AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 362

A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy.
What is the MOST cost-effective solution to meet these requirements?

Answer options

• A. Move the EC2 instances to a dedicated VPC. Enable VPC Flow Logs with a filter on the deny action. Publish the flow logs to Amazon CloudWatch Logs.
• B. Move the EC2 instances to a dedicated VPC subnet. Enable VPC Flow Logs for the subnet with a filter on the reject action. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
• C. Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
• D. Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.

Correct answer: A

Explanation

Isolating the instances in a dedicated VPC and enabling VPC Flow Logs filtered specifically for denied traffic ensures that only failed connection attempts are captured, reducing log volume and storage costs. Publishing these filtered logs directly to Amazon CloudWatch Logs is highly cost-effective and avoids the additional infrastructure costs associated with Amazon Kinesis Data Firehose. Other options either target individual interfaces unnecessarily or introduce extra ingestion layers that increase overall expenses.