Q60 — AWS ANS-C01 Ch.1
A company has a transit gateway in a single AWS account. The company sends flow logs for the transit gateway to an Amazon CloudWatch Logs log group. The company created an AWS Lambda function to analyze the logs. The Lambda function sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a VPC generates traffic that is dropped by the transit gateway. Each notification contains the account ID, VPC ID, and total amount of dropped packets. The company wants to subscribe a new Lambda function to the SNS topic. The new Lambda function must automatically prevent the traffic that is identified in each notification from leaving a VPC by applying a network ACL to the transit gateway attachment subnets in the VPC that generates the traffic. Which solution will meet these requirements?
- A. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the destination IP addresses in the network ACL.
- B. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the source IP addresses in the network ACL. ✓
- C. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the source IP addresses in the network ACL.
- D. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the destination IP addresses in the network ACL.
Correct Answer: B. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the source IP addresses in the network ACL.
Explanation
This question tests AWS network ACL configuration and the handling of traffic direction. AWS documentation states that the inbound rules of a network ACL control traffic entering the subnet. The existing Lambda function adds the source IP addresses (the addresses that originated the dropped traffic) to each notification, and the new Lambda function uses them to block those sources in an inbound rule, preventing them from entering the subnet and thereby stopping subsequent traffic from being dropped by the transit gateway. Option B is the correct pairing of source IP addresses with an inbound rule. The other options do not correctly match the traffic direction with the rule type.