
    b) Amazon CloudWatch Logs Insights
    c) AWS Trusted Advisor
    d) AWS Secrets Manager
  22. What is the purpose of an event selector in CloudTrail?
    a) To track errors in AWS accounts
    b) To customize which events are logged
    c) To enable log replication across regions
    d) To filter logs stored in S3 buckets
  23. How can CloudTrail logs be filtered for a specific user action?
    a) By checking the eventName field
    b) Using the eventVersion field
    c) Filtering the awsRegion field
    d) Checking the eventSource field
  24. Which service can automatically analyze and flag suspicious activity in CloudTrail logs?
    a) Amazon Macie
    b) Amazon Inspector
    c) AWS Config
    d) Amazon GuardDuty
  25. What is the recommended way to store and query large amounts of CloudTrail logs?
    a) Use Amazon S3 with lifecycle policies
    b) Store logs in DynamoDB tables
    c) Use Amazon CloudFront for caching
    d) Transfer logs to RDS for querying

Answer Key

Qno. Answer (Option with Text)
  1. b) Specific action performed
  2. b) userIdentity
  3. b) Parameters passed to the API request
  4. a) eventSource
  5. c) In Coordinated Universal Time (UTC)
  6. a) To capture the response details of the API call
  7. b) IP address of the entity that made the request
  8. d) Error encountered during the API call
  9. c) recipientAccountId
  10. b) It specifies the version of the event log schema
  11. c) Management events
  12. b) An event capturing activity on AWS resources like S3 objects
  13. c) Configuration and control plane actions
  14. b) iam.amazonaws.com
  15. c) Insight events
  16. c) Inspecting the readOnly attribute
  17. b) Amazon S3
  18. b) Track management events from lambda.amazonaws.com
  19. b) Amazon Athena
  20. b) Using the resource ID or name in the resources field
  21. b) Amazon CloudWatch Logs Insights
  22. b) To customize which events are logged
  23. a) By checking the eventName field
  24. d) Amazon GuardDuty
  25. a) Use Amazon S3 with lifecycle policies

Use a blank sheet, note your answers, and then tally them against our answer key at the end. Give yourself a score.
