Q62 — AWS ANS-C01 Ch.1
A company is developing a new application that is deployed in multiple VPCs across multiple AWS Regions. The VPCs are connected through AWS Transit Gateway. The VPCs contain private subnets and public subnets. All outbound internet traffic in the private subnets must be audited and logged. The company's network engineer plans to use AWS Network Firewall and must ensure that all traffic through Network Firewall is completely logged for auditing and alerting. How should the network engineer configure Network Firewall logging to meet these requirements?
- A. Configure Network Firewall logging in Amazon CloudWatch to capture all alerts. Send the logs to a log group in Amazon CloudWatch Logs.
- B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs. ✓
- C. Configure Network Firewall logging by configuring VPC Flow Logs for the firewall endpoint. Send the logs to a log group in Amazon CloudWatch Logs.
- D. Configure Network Firewall logging by configuring AWS CloudTrail to capture data events.
Correct Answer: B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs.
Explanation
AWS Network Firewall writes two log types that matter here: alert logs, which record an event each time a stateful rule with an alert or drop action matches traffic, and flow logs, which record metadata for all traffic that passes through the firewall's stateful engine (a separate TLS log type exists only for TLS inspection events). Each log type is enabled independently in the firewall's logging configuration and sent to Amazon S3, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream. Per the AWS documentation, complete logging of traffic through the firewall therefore requires enabling both alert logs and flow logs, which is what option B does.

Option A captures only alert logs, so traffic that matches no alerting rule is never recorded. Option C confuses VPC Flow Logs with firewall logs: VPC Flow Logs on the firewall endpoint's network interface record packets entering and leaving the endpoint but carry no rule verdicts or firewall context. Option D is wrong because CloudTrail records API activity (management and data events), not network traffic metadata. One caveat worth knowing: Network Firewall flow and alert logs cover only traffic forwarded to the stateful engine, so packets dropped or passed outright by stateless rules do not appear in them; a stateless default action of "forward to stateful rules" keeps the audit trail complete.
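As an added example (not from the exam page), the following Python audits a firewall's logging configuration for the ALERT and FLOW log types and adds whichever is missing. It mirrors the real boto3 `network-firewall` client methods `describe_logging_configuration` and `update_logging_configuration`, including the API constraint that one update call may add or remove only a single log destination. The firewall ARN, the log group names, and the `FakeNetworkFirewallClient` stand-in are constructed assumptions so the block runs offline; pass a real `boto3.client("network-firewall")` in their place to apply it to an account.

```python
"""Audit and complete AWS Network Firewall logging (ALERT + FLOW).

Added example, not code from the exam page. Assumptions (constructed):
  - FIREWALL_ARN and the CloudWatch log group names below are placeholders
  - FakeNetworkFirewallClient stands in for boto3.client("network-firewall");
    any object exposing the same two methods works.
"""
from typing import Dict, List, Set

REQUIRED_LOG_TYPES = ("ALERT", "FLOW")          # what "complete logging" means here
FIREWALL_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall/egress-fw"  # placeholder


def cloudwatch_destination(log_type: str, log_group: str) -> Dict:
    """Build one LogDestinationConfig entry targeting a CloudWatch Logs group."""
    return {
        "LogType": log_type,                      # "ALERT" | "FLOW" | "TLS"
        "LogDestinationType": "CloudWatchLogs",   # or "S3" / "KinesisDataFirehose"
        "LogDestination": {"logGroup": log_group},
    }


def configured_log_types(logging_configuration: Dict) -> Set[str]:
    """Log types already present in a LoggingConfiguration dict."""
    return {c["LogType"] for c in logging_configuration.get("LogDestinationConfigs", [])}


def missing_log_types(logging_configuration: Dict) -> List[str]:
    """Required log types not yet configured, in REQUIRED_LOG_TYPES order."""
    present = configured_log_types(logging_configuration)
    return [t for t in REQUIRED_LOG_TYPES if t not in present]


def ensure_full_logging(client, firewall_arn: str, alert_group: str, flow_group: str) -> List[str]:
    """Add any missing ALERT/FLOW destination; returns the log types that were added.

    UpdateLoggingConfiguration accepts only one added or removed destination per
    call, so each missing type is applied with its own call.
    """
    resp = client.describe_logging_configuration(FirewallArn=firewall_arn)
    config = resp.get("LoggingConfiguration") or {"LogDestinationConfigs": []}
    configs = list(config.get("LogDestinationConfigs", []))
    groups = {"ALERT": alert_group, "FLOW": flow_group}
    added = []
    for log_type in missing_log_types(config):
        configs.append(cloudwatch_destination(log_type, groups[log_type]))
        client.update_logging_configuration(
            FirewallArn=firewall_arn,
            LoggingConfiguration={"LogDestinationConfigs": list(configs)},
        )
        added.append(log_type)
    return added


class FakeNetworkFirewallClient:
    """Constructed offline stand-in for boto3.client('network-firewall')."""

    def __init__(self, initial_configs):
        self.configs = list(initial_configs)
        self.update_calls = 0

    def describe_logging_configuration(self, FirewallArn):
        return {"FirewallArn": FirewallArn,
                "LoggingConfiguration": {"LogDestinationConfigs": list(self.configs)}}

    def update_logging_configuration(self, FirewallArn, LoggingConfiguration):
        new = LoggingConfiguration["LogDestinationConfigs"]
        # Mirror the real API: at most one destination added or removed per call.
        if abs(len(new) - len(self.configs)) > 1:
            raise ValueError("UpdateLoggingConfiguration changes one destination per call")
        self.configs = list(new)
        self.update_calls += 1
        return {"FirewallArn": FirewallArn, "LoggingConfiguration": LoggingConfiguration}


if __name__ == "__main__":
    # Option A's state: alert logs only. The audit flags FLOW as missing and adds it.
    fw = FakeNetworkFirewallClient([cloudwatch_destination("ALERT", "/anfw/alert")])
    before = fw.describe_logging_configuration(FirewallArn=FIREWALL_ARN)["LoggingConfiguration"]
    print("missing before:", missing_log_types(before))
    print("added:", ensure_full_logging(fw, FIREWALL_ARN, "/anfw/alert", "/anfw/flow"))
    after = fw.describe_logging_configuration(FirewallArn=FIREWALL_ARN)["LoggingConfiguration"]
    print("missing after:", missing_log_types(after))
```

Run the audit half alone (`missing_log_types`) across every firewall returned by `list_firewalls` to find accounts that stopped at option A; the "fixing" half is idempotent, so it is safe to re-run.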