Q21 — AWS DOP-C02 Ch.3

A company’s DevOps engineer works in a multi-account environment. The company uses AWS Transit Gateway to route cross-account traffic through a network operations account. In the network operations account, all cross-account traffic is inspected by firewall appliances before being routed to the internet gateway. The firewall appliances send logs to Amazon CloudWatch Logs, including events with severity levels: Critical, High, Medium, Low, and Informational. The security team wants to receive alerts whenever any Critical event occurs. How should the DevOps engineer meet these requirements?

Correct Answer: B. Create an Amazon CloudWatch metric filter by searching for critical events. Publish custom metrics based on the filter results. Use a CloudWatch alarm based on the custom metric to publish notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to that topic.

Explanation

Log-based alerting requires turning log content into an actionable metric. Because the firewall logs are already ingested into CloudWatch Logs, the most direct approach is to match Critical events with a CloudWatch Logs metric filter, emit the matches as a custom metric, and alarm on that metric. Option B implements this pattern directly. Option A's CloudWatch Synthetics is for endpoint health monitoring, not log analysis. Option C's GuardDuty analyzes VPC Flow Logs, not firewall appliance logs. Option D's Firewall Manager governs policy enforcement, not log-derived alerts. Option B is therefore the only solution that leverages the existing log ingestion and enables precise, severity-based alerting.
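One way to implement option B end to end, as an added CloudFormation example that is not part of the original question or answer. The log group name, the metric namespace, and the assumption that the appliances emit JSON events with a `severity` field (a plain-text log would use the term filter `"Critical"` instead) are all assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Alert the security team on any Critical firewall event (added example)

Parameters:
  FirewallLogGroupName:
    Type: String
    # Assumed name of the existing log group the firewall appliances write to
    Default: /firewall/appliance-logs
  SecurityTeamEmail:
    Type: String

Resources:
  SecurityAlertsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: firewall-critical-alerts

  SecurityTeamSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref SecurityAlertsTopic
      Protocol: email
      Endpoint: !Ref SecurityTeamEmail

  # Metric filter: every log event whose severity field equals "Critical"
  # increments the custom metric by 1; DefaultValue keeps the metric at 0
  # when a period contains no matches, so the alarm can evaluate cleanly.
  CriticalEventFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref FirewallLogGroupName
      FilterPattern: '{ $.severity = "Critical" }'
      MetricTransformations:
        - MetricNamespace: Firewall/Security
          MetricName: CriticalEvents
          MetricValue: "1"
          DefaultValue: 0

  # Alarm on the custom metric: a Sum above 0 in any one-minute period
  # means at least one Critical event occurred, and SNS notifies the team.
  CriticalEventAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: firewall-critical-event
      Namespace: Firewall/Security
      MetricName: CriticalEvents
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref SecurityAlertsTopic
```

The email subscription only becomes active after the recipient confirms it, so verify the confirmation before relying on the alarm in production.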