AWS Certified Solutions Architect – Professional — Question 578

A company is running an application distributed over several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The security team requires that all application access attempts be made available for analysis. Information about the client IP address, connection type, and user agent must be included.
Which solution will meet these requirements?

Answer options

• A. Enable EC2 detailed monitoring, and include network logs. Send all logs through Amazon Kinesis Data Firehose to an Amazon Elasticsearch Service (Amazon ES) cluster that the security team uses for analysis.
• B. Enable VPC Flow Logs for all EC2 instance network interfaces. Publish VPC Flow Logs to an Amazon S3 bucket. Have the security team use Amazon Athena to query and analyze the logs.
• C. Enable access logs for the Application Load Balancer, and publish the logs to an Amazon S3 bucket. Have the security team use Amazon Athena to query and analyze the logs.
• D. Enable Traffic Mirroring and specify all EC2 instance network interfaces as the source. Send all traffic information through Amazon Kinesis Data Firehose to an Amazon Elasticsearch Service (Amazon ES) cluster that the security team uses for analysis.

Correct answer: C

Explanation

Application Load Balancer (ALB) access logs capture detailed HTTP/HTTPS request information, including the client's IP address, connection type, and user agent, which can be easily queried using Amazon Athena when stored in Amazon S3. VPC Flow Logs do not capture application-layer details like user agents, making Option B incorrect. Detailed monitoring and Traffic Mirroring (Options A and D) do not provide a straightforward way to extract these specific HTTP attributes and are much more complex to implement.