AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 82
A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?
Answer options
- A. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the security team.
- B. Enable Amazon GuardDuty on the account and the specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the security team.
- C. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the security team.
- D. Enable Amazon GuardDuty on the account and specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.
Correct answer: A
Explanation
Option A is the most cost-effective solution because it uses existing features, network ACLs and VPC Flow Logs, to control access and to monitor rejected connections, which allows for notification without incurring extra costs. Options B and D rely on Amazon GuardDuty, which incurs additional charges and does not provide the same degree of direct control over which IPs the servers can communicate with. Option C, while similar to A, sets the VPC Flow Logs filter to REJECT rather than ALL, so logs of valid (accepted) traffic could be missed.
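To make the detection side of option A concrete, the following added example (not part of the exam material or of any AWS code) parses a handful of constructed VPC Flow Log records in the default 14-field format, surfaces REJECT records whose destination is not on the approved list, checks that no ACCEPT record reached an unapproved destination (the sanity check that the network ACL is actually enforcing the list), and builds the space-delimited CloudWatch Logs metric filter pattern that option A's REJECT filter corresponds to. The approved-IP set, ENI ID, account ID and log lines are all constructed sample values.

```python
"""Detection logic for option A: parse VPC Flow Log lines, flag rejected
connections to unapproved endpoints, and build the CloudWatch Logs metric
filter pattern. All sample data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed: the "five approved external IPs" from the scenario
# (RFC 5737 documentation addresses, not real endpoints).
APPROVED_IPS: Set[str] = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
                          "198.51.100.20", "198.51.100.21"}

# Constructed sample log lines; the last one is a NODATA record, which
# carries no traffic fields and must be skipped by the parser.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 192.0.2.77 49153 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.6 198.51.100.20 49154 22 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.6 192.0.2.78 49155 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: str
    action: str


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse default-format flow log lines into records with traffic fields."""
    records: List[FlowRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or non-default format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have no usable addresses
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"],
                                  rec["dstport"], rec["action"]))
    return records


def rejected_to_unapproved(records: List[FlowRecord],
                           approved: Set[str]) -> List[FlowRecord]:
    """REJECT records to destinations outside the allow list: these are the
    events the security team wants to be notified about."""
    return [r for r in records
            if r.action == "REJECT" and r.dstaddr not in approved]


def accepted_to_unapproved(records: List[FlowRecord],
                           approved: Set[str]) -> List[FlowRecord]:
    """ACCEPT records to unapproved destinations. A non-empty result means
    the network ACL is not enforcing the allow list as intended."""
    return [r for r in records
            if r.action == "ACCEPT" and r.dstaddr not in approved]


def count_by_action(records: List[FlowRecord]) -> Dict[str, int]:
    """Per-action counts, the kind of number a metric filter would emit."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.action] = counts.get(r.action, 0) + 1
    return counts


def metric_filter_pattern() -> str:
    """CloudWatch Logs space-delimited filter pattern for the default
    14-field flow log format that matches only REJECT records."""
    return ("[version, account, eni, source, destination, srcport, destport, "
            "protocol, packets, bytes, windowstart, windowend, "
            "action=\"REJECT\", flowlogstatus]")


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for r in rejected_to_unapproved(recs, APPROVED_IPS):
        print(f"ALERT: {r.srcaddr} tried {r.dstaddr}:{r.dstport} (REJECT)")
    print("ACL gaps:", accepted_to_unapproved(recs, APPROVED_IPS))
    print("counts:", count_by_action(recs))
    print("metric filter:", metric_filter_pattern())
```

In a live deployment the pattern returned by `metric_filter_pattern()` would be attached to the Flow Logs log group as a metric filter and an alarm placed on the resulting metric; the parser here is what you would run over exported log lines to validate that the alarm fires for the right events. Because network ACLs are stateless, the allow list also has to permit the return traffic for the approved IPs, so checking `accepted_to_unapproved()` against real logs is a useful verification that the rules do what the exam scenario assumes.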