
Exam ANS-C00 topic 1 question 3 discussion

Exam question from Amazon's ANS-C00
Question #: 3
Topic #: 1

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.
Which two AWS Services could you leverage to build an automated notification system? (Choose two.)

  • A. Internet gateway
  • B. VPC Flow Logs
  • C. AWS CloudTrail
  • D. Lambda
  • E. AWS Inspector
Suggested Answer: BD

Comments

Steve2314
Highly Voted 3 years, 2 months ago
It should be B,D. VPC Flow Logs and Lambda.
upvoted 24 times
certificatores
3 years, 1 month ago
definitely https://www.sumologic.com/insight/use-aws-vpc-flow-logs/
upvoted 2 times
sapien45
2 years, 9 months ago
Completely useless answer. A third-party tool is not an option. AWS Flow Logs would be the best tool for port scanning analysis, Lambda for automation and scheduling. B and D.
upvoted 3 times
Ishu_awsguy
3 years, 1 month ago
No, it should be D and E. Inspector for port scan results and Lambda to trigger a notification when any finding comes.
upvoted 3 times
HAS
Highly Voted 2 years, 8 months ago
Selected Answer: BD
A: incorrect; obviously the IGW has nothing to do with security assessment.
B: correct; Flow Logs will show all traffic up to L4, good to detect any port scanning.
C: incorrect; CloudTrail is triggered only when an API is called, which is not the case for port scanning.
D: correct; Lambda will be triggered when port scanning is detected from Flow Logs.
E: incorrect; Inspector is a proactive vulnerability scanner for port vulnerabilities but does not detect a potential port scan.
upvoted 8 times
divine_love
Most Recent 5 months ago
B. VPC Flow Logs, D. Lambda. Explanation: VPC Flow Logs can be used to capture information about the IP traffic going to and from network interfaces in your VPC, which would include any port scans. AWS Lambda can then be used to automate the response to these logs, such as triggering a notification to the security team when a port scan is detected. AWS CloudTrail is used for auditing AWS account activity and would not directly detect a port scan. An Internet gateway is a component that allows communication between instances in your VPC and the internet, but it does not provide monitoring capabilities. AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS, but it does not monitor for port scans in real-time.
upvoted 1 times
PorkChop1999
9 months ago
Selected Answer: BD
This is not asking for us to scan the ports. It is rather asking for an automated solution to notify in case of port scanning event. While Inspector can provide scanning capabilities, that's not what we are asked for. FlowLogs allow to understand the ports scanned. Lambda can be used for analysis and automation.
upvoted 1 times
PavanKushwah123
1 year, 11 months ago
Correct Answer CD
upvoted 1 times
awsguru1998
1 year, 12 months ago
BE. You might need to run network port-scanning tools to test routing and firewall configurations, then validate what processes are listening on your instance network ports, before finally mapping the IPs identified in the port scan back to the host's owner. To make this process simpler for our customers, AWS recently released the Network Reachability rules package in Amazon Inspector, our automated security assessment service that enables you to understand and improve the security and compliance of applications deployed on AWS.
upvoted 1 times
jyrajan69
3 years, 1 month ago
Will go with B and D, based on "Are attempts being made to find open ports or other potential security vulnerabilities in your configuration?" True in this case. Nothing about having this done in real time.
upvoted 1 times
StelSen
3 years, 1 month ago
Everyone agreed that Answer D is one of the correct answers. So, let's leave this.
Option B: VPC Flow Logs (this is a reactive method, i.e. if someone scanned, then you will get the details in VPC Flow Logs and you can write a custom Lambda and take action). This will work for sure. https://blog.runpanther.io/aws-security-logging-vpc-flow-logs/
Option E: AWS Inspector (proactive method. This also works. Inspector analyzes the VPC SG, NACL, etc. configuration and will tell you the security issues proactively. I will definitely use this). https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/
So, after reading the question, they were asking 'Alert if someone scanned', so my answer would be "VPC Flow Logs" (from the exam point of view).
upvoted 3 times
Huy
3 years, 1 month ago
D & E. Check this link. It doesn't require Amazon Inspector agent to be installed. We can schedule a Lambda function to do this job. https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/
upvoted 2 times
NSF2
3 years, 1 month ago
The answer, in my opinion, is CD, because VPC Logs can have alarms but you can't create events; events can be created for CloudTrail and you can add targets, which would be SNS, Lambda etc.
upvoted 2 times
ExamTopicsFan
3 years, 1 month ago
Inspector tells you if there is a port vulnerability, i.e. an exposed port. It cannot tell if there was an attempt to do a port scan. That rules out the Amazon Inspector option.
upvoted 5 times
sapien45
2 years, 9 months ago
Agreed, the best alternative would be Flow Logs, whose job is to actually log accessed ports.
upvoted 1 times
ChauPhan
3 years, 1 month ago
Basically, a port scan is a method that sends a TCP SYN request to a specific port to detect whether it is open or not. So it can be recorded in VPC Flow Logs. So for me, B and D are the correct answers.
upvoted 1 times
Ishu_awsguy
3 years, 1 month ago
Where would you get the request type in VPC Flow Logs? Flow Logs won't show if it is SYN. No complications needed. When AWS Inspector can give you ready-made info, why do you want to make it complex by writing another Lambda to analyse if port scanning is happening in the Flow Logs data? For me D and E are best.
upvoted 4 times
ChauPhan
3 years, 1 month ago
"You are tasked with notifying the security team in the event your application is port scanned by external systems." Does AWS Inspector always run, or run on demand, or on a schedule? So can you detect the port scan at any time when your app is attacked?
upvoted 1 times
ChauPhan
3 years, 1 month ago
AWS Inspector will assess your security risks by a one-time run or a weekly schedule; it is like your virus scanning. Unfortunately, it does not provide run-time protection.
upvoted 1 times
ChauPhan
3 years, 1 month ago
I don't care about the TCP SYN type. I will check if the port range appearing in VPC logs is not used by my application port, or is increasing abnormally in range, and then I will notify.
upvoted 2 times
Huy
3 years, 1 month ago
Agree with Ishu. It's not easy to build an algorithm to detect a port scan action. You can schedule a Lambda function to run Amazon Inspector and another Lambda function to notify.
upvoted 1 times
firstabed
3 years, 1 month ago
C and D. VPC Flow Logs monitor the traffic to capture (accepted traffic, rejected traffic, or all traffic).
upvoted 1 times
Johnny_Green
3 years, 1 month ago
B and D are correct. Refer to the following link: https://www.sumologic.com/insight/use-aws-vpc-flow-logs/ One of the VPC Flow Logs values is the ability to detect and block vulnerability scans against their network by checking for ping sweeps, port scans and other malicious activity associated with attempts to discover weaknesses in the network. Once the sources of such scans are identified, security admins can block them from further access in order to prevent intrusions. In addition, to protect your AWS platform from being port scanned by external systems, you can use AWS Lambda scripts to run periodically.
upvoted 4 times
OKMAN
3 years, 1 month ago
It's either B/D or D/E. I lean toward B/D VPC Flow Logs for the port scan and Lambda for the trigger. https://www.flowtraq.com/working-vpc-flow-logs/
upvoted 1 times
Ishu_awsguy
3 years, 1 month ago
D and E for sure
upvoted 1 times
Ishu_awsguy
3 years, 1 month ago
B would only give you the data of inflow and outflow network logs; how would you know if any port scanning is being done? B is not the right answer.
upvoted 1 times
2aldous
3 years, 1 month ago
D and E Please check this: https://aws.amazon.com/es/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/
upvoted 4 times
Smartphone
3 years, 2 months ago
I will go with B and D. The destination/infrastructure ports scanned by a port scanner will be logged by VPC Flow Logs. Suppose, for example, that our infrastructure does not use Telnet (port 23). We want to be alerted when traffic is directed at this port, as this is most likely malicious traffic. VPC Flow Logs will record those scanned ports, and using AWS Lambda an alert can be generated for the administrators.
upvoted 3 times
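The detection logic that ChauPhan (alert when ports outside the application's own show up in the flow logs) and Smartphone (a Telnet probe recorded by Flow Logs and surfaced through Lambda) describe, as an added example that is not code from the page or from any commenter: a pure-Python routine that parses default-format VPC Flow Log records and flags sources touching several ports the application does not serve. The records, account id, ENI id and addresses are constructed; the SNS publish call a real Lambda would make with boto3 is left out and only the message body is built.

```python
from collections import defaultdict

# Field order of a default-format (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real traffic): 198.51.100.7 probes many
# ports on the web-tier host, 203.0.113.9 is an ordinary HTTPS client.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 21 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 22 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40003 23 6 1 44 1700000001 1700000031 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40004 25 6 1 44 1700000001 1700000031 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40005 443 6 3 180 1700000002 1700000032 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40006 3306 6 1 44 1700000003 1700000033 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51001 443 6 18 3600 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Split default-format lines into dicts; drop NODATA/SKIPDATA rows that carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records

def detect_port_scans(records, app_ports, threshold=3):
    """Flag sources that touch >= threshold distinct ports the application does not serve.
    Both ACCEPT and REJECT rows count: a probe of a closed port is still a probe.
    Returns {srcaddr: sorted list of unexpected destination ports}."""
    ports_by_src = defaultdict(set)
    for r in records:
        port = int(r["dstport"])
        if port not in app_ports:
            ports_by_src[r["srcaddr"]].add(port)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}

def build_alert(findings):
    """Plain-text message for the security team; in Lambda this would be the SNS body."""
    return "\n".join(f"{src} probed {len(ports)} unexpected ports: {ports}"
                     for src, ports in sorted(findings.items()))

if __name__ == "__main__":
    found = detect_port_scans(parse_records(SAMPLE_LOG), app_ports={80, 443})
    print(build_alert(found))
```

Tune `threshold` and `app_ports` per tier: the database subnet should see exactly one expected port, so even a very low threshold is meaningful there.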
Community vote distribution
A (35%)
C (25%)
B (20%)
Other