Q30 — AWS ANS-C01 Ch.1

Question 30 of 100

A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead. Which solution will meet these requirements?

Correct Answer: C. Use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are generating the suspicious traffic.

Explanation

The goal here is to determine which AWS resource is generating the suspicious traffic while keeping cost and administrative overhead to a minimum. Option A captures and analyzes the traffic with EC2 instances and Traffic Mirroring, but this adds EC2 cost and management complexity. Option B uses VPC flow logs together with a SIEM solution; although effective, deploying and configuring a SIEM can increase cost and complexity. Option C uses VPC flow logs published to CloudWatch Logs and queried with CloudWatch Logs Insights. This approach is both economical and efficient, because CloudWatch Logs Insights provides powerful query capabilities for analyzing the flow logs without deploying a complex SIEM system. Option D uses advanced services such as Kinesis and Athena, but this approach is likely to be higher in cost and management complexity and does not fit the requirement to minimize cost and overhead. Therefore, option C is the best choice.