Q52 — AWS ANS-C01 Ch.1

Question 52 of 100

A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs to determine which pod IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

Explanation

To meet the security team's requirements, namely determining which pod IP addresses are communicating with which services across the VPC while limiting the number of flow logs and examining only the traffic of the two applications, an efficient log-collection strategy is needed. Option D proposes creating VPC flow logs in a custom format and setting a filter to collect flow logs only from the EKS nodes. This approach targets the traffic on the EKS nodes precisely and avoids collecting unnecessary data, which lowers the operational overhead. At the same time, including the pkt-srcaddr and pkt-dstaddr fields ensures that the packet-level source and destination IP addresses are captured, which is essential for analysing communication between pods and services. Option D is therefore the solution that best fits the question's requirements.
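The point behind pkt-srcaddr and pkt-dstaddr is that, with the VPC CNI, pod IPs are secondary addresses on the node's ENI, so the standard srcaddr/dstaddr fields show the ENI address rather than the pod. The following added example (not part of the original page or any AWS tooling) parses constructed custom-format flow-log records from a node ENI and attributes each flow to the audited pod IPs using the packet-level fields; the log format, ENI id, IP addresses and the set of audited pod IPs are all assumed sample values.

```python
from collections import defaultdict

# Assumed custom flow-log format, in the order the fields are emitted.
LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} "
              "${pkt-srcaddr} ${pkt-dstaddr} ${dstport} ${protocol} ${action}")

# Constructed sample records from one EKS node ENI. For outbound traffic srcaddr
# is the ENI's primary address (10.0.1.10); pkt-srcaddr carries the real pod IP.
SAMPLE_LOG = """\
2 eni-0aaa1111 10.0.1.10 10.0.2.50 10.0.1.33 10.0.2.50 5432 6 ACCEPT
2 eni-0aaa1111 10.0.1.10 10.0.3.20 10.0.1.34 10.0.3.20 443 6 ACCEPT
2 eni-0aaa1111 10.0.9.9 10.0.1.10 10.0.9.9 10.0.1.33 8080 6 REJECT
2 eni-0aaa1111 10.0.1.10 10.0.2.50 10.0.1.77 10.0.2.50 5432 6 ACCEPT
"""

# Constructed: pod IPs of the two audited applications (e.g. from kubectl get pods -o wide).
AUDITED_PODS = {"10.0.1.33", "10.0.1.34"}


def parse_record(line, log_format=LOG_FORMAT):
    """Map one space-separated record onto the field names of the custom format."""
    names = [tok.strip("${}") for tok in log_format.split()]
    values = line.split()
    if len(values) != len(names):
        raise ValueError(f"record has {len(values)} fields, format has {len(names)}")
    return dict(zip(names, values))


def pod_flows(log_text, pods, log_format=LOG_FORMAT):
    """Return {pod_ip: {(peer_ip, dstport, action), ...}} for the audited pods only.

    Attribution uses pkt-srcaddr/pkt-dstaddr; keying on srcaddr/dstaddr instead
    would collapse every outbound flow onto the node ENI address.
    """
    flows = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line, log_format)
        src, dst = rec["pkt-srcaddr"], rec["pkt-dstaddr"]
        if src in pods:
            flows[src].add((dst, rec["dstport"], rec["action"]))
        elif dst in pods:
            flows[dst].add((src, rec["dstport"], rec["action"]))
    return dict(flows)


if __name__ == "__main__":
    for pod, peers in sorted(pod_flows(SAMPLE_LOG, AUDITED_PODS).items()):
        for peer, port, action in sorted(peers):
            print(f"{pod} -> {peer}:{port} {action}")
```

Flows from pods outside the audited set (10.0.1.77 above) are dropped, which is the same narrowing the filter on EKS node ENIs achieves at the log-collection level. A REJECT row against an audited pod is the signal the audit is looking for: traffic the NACLs or security groups blocked.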