AWS Certified Security – Specialty (SCS-C02) — Question 265
A company hosts its microservices application on Amazon Elastic Kubernetes Service (Amazon EKS). The company has set up continuous deployments to update the application on demand.
A security engineer must implement a solution to provide automatic detection of anomalies in application logs in near real time. The solution also must send notifications about these anomalies to the security team.
Which solution will meet these requirements?
Answer options
- A. Configure Amazon CloudWatch Container Insights to collect and aggregate EKS application logs. Create a CloudWatch alarm to monitor for anomalies. Configure the alarm to launch an AWS Lambda function to alert the security team when anomalies are detected.
- B. Configure Amazon EKS to send application logs to Amazon CloudWatch. Create a CloudWatch alarm based on a log group metric filter. Specify anomaly detection as the threshold type. Configure the alarm to use Amazon Simple Notification Service (Amazon SNS) to alert the security team.
- C. Configure Amazon EKS to export logs to Amazon S3. Use Amazon Athena queries to analyze the logs for anomalies. Use Amazon QuickSight to visualize and monitor user access requests for anomalies. Configure Amazon Simple Notification Service (Amazon SNS) notifications to alert the security team.
- D. Configure AWS App Mesh to monitor the traffic to the microservices in Amazon EKS. Integrate App Mesh with AWS CloudTrail for logging. Use Amazon Detective to analyze the logs for anomalies and to alert the security team when anomalies are detected.
Correct answer: B
Explanation
Option B is correct because streaming Amazon EKS application logs to Amazon CloudWatch and creating an alarm on a log group metric filter with anomaly detection as the threshold type gives near-real-time, automated detection, and the alarm's Amazon SNS action delivers the notification to the security team. Option A is incorrect because CloudWatch Container Insights focuses on performance metrics rather than analyzing application logs for anomalies. Option C is incorrect because Athena queries and QuickSight dashboards are batch-oriented and do not provide near-real-time alerting. Option D is incorrect because App Mesh monitors service-to-service traffic, CloudTrail records API activity, and Detective investigates security findings; none of them performs automated, near-real-time anomaly alerting on application logs.