Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 318 discussion

C. VPC Flow Logs Flow logs capture network traffic in your VPC, including RDP traffic (TCP port 3389). This is the only way to detect RDP session attempts from a network perspective without needing to install agents on the instances. D. CloudWatch Logs destination for flow logs To analyze flow logs, you must send them somewhere — CloudWatch Logs is a common destination. Once in CloudWatch Logs, you can search and filter for RDP traffic patterns. E. Metric filter on the log group You can create a CloudWatch metric filter to count log events that match RDP connections. Filter pattern would look for destination port 3389 and action "ACCEPT".

C. Create a flow log in VPC Flow Logs. • Why? VPC Flow Logs capture information about the traffic to and from network interfaces in your VPC. This is crucial for identifying and analyzing RDP sessions, which use TCP port 3389 by default. D. Create an Amazon CloudWatch Logs log group. Specify the log group as a destination for the flow log. • Why? The captured VPC Flow Logs must be stored in a destination to enable analysis. Specifying a CloudWatch Logs log group allows for centralized storage and querying of logs. E. Create a log group metric filter. • Why? A metric filter enables you to extract specific metrics from the flow logs. You can filter for traffic using port 3389 (RDP) and create a metric to count the sessions.

I see CDE, no need for EventBridge

You can use a subscription filter with Amazon Kinesis Data Streams, AWS Lambda, or Amazon Data Firehos https://docs.aws.amazon.com/ja_jp/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

By using an Amazon ECR pull through cache rule (Option C) and setting up the necessary VPC endpoints for private ECR (Option E) and S3 (Option F), the company can: Eliminate Internet Access: Remove NAT gateways and internet gateways from the VPC. Maintain Image Access: Allow ECS tasks to pull images from both private and public ECR repositories without internet access. Ensure Image Updates: Automatically receive updates to public images within 24 hours via the pull through cache. Minimize Operational Overhead: Avoid complex setups with additional services like CodeBuild, Lambda, or custom scripts.

The best approach for collecting metrics about RDP sessions is to use VPC Flow Logs, send them to CloudWatch Logs, and then create a metric filter to extract the relevant information (such as RDP traffic on port 3389). Option B, D, and E cover the necessary steps for implementing this solution.