AWS Certified Security – Specialty — Question 400
A company hosts business-critical applications on Amazon EC2 instances in a VPC. The VPC uses default DHCP options sets. A security engineer needs to log all DNS queries that internal resources make in the VPC. The security engineer also must create a list of the most common DNS queries over time.
Which solution will meet these requirements?
Answer options
- A. Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
- B. Install a BIND DNS server in the VPC. Create a bash script to list the DNS request number of common DNS queries from the BIND logs.
- C. Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
- D. Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Correct answer: D
Explanation
Amazon Route 53 Resolver query logging is the native AWS service designed to capture DNS queries originating from resources within a VPC. By streaming these logs to Amazon CloudWatch Logs, you can use Amazon CloudWatch Contributor Insights to analyze the log data and easily identify the most common DNS queries over time. Other solutions either introduce unnecessary operational overhead, like installing agents or BIND servers, or cannot capture the actual DNS query domain names, as is the case with VPC flow logs.
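The following is an added example, not part of the original question or of any AWS-provided code. It builds a Contributor Insights rule body keyed on the `query_name` field of Resolver query log records, and reproduces the same "top contributors per time window" ranking locally over constructed sample records. The log group name, VPC ID, timestamps and domain names are placeholders.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

def _rec(ts, name, src="10.0.1.15"):
    # Constructed record using Route 53 Resolver query log field names.
    return json.dumps({"version": "1.100000", "vpc_id": "vpc-EXAMPLE",
                       "query_timestamp": ts, "query_name": name,
                       "query_type": "A", "rcode": "NOERROR", "srcaddr": src})

SAMPLE_LOG_LINES = [  # constructed sample data, not real traffic
    _rec("2024-01-01T10:01:05Z", "example.com."),
    _rec("2024-01-01T10:02:10Z", "Example.COM."),
    _rec("2024-01-01T10:05:00Z", "updates.example.net."),
    _rec("2024-01-01T10:40:00Z", "example.com.", src="10.0.2.8"),
    _rec("2024-01-01T11:03:00Z", "updates.example.net."),
    _rec("2024-01-01T11:04:00Z", "updates.example.net."),
    _rec("2024-01-01T11:30:00Z", "example.com."),
    "truncated or non-JSON line",
]

def insight_rule_definition(log_group):
    """Contributor Insights rule body that counts log events per query_name."""
    return {
        "Schema": {"Name": "CloudWatchLogRule", "Version": 1},
        "LogGroupNames": [log_group],  # placeholder name supplied by caller
        "LogFormat": "JSON",
        "Contribution": {"Keys": ["$.query_name"], "Filters": []},
        "AggregateOn": "Count",
    }

def top_queries(lines, top_n=3, bucket="%Y-%m-%dT%H:00Z"):
    """Rank query names per hourly bucket; malformed lines are skipped."""
    buckets = defaultdict(Counter)
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["query_timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            # DNS names are case-insensitive, so fold case before counting.
            name = rec["query_name"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        buckets[ts.strftime(bucket)][name] += 1
    return {b: c.most_common(top_n) for b, c in sorted(buckets.items())}

if __name__ == "__main__":
    print(json.dumps(insight_rule_definition("/example/resolver-query-logs"), indent=2))
    for window, ranking in top_queries(SAMPLE_LOG_LINES).items():
        print(window, ranking)
```

The local ranking folds case before counting; the rule keys on the raw `$.query_name` value as logged.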