Q7 — AWS ANS-C01 Ch.1
A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application. The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware. Which solution will meet this requirement with the LEAST operational effort?
- A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs. ✓
- B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
- C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
- D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.
Correct Answer: A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
Explanation
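Answer A is correct. Amazon GuardDuty can analyze traffic patterns by inspecting DNS requests and VPC flow logs, which helps identify whether an application deployed on an EC2 instance is spreading malware. Compared with the other options, it is relatively simple to operate and effectively meets the requirement. Option B, deploying AWS managed decoy systems equipped with the most recent malware signatures, is more complex to operate. Option C, setting up a Gateway Load Balancer and running an IDS appliance on Amazon EC2 for traffic inspection, also requires considerable configuration and management work. Option D, configuring Amazon Inspector to perform deep packet inspection of outgoing traffic, is likewise complex to operate and may incur significant resource overhead. Taken together, option A is the solution that meets the requirement with the least operational effort.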