AWS Certified Security – Specialty (SCS-C02) — Question 281

A company’s security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company’s AWS accounts. VPC flow logs are enabled for all VPCs.

A security engineer must identify any EC2 instances that attempt to use Network Time Protocol (NTP) servers on the internet.

Which solution will meet these requirements?

Answer options

Correct answer: C

Explanation

Network Time Protocol (NTP) traffic is ordinary network traffic (UDP port 123) rather than an AWS API call, so AWS CloudTrail never records it and cannot serve as the detection mechanism. VPC flow logs, by contrast, record the source, destination, port, protocol, and action of each flow, so a security engineer can query them for outbound UDP/123 flows from instance network interfaces to external NTP IP addresses on the internet. This lets the organization pinpoint EC2 instances that are not complying with the Amazon Time Sync Service policy.
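As an added illustration (not part of the original question or of any AWS tool), the following Python detection logic runs over a few constructed VPC flow log records in the default format and reports each network interface that sent NTP (UDP/123) to a non-private destination. The sample records, the account and ENI IDs, and the internal-network list are all constructed assumptions.

```python
"""Flag ENIs whose VPC flow log records show NTP (UDP/123) sent outside the VPC."""
import ipaddress

# Constructed sample records in the default (version 2) VPC flow log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.10 41234 123 17 4 304 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.30 10.0.0.5 52000 123 17 2 152 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.2.7 198.51.100.4 33001 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.10 41234 123 17 4 304 1700000120 1700000180 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60004 - - - - - - - 1700000120 1700000180 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60004 10.0.3.9 192.0.2.50 44321 123 17 1 76 1700000120 1700000180 ACCEPT OK
"""

UDP = 17
NTP_PORT = 123

# Destinations that never leave the VPC: RFC 1918 space plus the link-local range
# used by the Amazon Time Sync Service (169.254.169.123). Note that flow logs do not
# record traffic to 169.254.169.123 at all, so compliant instances simply do not appear.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_external_ntp(log_text):
    """Return {interface-id: sorted list of external NTP destinations} for matching flows.

    Both ACCEPT and REJECT records are kept: a flow rejected by a security group is
    still an *attempt* to reach an internet NTP server, which is what the policy forbids.
    """
    hits = {}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":      # skip blank/NODATA/SKIPDATA records
            continue
        eni, dst, dstport, proto = f[2], f[4], int(f[6]), int(f[7])
        if proto != UDP or dstport != NTP_PORT or is_internal(dst):
            continue
        hits.setdefault(eni, set()).add(dst)
    # Map each eni-* to its instance with ec2 describe-network-interfaces as a follow-up.
    return {eni: sorted(dsts) for eni, dsts in hits.items()}


if __name__ == "__main__":
    for eni, dsts in find_external_ntp(SAMPLE_FLOW_LOGS).items():
        print(f"{eni} sent NTP to internet hosts: {', '.join(dsts)}")
```

In practice the same filter is expressed as an Athena or CloudWatch Logs Insights query over the flow log destination, but the matching conditions (protocol 17, dstport 123, destination outside private ranges) are identical.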