Q95 — AWS ANS-C01 Ch.1
Question 95 of 100, Chapter 1
A banking company has an application that must connect to specific public IP addresses from a VPC. A network engineer has configured routes in the route table that is associated with the application's subnet to the required public IP addresses through an internet gateway. The network engineer needs to set up email notifications that will alert the network engineer when a user adds a default route to the application subnet's route table with the internet gateway as a target. Which solution will meet these requirements with the LEAST implementation effort?
- A. Create an AWS Lambda function that reads the routes in the route table and sends an email notification. Configure the Lambda function to send an email notification if any route is configured with 0.0.0.0/0 or ::/0 CIDRs to the internet gateway. Configure the Lambda function to run every minute. ✓
- B. Create an AWS Lambda function that will be invoked by an Amazon EC2 CreateRoute API call. Configure the Lambda function to send an email notification. Configure the Lambda function to send an email notification if any route is configured with 0.0.0.0/0 or ::/0 CIDRs to the internet gateway.
- C. Create AWS Config rules for the route table by using the internet-gateway-authorized-vpc-only managed rule. Create an Amazon EventBridge rule to match the AWS Config rule and to route to an Amazon Simple Notification Service (Amazon SNS) topic to send an email notification.
- D. Create an AWS Config rule for the route table by using the no-unrestricted-route-to-igw managed rule. Create an Amazon EventBridge rule to match the AWS Config rule and to route to an Amazon Simple Notification Service (Amazon SNS) topic to send an email notification.
Correct Answer: A. Create an AWS Lambda function that reads the routes in the route table and sends an email notification. Configure the Lambda function to send an email notification if any route is configured with 0.0.0.0/0 or ::/0 CIDRs to the internet gateway. Configure the Lambda function to run every minute.
Explanation
The core of this question is real-time monitoring of whether a default route (0.0.0.0/0 or ::/0) pointing to the internet gateway has been added to the VPC route table. Among AWS native services, having Lambda poll the route table configuration on a schedule is the most direct solution. Option A uses Lambda to actively check the route table every minute; if a matching route is detected, it triggers a notification, without relying on complex integration with other services (such as AWS Config rule configuration or event rule matching), giving the shortest implementation path and simple code logic. The other options either require deep coupling to API-call triggers (option B's event source configuration is complex) or depend on AWS Config managed rules working together with EventBridge (C/D require ensuring the rules exist and are fully configured), all of which introduce extra complexity.