Q51 — AWS DOP-C02 Ch.1
A company deploys an application in a production VPC within a single AWS account. The application is highly popular and experiences high usage. The security team wants to add additional security, such as AWS WAF, but the product manager is concerned about cost and does not want to approve additional spending unless the security team can demonstrate the necessity of extra protection. The security team notes that some application requests may originate from IP addresses on a deny list. The security team provides the DevOps engineer with this deny list. If any IP address from the deny list accesses the application, the security team wants near-real-time automated notifications so they can document that the application requires enhanced security. The DevOps engineer enables VPC Flow Logs for the production VPC.
- A. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to capture accepted traffic and send data to the log group. Create Amazon CloudWatch metric filters for IP addresses in the deny list. Use the metric filters as input to create CloudWatch alarms. Set the period to 5 minutes and the number of data points to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notifications to the security team. ✓
- B. Create an Amazon S3 bucket for log files. Configure VPC Flow Logs to capture all traffic and send data to the S3 bucket. Configure Amazon Athena to query all log files in the S3 bucket for IP addresses in the deny list. Configure Amazon QuickSight to consume Athena results and publish a dashboard accessible to the security team. Create an alert threshold of 1 for successful access. Configure the alert to auto-notify the security team as frequently as possible upon threshold breach.
- C. Create an Amazon S3 bucket for log files. Configure VPC Flow Logs to capture accepted traffic and send data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an AWS Lambda function to retrieve logs from the S3 bucket, format them, and load them into the OpenSearch cluster. Schedule the Lambda function to run every 5 minutes. Configure alerts and conditions in OpenSearch Service to send notifications to the security team via an Amazon Simple Notification Service (Amazon SNS) topic when access from a deny-listed IP is detected.
- D. Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to store query results. Configure VPC Flow Logs to capture all traffic and send data to the log group. Deploy the Amazon Athena CloudWatch Logs connector in AWS Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic originating from deny-listed IP addresses and store results in the S3 bucket. Configure S3 event notifications to automatically notify the security team via an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
Correct Answer: A. Create a log group in Amazon CloudWatch Logs. Configure VPC Flow Logs to capture accepted traffic and send data to the log group. Create Amazon CloudWatch metric filters for IP addresses in the deny list. Use the metric filters as input to create CloudWatch alarms. Set the period to 5 minutes and the number of data points to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notifications to the security team.
Explanation
Option A is the most cost-effective and operationally efficient solution. It uses native, low-overhead AWS services: VPC Flow Logs (capturing accepted traffic only, since only successful access from a deny-listed IP needs to be documented), CloudWatch metric filters (lightweight pattern matching on each log event as it arrives) and CloudWatch alarms (a simple threshold of one matching data point in a 5-minute period). This avoids expensive, complex infrastructure such as an OpenSearch cluster (Option C), an Athena/QuickSight pipeline (Option B) or Lambda/Athena/S3 orchestration (Option D). Metric filters give near-real-time detection with minimal latency and cost, and SNS delivers the notification to the security team immediately when the alarm fires. All other options introduce unnecessary service dependencies, higher costs and more management overhead.
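To make Option A concrete, here is an added example (not part of the exam material and not AWS code) that builds the CloudWatch Logs space-delimited metric filter pattern for a deny list, checks it offline against constructed VPC Flow Log records (RFC 5737 addresses, a placeholder account ID and interface ID) using a simplified re-implementation of the filter semantics, and mirrors the alarm threshold from the answer. The log group name, SNS topic ARN, metric namespace and filter/alarm names are assumptions; the `deploy` function is the only part that touches AWS and only runs when `--apply` is given.

```python
"""Offline check of the Option A metric filter, plus the deploy calls.
The evaluator below approximates CloudWatch's space-delimited matching;
it is not the AWS implementation (assumption: exact/glob field compare,
`||` OR-ing alternatives within one term)."""
import fnmatch
import ipaddress
import sys

# Default (version 2) VPC Flow Log field order as delivered to CloudWatch Logs.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed deny list and sample records (RFC 5737 test addresses,
# placeholder account and ENI ids). 2 accepted flows from deny-listed IPs,
# 1 rejected flow from a deny-listed IP, 1 accepted flow from a benign IP.
DENY_LIST = ["203.0.113.10", "198.51.100.7"]
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 44321 443 6 12 3480 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51000 443 6 9 2100 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51001 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 40010 443 6 20 9000 1700000000 1700000060 ACCEPT OK",
]


def build_filter_pattern(deny_ips):
    """One space-delimited pattern: srcaddr is any deny-listed IP AND action is ACCEPT.
    Every other field is a bare name, which matches anything."""
    ips = [str(ipaddress.ip_address(ip)) for ip in deny_ips]  # reject malformed entries early
    src_cond = " || ".join(f"srcaddr = {ip}" for ip in ips)
    terms = []
    for field in FLOW_LOG_FIELDS:
        if field == "srcaddr":
            terms.append(src_cond)
        elif field == "action":
            terms.append("action = ACCEPT")
        else:
            terms.append(field)
    return "[" + ", ".join(terms) + "]"


def _condition_holds(cond, value):
    """`name != value`, `name = value` (with * glob) or a bare name."""
    if "!=" in cond:
        _, expected = (s.strip() for s in cond.split("!=", 1))
        return not fnmatch.fnmatchcase(value, expected)
    if "=" in cond:
        _, expected = (s.strip() for s in cond.split("=", 1))
        return fnmatch.fnmatchcase(value, expected)
    return True


def evaluate_pattern(pattern, line):
    """Local approximation: each comma-separated term binds to one whitespace-
    separated field, and the event must have exactly as many fields as terms."""
    terms = [t.strip() for t in pattern.strip()[1:-1].split(",")]
    values = line.split()
    if len(terms) != len(values):
        return False
    for term, value in zip(terms, values):
        alternatives = [a.strip() for a in term.split("||")]
        if not any(_condition_holds(a, value) for a in alternatives):
            return False
    return True


def count_matches(pattern, lines):
    """What the metric filter would publish (Sum of metricValue 1 per match)."""
    return sum(1 for ln in lines if evaluate_pattern(pattern, ln))


def alarm_state(matches_in_period, threshold=1):
    """Alarm from Option A: Sum over one 5-minute period, 1 data point to alarm."""
    return "ALARM" if matches_in_period >= threshold else "OK"


def deploy(log_group, topic_arn, deny_ips, region=None):
    """Create the real metric filter and alarm (needs AWS credentials)."""
    import boto3  # imported lazily so the offline part runs without it
    logs = boto3.client("logs", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    logs.put_metric_filter(
        logGroupName=log_group,
        filterName="deny-list-accepted-flows",            # assumed name
        filterPattern=build_filter_pattern(deny_ips),
        metricTransformations=[{"metricName": "DenyListAcceptedFlows",
                                "metricNamespace": "Security/FlowLogs",  # assumed namespace
                                "metricValue": "1", "defaultValue": 0.0}],
    )
    cw.put_metric_alarm(
        AlarmName="deny-list-accepted-flows", Namespace="Security/FlowLogs",
        MetricName="DenyListAcceptedFlows", Statistic="Sum",
        Period=300, EvaluationPeriods=1, DatapointsToAlarm=1, Threshold=1,
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching",  # no deny-listed traffic is the normal state
        AlarmActions=[topic_arn],
    )


if __name__ == "__main__":
    pattern = build_filter_pattern(DENY_LIST)
    hits = count_matches(pattern, SAMPLE_FLOW_LOGS)
    print(pattern)
    print(f"{hits} accepted flow(s) from deny-listed IPs -> {alarm_state(hits)}")
    if "--apply" in sys.argv:  # python flowlog_filter.py --apply <log-group> <sns-topic-arn>
        deploy(sys.argv[2], sys.argv[3], DENY_LIST)
```

Run it without arguments to see the generated pattern and confirm that only the two accepted flows from deny-listed addresses count, so the rejected probe and the benign flow never raise the alarm. If the deny list is long, split it across several metric filters that publish the same metric, since CloudWatch Logs caps the number of metric filters per log group and the pattern length.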