
Exam ANS-C00 topic 1 question 100 discussion

Exam question from Amazon's ANS-C00
Question #: 100
Topic #: 1

A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?

  • A. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the security team.
  • B. Enable Amazon GuardDuty on the account and the specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the security team.
  • C. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the security team.
  • D. Enable Amazon GuardDuty on the account and specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.
Suggested Answer: A

Comments

exmjame
Highly Voted 3 years, 8 months ago
Both A and C will do the job. C is cost-effective as it is capturing only REJECT VPC flow logs, whereas A is capturing ALL logs.
upvoted 25 times
walkwolf3
Highly Voted 3 years, 7 months ago
C. The answer is between A and C; the outcome of both options is the same, the only difference is cost.
There are 3 costs here. The first cost is happening when flow log collects/filters and delivers to CloudWatch. First 10TB is $0.50 per GB. The second and third costs are happening when CloudWatch ingests and analyzes logs data. Collect (Data Ingestion) $0.50 per GB; Analyze (Logs Insights queries) $0.005 per GB of data scanned.
Let's assume we have 200GB raw flow logs including 100GB for ACCEPT and 100GB for REJECT.
For option A, the price is 200*0.5+200*0.5+100*0.005 = $200.5
For option C, the price is 100*0.5+100*0.5 = $100
The cost for option C is lower than A, so the answer is C. https://aws.amazon.com/cloudwatch/pricing/
upvoted 15 times
sapien45
3 years, 3 months ago
Best response ever. It is C
upvoted 1 times
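What options A and C actually wire together, as an added Python example that is not from the exam or from any commenter: it emulates the CloudWatch Logs metric filter on REJECT over constructed flow-log records, checks the destination against an assumed allow-list of five endpoints, and compares the two options' log volume cost using the per-GB delivery and ingestion figures walkwolf3 quotes. The sample records, account ID, ENI, addresses, VPC CIDR and prices are all assumptions.

```python
import ipaddress

# Constructed sample VPC Flow Log records (default version-2 format; account, ENI and
# addresses are made up). Fields: version account-id interface-id srcaddr dstaddr
# srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49152 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.77 49153 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.6 10.0.1.11 443 49154 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 192.0.2.200 49155 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""
FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")

# Assumed values: the five approved external endpoints and the VPC CIDR.
APPROVED_IPS = {"203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8", "203.0.113.9"}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Space-delimited CloudWatch Logs metric filter pattern equivalent to the REJECT check
# below; an alarm on the resulting metric is what notifies the security team.
METRIC_FILTER_PATTERN = ('[version, account, eni, source, destination, srcport, destport, '
                         'protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]')


def parse_flow_logs(text):
    """Return one dict per record; NODATA/SKIPDATA lines carry no addresses and are dropped."""
    records = [dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip()]
    return [r for r in records if len(r) == len(FIELDS) and r["status"] == "OK"]


def denied_egress(text, approved=APPROVED_IPS, vpc=VPC_CIDR):
    """Emulate the metric filter: (srcaddr, dstaddr) for every connection attempt from a
    VPC server to a non-approved address that the NACL (or security group) rejected."""
    return [(r["srcaddr"], r["dstaddr"]) for r in parse_flow_logs(text)
            if r["action"] == "REJECT"
            and ipaddress.ip_address(r["srcaddr"]) in vpc
            and r["dstaddr"] not in approved]


def monthly_cost(accept_gb, reject_gb, filter_all, delivery_per_gb=0.50, ingest_per_gb=0.50):
    """Option A (filter ALL) pays flow-log delivery plus CloudWatch ingestion on every GB;
    option C (filter REJECT) pays only on the rejected share. The per-GB prices are assumptions."""
    gb = accept_gb + reject_gb if filter_all else reject_gb
    return gb * (delivery_per_gb + ingest_per_gb)
```

With the 100GB ACCEPT / 100GB REJECT split from the comment, `monthly_cost(100, 100, True)` gives 200.0 for option A and `monthly_cost(100, 100, False)` gives 100.0 for option C; the two REJECT records are the only ones the filter would count.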
krzyhoo
Most Recent 2 years, 5 months ago
Selected Answer: C
A & C are proper solutions, but filtering for REJECT will reduce costs. So C is the proper answer.
upvoted 1 times
Marty2021
2 years, 11 months ago
Selected Answer: C
As walkwolf3 mentioned, A and C are possible but C is more cost efficient.
upvoted 1 times
Jazz888
3 years, 3 months ago
I will go for A. Reason: is it possible to "Set an Amazon CloudWatch Logs filter for the log group on every event"? A log filter has to match something, I think...
upvoted 1 times
Karthic
3 years, 6 months ago
B should be a possible solution for me...
upvoted 1 times
Justu
3 years, 7 months ago
C is the best and most cost-efficient option. Option B is not good as GuardDuty reports all findings, not only network connection openings for non-trusted hosts.
upvoted 3 times
Kafin
3 years, 8 months ago
B for me. C will not be adequate since the question asks for "servers within an Amazon VPC".
upvoted 1 times
Kentik
3 years, 7 months ago
You can do VPC Flow Logs at the VPC level, and also GuardDuty, I believe, is more expensive than VPC Flow Logs.
upvoted 1 times
inf
3 years, 8 months ago
Answer: C
A and C amount to the same result. However, CloudWatch vended ingestion has a price. Therefore, send only necessary data to CloudWatch, i.e. filter at the source to reduce volume and deliver the filtered results to CloudWatch.
upvoted 4 times
SilverT
3 years, 8 months ago
Ans: C
The security team only wants to be notified if a server tries to open a connection to a non-approved IP.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)