Q22 — AWS SCS-C02 Ch.1
Question 22 of 100
A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications. EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitoring the Kubernetes-based applications. Which solution will cause GuardDuty to monitor the Kubernetes-based applications?
- A. Enable VPC flow logs for the VPC that hosts the EKS clusters.
- B. Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.
- C. Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.
- D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch. ✓
Correct Answer: D. Enable the control plane logs in Amazon EKS. Ensure that the logs are ingested into Amazon CloudWatch.
Explanation
Amazon GuardDuty's EKS Protection feature relies on EKS control plane logs to detect threats at the Kubernetes level. Enabling EKS Protection alone, without supplying the relevant log data, leaves GuardDuty unable to monitor the Kubernetes applications. By enabling control plane logs in Amazon EKS (covering components such as the API server, controller manager, scheduler, and etcd) and ingesting those logs into Amazon CloudWatch, GuardDuty obtains the log information it needs to provide security monitoring for the Kubernetes applications.