AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 232

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are part of an Amazon EC2 Auto Scaling group.

To comply with new security standards, the company must capture all application access data, including server response codes, request paths, latency, and client IP addresses. The company also needs to query the captured data for performance analysis.

Which solution will meet these requirements?

Answer options

• A. Enable VPC flow logs on the ALB subnets. Store the logs to an Amazon S3 bucket. Query the logs in the S3 bucket by using Amazon Athena.
• B. Configure Amazon VPC Traffic Mirroring on all EC2 elastic network interfaces. Deploy a third-party monitoring appliance from AWS Marketplace in a private subnet. Use Amazon Data Firehose to send all mirrored traffic to the monitoring appliance. Query the logs directly from the monitoring appliance.
• C. Configure Amazon CloudWatch detailed monitoring on the EC2 instances Include all available logs. Use Amazon Data Firehose to send all the collected logs to an Amazon S3 bucket. Query the data directly from the S3 bucket.
• D. Enable access logs on the ALB. Store the logs in an Amazon S3 bucket. Query the logs in the S3 bucket by using Amazon Athena.

Correct answer: D

Explanation

Enabling access logs on the ALB captures all necessary application access data, including server response codes, request paths, latency, and client IPs, and storing them in an S3 bucket allows for querying with Amazon Athena. The other options either do not capture all required data or involve unnecessary complexity, such as third-party tools or traffic mirroring that do not specifically address the logging of access data from the ALB.