AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 164

A company is developing a new application that is deployed in multiple VPCs across multiple AWS Regions. The VPCs are connected through AWS Transit Gateway. The VPCs contain private subnets and public subnets.

All outbound internet traffic in the private subnets must be audited and logged. The company's network engineer plans to use AWS Network Firewall and must ensure that all traffic through Network Firewall is completely logged for auditing and alerting.

How should the network engineer configure Network Firewall logging to meet these requirements?

Answer options

• A. Configure Network Firewall logging in Amazon CloudWatch to capture all alerts. Send the logs to a log group in Amazon CloudWatch Logs.
• B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs.
• C. Configure Network Firewall logging by configuring VPC Flow Logs for the firewall endpoint. Send the logs to a log group in Amazon CloudWatch Logs.
• D. Configure Network Firewall logging by configuring AWS CloudTrail to capture data events.

Correct answer: B

Explanation

The correct answer is B because configuring logging directly in Network Firewall allows for comprehensive capture of both alerts and flow logs, which is essential for auditing and alerting. Option A focuses only on alerts without capturing flow logs, while Option C relies on VPC Flow Logs which may not provide the complete logging required for auditing. Option D, using AWS CloudTrail, is not suitable for logging network traffic as it primarily captures API calls and not detailed network traffic logs.