Q39 — AWS SCS-C02 Ch.1
A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver. Which solution will meet these requirements?
- A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target.
- B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
- C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name. ✓
- D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
Correct Answer: C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
Explanation
This question tests Route 53 Resolver query logging. Per the AWS documentation, Resolver query logs record every DNS query that a resource in the VPC sends to the Route 53 Resolver, and each record includes the source IP address (`srcaddr`), the originating instance ID where one exists (`srcids.instance`) and the queried name (`query_name`). Queries that Resolver forwarding rules send to the on-premises DNS servers pass through the Resolver, so they appear in these logs. Option C enables query logging on the relevant VPCs, delivers the logs to CloudWatch Logs and uses CloudWatch Logs Insights to search on exactly those two fields, which is what the mandate requires.

Option A: VPC Traffic Mirroring copies raw packets to an ENI, a Network Load Balancer or a Gateway Load Balancer endpoint; CloudWatch Logs is not a valid mirror target, and you would still have to parse DNS out of the mirrored packets yourself. Option B: VPC flow logs record only IP flow metadata (addresses, ports, protocol, byte and packet counts); they show that an instance talked to port 53 but never the DNS name that was asked for. Option D: Resolver rules only define which domains are forwarded to which target IPs; they do not emit logs, so there is nothing for the rule to send to S3 (S3 is a valid destination for a Resolver query log configuration, but that configuration is what option C describes, not a rule).

Caveat for the real deployment: Resolver query logging covers only queries that reach the Route 53 Resolver (the VPC+2 address or a Resolver inbound endpoint). An instance that is configured to talk directly to the on-premises DNS server IPs bypasses the Resolver and its rules and will not show up in these logs, so pair the logging with security group or network ACL rules that block outbound port 53 to anything other than the Resolver if the mandate is to be complete.
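The analysis an operator runs once the logs exist, as an added example that is not part of the exam page: it parses Resolver query log records in the documented JSON format, keeps only queries under the domains the forwarding rules send on-premises, and aggregates them by source IP and queried name, which is what a CloudWatch Logs Insights query over the same log group would return. The log records, the forwarded domain `corp.example.internal` and the instance IDs are constructed for the example; the field names (`srcaddr`, `srcids.instance`, `query_name`, `query_type`, `rcode`) are the ones the Resolver query log format uses.

```python
"""Analyse Route 53 Resolver query log records for queries forwarded on-prem.

Added example, not from the exam page. The log records and the forwarded
domain below are constructed; the record layout follows the Resolver
query log JSON format (one JSON object per log event).
"""
import json
from collections import Counter

# Domains that the (assumed) Resolver forwarding rules send to on-prem DNS.
FORWARDED_DOMAINS = ("corp.example.internal.",)


def _record(srcaddr, instance, query_name, query_type, rcode, rdata=None):
    """Build one constructed Resolver query log event as CloudWatch stores it."""
    answers = [] if rdata is None else [
        {"Rdata": rdata, "Type": query_type, "Class": "IN"}]
    return json.dumps({
        "version": "1.100000",
        "account_id": "111122223333",
        "region": "us-east-1",
        "vpc_id": "vpc-0example",
        "query_timestamp": "2024-05-01T10:00:00Z",
        "query_name": query_name,
        "query_type": query_type,
        "query_class": "IN",
        "rcode": rcode,
        "answers": answers,
        "srcaddr": srcaddr,
        "srcport": "53",
        "transport": "UDP",
        "srcids": {"instance": instance},
    })


# Constructed sample log lines: two instances, four forwarded queries and one
# AWS name that the Resolver answers locally (so it is not forwarded).
SAMPLE_LOG_LINES = [
    _record("10.0.1.25", "i-0a1b2c3d4e5f67890",
            "db01.corp.example.internal.", "A", "NOERROR", "10.20.30.40"),
    _record("10.0.1.25", "i-0a1b2c3d4e5f67890",
            "db01.corp.example.internal.", "A", "NOERROR", "10.20.30.40"),
    _record("10.0.2.77", "i-0fedcba9876543210",
            "ldap.corp.example.internal.", "SRV", "NOERROR"),
    _record("10.0.2.77", "i-0fedcba9876543210",
            "s3.us-east-1.amazonaws.com.", "A", "NOERROR", "52.216.0.1"),
    _record("10.0.1.25", "i-0a1b2c3d4e5f67890",
            "nosuch.corp.example.internal.", "A", "NXDOMAIN"),
]


def is_forwarded(query_name, domains=FORWARDED_DOMAINS):
    """True if query_name is the forwarded domain or a name beneath it.

    Matching is on DNS labels, so 'notcorp.example.internal.' does not match
    'corp.example.internal.'. Names are normalised to lowercase and a
    trailing dot, as the Resolver logs them.
    """
    name = query_name.lower()
    if not name.endswith("."):
        name += "."
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_records(lines):
    """Extract the fields the mandate asks for from raw log lines."""
    parsed = []
    for line in lines:
        rec = json.loads(line)
        parsed.append({
            "srcaddr": rec["srcaddr"],
            "instance": rec.get("srcids", {}).get("instance"),
            "query_name": rec["query_name"],
            "query_type": rec["query_type"],
            "rcode": rec["rcode"],
        })
    return parsed


def forwarded_query_counts(lines, domains=FORWARDED_DOMAINS):
    """Count forwarded queries keyed by (source IP, queried name)."""
    counts = Counter()
    for rec in parse_records(lines):
        if is_forwarded(rec["query_name"], domains):
            counts[(rec["srcaddr"], rec["query_name"])] += 1
    return dict(counts)


def instances_by_source(lines):
    """Map each source IP to the instance IDs the logs attribute to it."""
    mapping = {}
    for rec in parse_records(lines):
        if rec["instance"]:
            mapping.setdefault(rec["srcaddr"], set()).add(rec["instance"])
    return mapping


def insights_query(domain):
    """The equivalent CloudWatch Logs Insights query for the same question."""
    suffix = domain.rstrip(".").replace(".", r"\.")
    return (
        "fields @timestamp, srcaddr, srcids.instance, query_name, query_type, rcode\n"
        f"| filter query_name like /{suffix}\\.$/\n"
        "| stats count(*) as queries by srcaddr, query_name\n"
        "| sort queries desc"
    )


if __name__ == "__main__":
    for (src, name), n in sorted(forwarded_query_counts(SAMPLE_LOG_LINES).items()):
        print(f"{src:<12} {name:<35} {n}")
    print(insights_query("corp.example.internal"))
```

Before any of this applies, the logging itself is turned on with `aws route53resolver create-resolver-query-log-config` (destination set to the CloudWatch Logs log group ARN) followed by `aws route53resolver associate-resolver-query-log-config --resource-id vpc-...` for each VPC in scope; the Insights query returned by `insights_query` is then run against that log group.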