Exam ANS-C00 topic 1 question 58 discussion

Flow logs are L4 only. The question clearly says L7 logging. The decision is between B&D. There is no way/option to take packet captures at a VPC level, you have to do it at interface level so its B.

Out of all the options ACCEPT/REJECT will be shown by VPC logs. Packet Sniffing will not show if a packet was discarded or will be discarded (depending on where you sniff). The Cloudwatch - seems more like a monitoring tool that can collect among other things, also the VPC logs but not enable them. So I would go with C as the closest answer

Flow Logs doesn't contain l7 information. Only L4. Packet sniffing is not possible on the vpc level. Cloud Watch will not show REJECTED traffic. That give us only B as an option.

A - cloudwatch is going to receive the data from an agent installed on the instances, so it's only going to log what's reaches the instance, so it won't see REJECT traffic. B - on instance level, won't see REJECT traffic C - will get REJECT, but it's specifically stated in documentation that Flow Logs are L4 only. D - if this means packet mirroring, it can be defined for several instances, and will log REJECT traffic, so this looks like the correct answer

the only way to troubleshoot ACCEPT/REJECT is to use VPC Flow logs where you use metric filters

Since flow logs are with 5 tuples(src/dst ip , src/dst port and protocol) which says only L4 info. L2-L7 info can be taken by capturing only. I would go with B

The answer is C. The VPC flow log can diagnose allowed and denied traffic based on security groups and NACL rules, so it can log layer 7 protocols for all network traffic (ACCEPT / REJECT) on the instance. I can do it.

B => Traffic Mirroring works at interface level, also in the question it asks "application layer logs" which means some filter need to be there. Traffice mirroring -has the filtering capability.

If packet sniffing = Traffic Mirroring, then Correct Answer is D. This ismanaged at VPC level. So easy to maintain. https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/

There should be Traffic Mirroring option or B is the ans

The question clearly says multiple EC2 instances, so instance level sniffing might not work. With VPC traffic mirroring feature, you can sniff traffic at VPC level, please see the link below. Therefore I am going with answer D https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/

Not C https://www.guardicore.com/2018/02/improving-workload-security-in-aws/

The question is asking to log accept/reject traffic in layer 7. Flow Logs collects the protocol, accept/reject among other stuff, so it does the work. C should be the right one.

Here is a paragraph taken from: https://www.guardicore.com/2018/02/improving-workload-security-in-aws/?from=singlemessage&isappinstalled=0 "While we highly recommend using VPC Flow Logs, you should be aware that this feature only works on Layer 4 of TCP/IP stack and that it is restricted to network-level monitoring. More sophisticated attacks are carried out on Layer 7, so it’s important that your organization invests in the right combination of tools; doing so will give you the complete security picture of your environment that is running in AWS." On the other hand, another article argues that "Because a significant portion of today’s network traffic is encrypted and application data is unavailable for analysts, the lack of Layer 7 information in flow records is of little concern. Flow analysis techniques work exactly the same for both encrypted and unencrypted communications. This makes flow analysis a great method for threat hunting without the need for SSL/TLS interception and full-packet capture." Taking all of these into account, I will go with C because it will generate a ACCEPT/REJECT for layer 7 protocol (http, https, ssh etc).

C cannot be the answer since VPC Flow Logs doesn't support Layer 7 information. I would go with D here since B doesn't can't tell us if a packet got rejected by the instance.

C is the answer. Straight out of AWS documentation: VPC Flow logs include ACCEPT/REJECT field https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-accepted-rejected 2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK 2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

My answer is C