ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 44 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 44
Topic #: 1
[All AWS Certified Security - Specialty Questions]

An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.
How can the Application team's requirements be met?

  • A. Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
  • B. Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
  • C. Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
  • D. Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by roger8978 at Dec. 29, 2021, 1:54 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
BKhan
Highly Voted 3 years, 1 month ago
Ans is A; AWS Config rule for each network ACL and security group is not a good option. If we have 100 ACL and SG means we need 100 rules. VPC Flow log is an easy option and no need to manual work.
upvoted 10 times
...
Sickcnt
Most Recent 1 year, 7 months ago
Selected Answer: C
Cloud Network Engineer here: Imagine a scenario: You write a Network ACL random network for eg 99.0.0.0/24 is DENIED and everything else 0.0.0.0/0 is ALLOWED You start testing and see Flow Logs. You see that everything is ALLOWED for 5 hours straight you are happy and go to bed But what happens if everything is allowed cause data was NOT generated from 99.0.0.0/24 during the test? In order for Answer A to be correct is to test EVERY SINGLE THING thats on the ACL (and that could be 70-80-90 rules not just the 2 I wrote) I would go with Option C
upvoted 1 times
shammous
3 months, 3 weeks ago
AWS Config is great for tracking configuration compliance and auditing changes to ACLs and security groups. VPC Flow Logs are the better choice for analyzing network traffic and verifying that ACLs and security groups are performing as expected. Option A is the correct answer in this case.
upvoted 1 times
...
Sickcnt
1 year, 7 months ago
For option C with AWS Config we have a couple of rules that I found that could monitor the Security Group: vpc-sg-open-only-to-authorized-ports: "Checks if security groups allowing unrestricted incoming traffic ('0.0.0.0/0' or '::/0') only allow inbound TCP or UDP connections on authorized ports. The rule is NON_COMPLIANT if such security groups do not have ports specified in the rule parameters."
upvoted 1 times
...
Sickcnt
1 year, 7 months ago
The more I think about it Option A could be an option if they are specifically testing for their applications I guess.. :\
upvoted 1 times
...
...
ITGURU51
1 year, 9 months ago
A is the best answer because it gets the job done and is more efficient than C.
upvoted 2 times
virtual
1 year ago
Yes I think the goal is to check whether there are not REJECT records. So A is correct.
upvoted 1 times
...
...
Blue15
1 year, 9 months ago
Selected Answer: A
A is the answer. I present the evidence below. https://docs.aws.amazon.com/en_us/vpc/latest/userguide/flow-logs.html
upvoted 3 times
...
MikeDuB
2 years, 2 months ago
Answer is A to me. C is an overkill
upvoted 1 times
...
boooliyooo
2 years, 2 months ago
I don't see this question as Compliance but rather; as an operation flow instead. Making sure things are working.
upvoted 1 times
...
arae
2 years, 3 months ago
I dont understand how A is right? If we use config then we are 99% sure that the acl and sg are working as expected all the time, if we use the vpc flow logs with athena then we need to query the s3 every single time we want to check right? I went with C but please tell me how am i wrong.
upvoted 2 times
...
arae
2 years, 4 months ago
isnt the answer C? i mean this is a compliance use case
upvoted 3 times
...
sapien45
2 years, 5 months ago
Selected Answer: A
Amazon Athena is an interactive query service that enables you to analyze data in Amazon S3, such as your flow logs, using standard SQL. You can use Athena with VPC Flow Logs to quickly get actionable insights about the traffic flowing through your VPC. For example, you can identify which resources in your virtual private clouds (VPCs) are the top talkers or identify the IP addresses with the most rejected TCP connections. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-athena.html
upvoted 2 times
...
lotfi50
2 years, 8 months ago
Selected Answer: A
A is a good answer
upvoted 2 times
...
roger8978
3 years, 1 month ago
C..... AWS Config rule > Manage Remediation > S3 > Athena
upvoted 2 times
...
argol
3 years, 1 month ago
A, "https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/"
upvoted 2 times
...
roger8978
3 years, 1 month ago
Compliance so it should be C
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago