A company has a transit gateway in a single AWS account. The company sends flow logs for…

Question

A company has a transit gateway in a single AWS account. The company sends flow logs for the transit gateway to an Amazon CloudWatch Logs log group. The company created an AWS Lambda function to analyze the logs. The Lambda function sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a VPC generates traffic that is dropped by the transit gateway. Each notification contains the account ID. VPC ID, and total amount of dropped packets. The company wants to subscribe a new Lambda function to the SNS topic. The new Lambda function must automatically prevent the traffic that is identified in each notification from leaving a VPC by applying a network ACL to the transit gateway attachment subnets in the VPC that generates the traffic. Which solution will meet these requirements?

Accepted Answer

Correct answer: A. A. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the destination IP addresses in the network ACL. — The correct solution is A because it requires adding the destination IP addresses of the dropped traffic to the notifications, which are needed to block outbound traffic from the VPC. Options B and C incorrectly focus on source IP addresses, which would not effectively prevent the dropped traffic from leaving. Option D suggests creating an inbound rule, which does not address the need to stop outbound traffic.

AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 244

Answer options

Correct answer: A

Explanation