Q6 — AWS ANS-C01 Ch.1

Question 6 of 100

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. Which solution will meet these requirements?

Correct Answer: D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analysis fails. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

Explanation

该题考察在AWS环境中自动化监控安全组变更对网络连通性影响的能力。AWS文档指出,VPC Reachability Analyzer可验证网络路径的连通性。正确配置需要将互联网网关作为路径源,代表来自公共互联网的流量;目标为EC2实例的私有IP,并指定端口443。选项D的路径配置正确,而选项C错误地将安全组作为源。当安全组变更时,EventBridge规则触发Lambda函数执行可达性分析,若失败则通过SNS通知工程师。VPC Flow Logs(选项A和B)被动记录日志,无法主动验证路径有效性,因此不符合"变更时立即验证"的需求。答案原文依据:AWS VPC Reachability Analyzer支持从网关资源(如Internet Gateway)到EC2实例的路径分析,结合EventBridge与Lambda实现自动化检测(AWS re:Invent 2020,安全性与合规性分论坛)。