Q21 — AWS DOP-C02 Ch.3
A company’s DevOps engineer works in a multi-account environment. The company uses AWS Transit Gateway to route cross-account traffic through a network operations account. In the network operations account, all cross-account traffic is inspected by firewall appliances before being routed to the internet gateway. The firewall appliances send logs to Amazon CloudWatch Logs, including events with severity levels: Critical, High, Medium, Low, and Informational. The security team wants to receive alerts whenever any Critical event occurs. How should the DevOps engineer meet these requirements?
- A. Create an Amazon CloudWatch Synthetics canary to monitor firewall status. Use a CloudWatch alarm to publish notifications to an Amazon Simple Notification Service (Amazon SNS) topic if the firewall reaches a critical state or logs a critical event. Subscribe the security team’s email address to that topic.
- B. Create an Amazon CloudWatch metric filter by searching for critical events. Publish custom metrics based on the filter results. Use a CloudWatch alarm based on the custom metric to publish notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to that topic. ✓
- C. Enable Amazon GuardDuty in the network operations account. Configure GuardDuty to monitor flow logs. Create an Amazon EventBridge rule triggered by important GuardDuty findings. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target. Subscribe the security team’s email address to that topic.
- D. Use AWS Firewall Manager to apply consistent policies across all accounts. Create an Amazon EventBridge rule triggered by important Firewall Manager events. Define an Amazon Simple Notification Service (Amazon SNS) topic as the target. Subscribe the security team’s email address to that topic.
Correct Answer: B. Create an Amazon CloudWatch metric filter by searching for critical events. Publish custom metrics based on the filter results. Use a CloudWatch alarm based on the custom metric to publish notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to that topic.
Explanation
Log-based alerting requires turning log content into a metric that an alarm can evaluate. Because the firewall logs are already ingested into CloudWatch Logs, the most direct approach is a CloudWatch Logs metric filter that matches Critical events, a custom metric emitted from that filter, and a CloudWatch alarm on the metric that publishes to an SNS topic the security team subscribes to. Option B implements this pattern directly. Option A's CloudWatch Synthetics canaries monitor endpoint availability, not log content. Option C's GuardDuty analyzes VPC Flow Logs, not the firewall appliances' own logs. Option D's Firewall Manager governs policy enforcement across accounts, not log-derived alerts. Option B is therefore the only solution that uses the existing log ingestion and enables precise, severity-based alerting.
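To make the option B pipeline concrete, the following added example (not part of the question set, and not AWS code) re-implements locally, in simplified form, what CloudWatch does at each stage: a JSON metric-filter pattern evaluated against constructed sample log lines, aggregation of the matches into per-period Sum datapoints the way a metric transformation with `metricValue=1` and `defaultValue=0` would, and a one-period alarm evaluation. It assumes the firewall appliance writes JSON log events with a `severity` field and a `ts` epoch field; the log lines are constructed, and the period that contains no log events at all is included deliberately to show why the alarm's missing-data setting matters.

```python
"""Local simulation of CloudWatch Logs metric filter -> custom metric -> alarm.
Added illustration only: this is not AWS code and the service itself is not
called; it reproduces the pipeline logic so it can run offline."""
import json
from collections import defaultdict

# Constructed sample firewall log events (hypothetical appliance format).
# Timestamps are chosen so they fall into four 60-second periods, the last of
# which receives no events at all.
SAMPLE_LOG_LINES = [
    '{"ts": 1700000040, "severity": "Informational", "msg": "session opened"}',
    '{"ts": 1700000052, "severity": "Low", "msg": "policy hit"}',
    '{"ts": 1700000070, "severity": "Critical", "msg": "signature match"}',
    '{"ts": 1700000115, "severity": "Medium", "msg": "policy hit"}',
    '{"ts": 1700000170, "severity": "High", "msg": "connection dropped"}',
    '{"ts": 1700000190, "severity": "Critical", "msg": "signature match"}',
    '{"ts": 1700000195, "severity": "Critical", "msg": "signature match"}',
    'not json at all -- a malformed line the appliance emitted',
]

# The JSON filter pattern that would be given to `aws logs put-metric-filter`
# (assumption: the appliance logs a JSON field named "severity").
FILTER_PATTERN = '{ $.severity = "Critical" }'
METRIC_VALUE = 1      # metricTransformations[].metricValue
DEFAULT_VALUE = 0     # metricTransformations[].defaultValue
PERIOD_SECONDS = 60   # alarm period


def matches_filter(line, severity="Critical"):
    """Simplified evaluation of FILTER_PATTERN: true only if the line parses
    as a JSON object whose $.severity equals the target."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False  # a JSON pattern never matches a non-JSON line
    return isinstance(event, dict) and event.get("severity") == severity


def metric_datapoints(lines, period=PERIOD_SECONDS):
    """Aggregate matches into per-period Sum datapoints.
    With defaultValue=0, every period that saw any parseable event gets a
    datapoint (0 when nothing matched); periods with no events get none.
    Simplification: lines without a usable "ts" field are skipped."""
    sums = defaultdict(int)
    for line in lines:
        try:
            ts = json.loads(line)["ts"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue
        bucket = ts - (ts % period)
        sums[bucket] += METRIC_VALUE if matches_filter(line) else DEFAULT_VALUE
    return dict(sorted(sums.items()))


def alarm_state(datapoints, period_start, threshold=1,
                treat_missing_data="notBreaching"):
    """Evaluate one period like an alarm with Statistic=Sum,
    ComparisonOperator=GreaterThanOrEqualToThreshold, EvaluationPeriods=1.
    Returns "ALARM", "OK" or "INSUFFICIENT_DATA"."""
    value = datapoints.get(period_start)
    if value is None:  # no datapoint: TreatMissingData decides the outcome
        return {"notBreaching": "OK", "breaching": "ALARM",
                "missing": "INSUFFICIENT_DATA"}[treat_missing_data]
    return "ALARM" if value >= threshold else "OK"


def evaluate_pipeline(lines, treat_missing_data="notBreaching"):
    """Run the lines through filter -> metric -> alarm and return the state
    per period, including the trailing quiet period with no log events."""
    points = metric_datapoints(lines)
    first, last = min(points), max(points)
    return {
        start: alarm_state(points, start, treat_missing_data=treat_missing_data)
        for start in range(first, last + 2 * PERIOD_SECONDS, PERIOD_SECONDS)
    }


if __name__ == "__main__":
    for start, state in evaluate_pipeline(SAMPLE_LOG_LINES).items():
        print(start, state)
```

In the real service the same three stages are `aws logs put-metric-filter` (with `--filter-pattern` and `--metric-transformations` carrying `metricValue` and `defaultValue`), `aws cloudwatch put-metric-alarm` (where `--treat-missing-data notBreaching` keeps a quiet firewall from parking the alarm in INSUFFICIENT_DATA, as the last period in the simulation shows), and `aws sns subscribe --protocol email` for the security team's address. The `defaultValue=0` setting is what gives periods with only non-Critical traffic a datapoint of 0 rather than no datapoint.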