AWS Certified Security – Specialty — Question 257
An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.
How can the Application team's requirements be met?
Answer options
- A. Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
- B. Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
- C. Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
- D. Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
Correct answer: A
Explanation
The correct answer is A. VPC Flow Logs record the IP traffic that reaches each elastic network interface (ENI) in the VPC, and every record carries an action field of ACCEPT or REJECT, which is the combined result of the security group and network ACL evaluation for that flow. Enabling flow logs at the VPC level covers all ENIs behind the thousands of instances without installing anything on them, delivering the records to Amazon S3 scales without per-instance infrastructure, and Amazon Athena lets the team query the S3 data with SQL, for example to list rejected flows to a port that should be open, or accepted flows from a source that should have been denied. Two caveats a practitioner should know: a REJECT tells you traffic was blocked, not whether the security group or the network ACL blocked it, and some traffic (such as queries to the Amazon-provided DNS resolver and instance metadata requests to 169.254.169.254) is never captured in flow logs.

Option B is wrong because Amazon Inspector assesses instances for vulnerabilities and configuration findings; it does not record network traffic, and Amazon EMR is an unnecessarily heavy tool for querying logs. Option C is wrong because AWS Config evaluates whether a security group or network ACL configuration complies with a rule; it shows what the rules are, not how they behaved against real traffic. Option D is wrong because AWS CloudTrail records API calls (for example, who changed a security group rule), not packets or flows, so it cannot show whether traffic was accepted or rejected.
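The check described above, as an added example that is not part of the exam page and not AWS code: it parses default-format (version 2) VPC Flow Log records, counts ACCEPT and REJECT decisions per network interface and destination port, and lists the sources whose traffic to a given port was blocked. The same aggregation is included as the Athena DDL and query the team would run once the logs are in S3 (option A). The sample records, the table name, the bucket and the S3 prefix are constructed assumptions.

```python
"""Check security group / network ACL outcomes from VPC Flow Log records.

Added example (not from the exam page or from AWS). Parses default-format
flow log records and summarises ACCEPT/REJECT per ENI and destination port;
the equivalent Athena statements are included as strings. Sample records,
table name and S3 location are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record format.
FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records (not captured from a real account): an accepted SSH
# flow, a rejected SSH attempt from an outside address, a rejected RDP probe, a
# NODATA record with no traffic in its window, and an accepted HTTPS flow.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 41234 22 6 12 3456 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.2.40 50500 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.2.40 50501 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000059 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.25 10.0.3.11 41235 443 6 30 9870 1700000060 1700000119 ACCEPT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str  # ACCEPT or REJECT: the combined SG + network ACL decision


def parse_records(text: str) -> list[FlowRecord]:
    """Parse default-format records, skipping NODATA/SKIPDATA lines that carry no flow."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split()
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected field count in record: {line!r}")
        row = dict(zip(FIELDS, values))
        if row["log_status"] != "OK":
            continue  # no traffic in the window (NODATA) or records dropped (SKIPDATA)
        records.append(FlowRecord(
            interface_id=row["interface_id"],
            srcaddr=row["srcaddr"],
            dstaddr=row["dstaddr"],
            dstport=int(row["dstport"]),
            protocol=int(row["protocol"]),
            action=row["action"],
        ))
    return records


def summarise(records: list[FlowRecord]) -> dict[tuple[str, int], dict[str, int]]:
    """Count ACCEPT and REJECT records per (interface, destination port)."""
    counts: dict[tuple[str, int], dict[str, int]] = defaultdict(
        lambda: {"ACCEPT": 0, "REJECT": 0})
    for r in records:
        counts[(r.interface_id, r.dstport)][r.action] += 1
    return dict(counts)


def rejected_sources(records: list[FlowRecord], dstport: int) -> list[str]:
    """Source addresses whose traffic to dstport was blocked by an SG or network ACL."""
    return sorted({r.srcaddr for r in records
                   if r.action == "REJECT" and r.dstport == dstport})


# Equivalent Athena statements over the S3 delivery prefix. Table name, bucket and
# prefix are assumptions; the column list matches the default record format above.
ATHENA_DDL = """
CREATE EXTERNAL TABLE IF NOT EXISTS vpc_flow_logs (
  version int, account_id string, interface_id string, srcaddr string,
  dstaddr string, srcport int, dstport int, protocol bigint, packets bigint,
  bytes bigint, start bigint, `end` bigint, action string, log_status string)
ROW FORMAT DELIMITED FIELDS TERMINATED BY ' '
LOCATION 's3://example-flow-log-bucket/AWSLogs/123456789012/vpcflowlogs/us-east-1/'
TBLPROPERTIES ('skip.header.line.count'='1');
"""

ATHENA_QUERY = """
SELECT interface_id, dstport, action, COUNT(*) AS records
FROM vpc_flow_logs
WHERE log_status = 'OK'
GROUP BY interface_id, dstport, action
ORDER BY records DESC;
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (eni, port), c in sorted(summarise(recs).items()):
        print(f"{eni} dstport={port:<5} ACCEPT={c['ACCEPT']} REJECT={c['REJECT']}")
    print("rejected sources for port 22:", rejected_sources(recs, 22))
```

The local parser exists so the logic can be exercised offline; in practice the team runs `ATHENA_DDL` once against the delivery prefix and then `ATHENA_QUERY`, filtering on `action = 'REJECT'` and the ports the application expects to be reachable. A REJECT row confirms that a security group or network ACL blocked the flow, but not which of the two did, so the result has to be read against the intended rule set.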