SOA-C02 Reviews Questions

To supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS, the SysOps administrator should download the applicable reports from the AWS Artifact portal.

AWS Artifact:

AWS Artifact is a service that provides on-demand access to AWS’ security and compliance reports and select online agreements.

It includes compliance reports for standards such as PCI DSS, SOC, ISO, and more.

Steps to Access Reports:

Open the AWS Management Console.

Navigate to the AWS Artifact console.

Browse and download the PCI DSS compliance report.

Providing Documentation:

Download the relevant PCI DSS reports and provide them to the auditors as required.

AWS Artifact

PCI DSS Compliance

To secure the S3 bucket and allow access only from CloudFront, the following steps should be taken:

Create an OAI in CloudFront:

In the CloudFront console, create an origin access identity (OAI) and associate it with your CloudFront distribution.

 Enable Access Logging for the ALB:

Access logging provides detailed information about requests sent to your load balancer.

Steps:

Go to the AWS Management Console.

Navigate to EC2 and select "Load Balancers."

Select your Application Load Balancer.

Under the "Attributes" tab, enable "Access logs."

Specify an S3 bucket where the logs will be saved.

Enable Access Logs for Your Load Balancer

 Use Amazon Athena to Query the ALB Logs:

Athena allows you to run SQL queries on data stored in S3.

Steps:

Go to the AWS Management Console.

Navigate to Athena.

Create a table for the ALB logs using the appropriate schema.

Run queries to calculate the total bytes sent and received, grouped by the target

field.

Example query:

SELECT target, SUM(received_bytes) as total_received, SUM(sent_bytes) as total_sent

FROM alb_logs

GROUP BY target, port

AWS Config is the best service to automatically manage and remediate S3 bucket permissions that violate corporate policies against public access. AWS Config continuously monitors and records AWS resource configurations and allows you to create rules that trigger automatic responses when public access configurations are detected. This approach is highly operationally efficient as it automates compliance and enforcement of security policies without manual intervention. Option A is correct. AWS Config can be used to assess, audit, and evaluate the configurations of AWS resources, including S3 buckets. Reference AWS Config.