Exam AWS Certified Security - Specialty topic 1 question 132 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 132
Topic #: 1

A Security Engineer discovered a vulnerability in an application running on Amazon ECS. The vulnerability allowed attackers to install malicious code. Analysis of the code shows it exfiltrates data on port 5353 in batches at random time intervals.
While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?

  • A. Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353
  • B. Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
  • C. Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
  • D. Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
Suggested Answer: C
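As an added illustration of the suggested answer (not part of the exam item or any commenter's post), the detection half of option C in working form: the CloudWatch Logs metric filter pattern that counts flow log records with destination port 5353, and the same test applied offline to a few constructed VPC Flow Log records (default v2 layout, a constructed VPC CIDR of 10.0.0.0/16) to list the ENIs that sent data out on that port. Field names, sample addresses and ENI ids are all constructed.

```python
import ipaddress
from collections import defaultdict

# CloudWatch Logs metric filter pattern for the default (v2) flow log layout. Names are
# positional placeholders; only destport is constrained, so a reply *from* port 5353 is ignored.
METRIC_FILTER_PATTERN = (
    '[version, account, eni, source, destination, srcport, destport="5353", '
    'protocol, packets, bytes, windowstart, windowend, action, flowlogstatus]'
)

# Constructed sample records in the same v2 layout (not real traffic).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 49152 5353 6 12 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.1.2 49153 443 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.40 198.51.100.77 51000 5353 17 30 21000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0c9d8e7f 10.0.3.8 10.0.1.15 5353 40000 6 4 300 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.40 198.51.100.77 51001 5353 17 2 120 1700000200 1700000260 REJECT OK
2 123456789012 eni-0b2c3d4e - - - - - - - 1700000200 1700000260 - NODATA
"""

FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")

def parse_flow_log(line):
    """Parse one v2 record; return None for NODATA/SKIPDATA or malformed rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    return dict(zip(FIELDS, parts))

def find_exfil_hosts(log_text, vpc_cidr, port=5353):
    """Per source ENI: flows that left the VPC toward destination port `port`."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hosts = defaultdict(lambda: {"srcaddr": None, "accepted": 0, "rejected": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_flow_log(line)
        if rec is None or rec["dstport"] != str(port):
            continue
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        if src not in vpc or dst in vpc:
            continue  # egress only: internal source, external destination
        h = hosts[rec["eni"]]
        h["srcaddr"] = rec["srcaddr"]
        if rec["action"] == "ACCEPT":
            h["accepted"] += 1
            h["bytes_out"] += int(rec["bytes"])
        else:
            h["rejected"] += 1  # REJECT rows appear once the NACL deny rule is in place
    return dict(hosts)
```

The containment half is the outbound NACL deny for port 5353 (one entry for TCP and one for UDP, numbered below any allow rule, since NACL rules are evaluated lowest number first); after it is applied the same flow logs show the attempts as REJECT, which is how the `rejected` counter above confirms the block is working.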

Comments

awssecuritynewbie
Highly Voted 3 years, 7 months ago
Correct. VPC Flow Logs will help you to detect the network traffic in the VPC, and NACL outbound to block traffic.
upvoted 18 times
PatrykMilewski
Highly Voted 3 years, 7 months ago
C for me
upvoted 10 times
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: C
C is the right answer.
upvoted 1 times
ITGURU51
2 years, 1 month ago
The VPC flow logs can be used to identify the C2 traffic which is using port 5353.
upvoted 1 times
[Removed]
2 years, 5 months ago
To quickly identify all compromised hosts and stop the egress of data on port 5353, the following steps can be taken: Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. This will allow you to monitor and identify any hosts that are exfiltrating data on port 5353. Update the NACLs to block port 5353 outbound. This will prevent any further exfiltration of data on port 5353. Option C is the best solution because it allows you to quickly identify the compromised hosts and stop the egress of data on port 5353 using VPC Flow Logs and NACLs.
upvoted 1 times
sapien45
2 years, 8 months ago
Selected Answer: C
It is VPC Flow Logs and not CloudTrail that contains port information, and Inspector is not supported on ECS.
upvoted 1 times
Rja148393
2 years, 9 months ago
Selected Answer: C
C and not B, because the network reachability package of Inspector does not support ECR (https://docs.aws.amazon.com/inspector/latest/user/findings-types.html). Thanks Hariru for the nudge in the right direction.
upvoted 4 times
lotfi50
3 years, 2 months ago
Why not B? Inspector is a good service to detect vulnerabilities?
upvoted 4 times
Radhaghosh
3 years, 3 months ago
C is the correct answer
upvoted 1 times
Hariru
3 years, 5 months ago
Selected Answer: C
It's C because: D is saying CloudTrail, which doesn't have any port information. Additionally, SGs can't block. B says Inspector, which is for EC2. A says total nonsense.
upvoted 2 times
kiev
3 years, 6 months ago
C for me as well.
upvoted 2 times
Melymel
3 years, 7 months ago
It's D. The question is talking about ECS, not a VPC.
upvoted 1 times
Ghostbusters
3 years, 6 months ago
The reason why D is incorrect is: CloudTrail will not have any such logs. CloudTrail houses logs on API calls, not traffic to a certain port (when you think of traffic, think access logs or flow logs). The reason why C is correct is: (a) VPC Flow Logs is the right log to use here and (b) VPC Flow Logs can be sent to CloudWatch (it can also be sent to S3, but this question tests the knowledge of its integration with CW)
upvoted 21 times
cross
3 years, 6 months ago
Your replies are very well formed. Thank you.
upvoted 2 times
gfhbox0083
3 years, 7 months ago
C, for sure.
upvoted 1 times
xaccan
3 years, 7 months ago
C is correct.
upvoted 1 times
RaySmith
3 years, 7 months ago
C to me
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other