AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 259
A company operates in multiple AWS Regions. The company has deployed transit gateways in each Region. The company uses AWS Organizations to operate multiple AWS accounts in one organization.
The company needs to capture all VPC flow log data when a new VPC is created. The company needs to send flow logs to a specific Amazon S3 bucket.
Which solution will meet these requirements with the LEAST administrative effort?
Answer options
- A. Update IAM permissions for each user to include a condition that ensures users can create VPCs only when VPC Flow Logs is enabled and configured correctly.
- B. Create a custom AWS Config rule with automatic remediation that verifies VPC Flow Logs is enabled and configured correctly. Apply the AWS Config rule to the organization.
- C. Enable VPC Flow Logs on each transit gateway. Configure VPC Flow Logs to send flow logs to the specified S3 bucket.
- D. Deploy a serverless application that uses AWS CloudTrail to monitor for VPC creation events in each account. Configure the application to apply the correct VPC Flow Logs configuration.
Correct answer: B
Explanation
Option B is correct: an AWS Config rule with automatic remediation, applied across the organization, evaluates every new VPC and enables flow logs to the required bucket without ongoing manual oversight. Option A relies on per-user IAM permissions, which are cumbersome to manage across many users and accounts. Option C does not effectively address new VPCs created in different accounts. Option D requires building, deploying and maintaining an application in each account, which is more administrative overhead than the automatic checks and remediation that AWS Config provides.
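As an added example, not from the exam page, here is the core of the custom Config rule that option B describes: a pure evaluation function over the DescribeFlowLogs response (so it can be tested offline), plus the Lambda handler and remediation call that wire it to the EC2 and Config APIs. The bucket ARN is a placeholder and the handler wiring is an assumption about how the rule is deployed.

```python
import json

# Placeholder for the organization's central flow-log bucket (assumption).
REQUIRED_BUCKET_ARN = "arn:aws:s3:::example-central-flow-logs"


def flow_log_matches(flow_log, bucket_arn):
    """True if this flow log is active, captures ALL traffic and lands in the bucket."""
    dest = flow_log.get("LogDestination", "")
    # Exact bucket or a prefix under it; a plain startswith would also accept
    # a different bucket whose name merely begins with ours.
    in_bucket = dest == bucket_arn or dest.startswith(bucket_arn + "/")
    return (
        flow_log.get("FlowLogStatus") == "ACTIVE"
        and flow_log.get("TrafficType") == "ALL"
        and flow_log.get("LogDestinationType") == "s3"
        and in_bucket
    )


def evaluate_vpc(vpc_id, flow_logs, bucket_arn):
    """Return (ComplianceType, Annotation) for one VPC, given its DescribeFlowLogs entries."""
    ok = [f for f in flow_logs if f.get("ResourceId") == vpc_id and flow_log_matches(f, bucket_arn)]
    if ok:
        return "COMPLIANT", f"{ok[0].get('FlowLogId')} delivers ALL traffic to {bucket_arn}"
    return "NON_COMPLIANT", f"no active flow log for {vpc_id} delivering ALL traffic to {bucket_arn}"


def create_flow_log_request(vpc_id, bucket_arn):
    """Keyword arguments for ec2.create_flow_logs that make the VPC compliant."""
    return {"ResourceType": "VPC", "ResourceIds": [vpc_id], "TrafficType": "ALL",
            "LogDestinationType": "s3", "LogDestination": bucket_arn}


def lambda_handler(event, context):
    """Invoked by AWS Config on each AWS::EC2::VPC configuration change (assumed wiring)."""
    import boto3  # imported here so the pure functions above run without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::VPC" or item["configurationItemStatus"] == "ResourceDeleted":
        return None
    vpc_id = item["resourceId"]
    ec2 = boto3.client("ec2")
    logs = ec2.describe_flow_logs(Filters=[{"Name": "resource-id", "Values": [vpc_id]}])["FlowLogs"]
    compliance, note = evaluate_vpc(vpc_id, logs, REQUIRED_BUCKET_ARN)
    if compliance == "NON_COMPLIANT":  # automatic remediation: add the missing flow log
        ec2.create_flow_logs(**create_flow_log_request(vpc_id, REQUIRED_BUCKET_ARN))
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": "AWS::EC2::VPC", "ComplianceResourceId": vpc_id,
                      "ComplianceType": compliance, "Annotation": note[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance
```

The Lambda's execution role needs ec2:DescribeFlowLogs, ec2:CreateFlowLogs and config:PutEvaluations, and the S3 bucket policy must allow delivery.logs.amazonaws.com from every member account.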