Exam AWS Certified Solutions Architect - Professional topic 1 question 942 discussion

A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP address 198.51.100.2 destined for a private Amazon EC2 instance.
A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 203.0.
Which set of steps should the solutions architect take to meet these requirements?

  • A. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
  • B. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
  • C. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
  • D. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
Suggested Answer: B
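Both queries the thread argues about (inbound: dstAddr like '203.0' and srcAddr like the public IP; outbound: the reverse) are one-line stats over the same flow log records, and the real question is whether a matching outbound flow existed before the inbound ACCEPT. The script below is an added example, not code from the exam, ExamTopics, or the AWS knowledge-center article: it parses constructed default-format VPC flow log records, reproduces the two Logs Insights aggregations locally, and then pairs each inbound ACCEPT from the public IP with an earlier reverse-direction flow from a private address to decide solicited versus unsolicited. The ENI IDs, account ID, ports, byte counts, the NAT gateway private IP 203.0.113.5, the instance IP 203.0.113.20 and the /16 assumed for the VPC CIDR are all assumptions made up for the example.

```python
"""Added example: classify ACCEPTed inbound flow-log records from a public IP as
solicited (return traffic for a connection a private instance opened) or
unsolicited. All sample data below is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The two Logs Insights queries quoted on this page, kept here for reference.
INBOUND_QUERY = ("filter (dstAddr like '203.0' and srcAddr like '198.51.100.2') "
                 "| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | limit 10")
OUTBOUND_QUERY = ("filter (dstAddr like '198.51.100.2' and srcAddr like '203.0') "
                  "| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | limit 10")

# Constructed records in the default flow log format (version 2, space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# eni-0natgw0000000001 stands in for the NAT gateway ENI (private IP 203.0.113.5),
# eni-0inst00000000001 for the private instance ENI (private IP 203.0.113.20).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0inst00000000001 203.0.113.20 198.51.100.2 51234 443 6 5 420 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0inst00000000001 198.51.100.2 203.0.113.20 443 51234 6 7 9000 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0natgw0000000001 198.51.100.2 203.0.113.5 40000 22 6 3 180 1700000100 1700000130 ACCEPT OK
2 123456789012 eni-0inst00000000001 198.51.100.2 203.0.113.20 40002 22 6 1 60 1700000200 1700000230 REJECT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    bytes: int
    start: int
    action: str


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format flow log lines; blank lines and a header row are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "version":
            continue
        if len(fields) != 14:
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
        records.append(FlowRecord(
            interface_id=fields[2], srcaddr=fields[3], dstaddr=fields[4],
            srcport=int(fields[5]), dstport=int(fields[6]), protocol=int(fields[7]),
            bytes=int(fields[9]), start=int(fields[10]), action=fields[12]))
    return records


def bytes_by_pair(records, src_like: str, dst_like: str) -> dict[tuple[str, str], int]:
    """Local equivalent of: filter (srcAddr like src_like and dstAddr like dst_like)
    | stats sum(bytes) by srcAddr, dstAddr.
    Logs Insights `like` is a substring match, not a CIDR match, and the query
    sums REJECT records as well; classify_inbound() below is stricter on both."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for r in records:
        if src_like in r.srcaddr and dst_like in r.dstaddr:
            totals[(r.srcaddr, r.dstaddr)] += r.bytes
    return dict(totals)


def classify_inbound(records, public_ip: str, vpc_cidr: str) -> dict[tuple, str]:
    """For every ACCEPTed record from public_ip into vpc_cidr, return 'solicited'
    if the mirrored 5-tuple (private address -> public_ip, ports swapped, same
    protocol) was ACCEPTed no later than the inbound record's capture window
    started, otherwise 'unsolicited'."""
    vpc = ip_network(vpc_cidr)
    first_outbound: dict[tuple, int] = {}
    for r in records:
        if r.action == "ACCEPT" and r.dstaddr == public_ip and ip_address(r.srcaddr) in vpc:
            key = (r.srcaddr, r.dstaddr, r.srcport, r.dstport, r.protocol)
            first_outbound[key] = min(r.start, first_outbound.get(key, r.start))
    verdicts = {}
    for r in records:
        if r.action != "ACCEPT" or r.srcaddr != public_ip or ip_address(r.dstaddr) not in vpc:
            continue
        reverse = (r.dstaddr, r.srcaddr, r.dstport, r.srcport, r.protocol)
        seen = first_outbound.get(reverse)
        solicited = seen is not None and seen <= r.start
        verdicts[(r.srcaddr, r.dstaddr, r.srcport, r.dstport)] = (
            "solicited" if solicited else "unsolicited")
    return verdicts


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("inbound bytes :", bytes_by_pair(recs, "198.51.100.2", "203.0"))
    print("outbound bytes:", bytes_by_pair(recs, "203.0", "198.51.100.2"))
    for flow, verdict in classify_inbound(recs, "198.51.100.2", "203.0.0.0/16").items():
        print(flow, "->", verdict)
```

On the sample data the inbound aggregation shows bytes to both the instance and the NAT gateway private IP, so the inbound query alone cannot separate the two cases; the 443/51234 flow to 203.0.113.20 is classified solicited because the instance's own outbound record to 198.51.100.2:443 sits in the same capture window, while the 40000/22 flow to the NAT gateway's private IP has no reverse flow and is unsolicited. Flow logs aggregate over a capture window, so the outbound record's start can equal the inbound one's, which is why the comparison is `<=` rather than `<`.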

Comments

sb333
Highly Voted 2 years, 7 months ago
D The question already states that there was an Action=Accept from Internet inbound to Private IP. The goal is to determine if this was solicited or unsolicited traffic. If solicited, traffic would have been initiated from the Private IP address initially and then received the return traffic. If unsolicited, there would be no initial traffic outbound from Private IP address. So Answer D is what is needed to determine this.
upvoted 21 times
Jesuisleon
1 year, 11 months ago
Good explication
upvoted 1 times
Cloudxie
Highly Voted 2 years, 7 months ago
Selected Answer: B
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/
upvoted 17 times
3a632a3
1 year, 3 months ago
Thank you for the link. This explains it perfectly. The answer is actually D because it is assumed that reason #1 is already complete, as the question states that incoming traffic has been confirmed. Now the question is focusing on reason #2 to see if it was solicited, meaning that the private EC2 instance initiated the traffic.
upvoted 2 times
3a632a3
1 year, 3 months ago
Apologies you were correct I mixed up the letters. I down vote my mistake.
upvoted 1 times
WhyIronMan
Most Recent 9 months, 3 weeks ago
Selected Answer: B
B. https://repost.aws/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway From the AWS documentation: `filter (dstAddr like 'xxx.xxx' and srcAddr like 'public IP') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | limit 10`. If the query results show traffic ONLY ON the NAT gateway private IP from the public IP, BUT NOT traffic on other private IPs in the VPC, these results confirm that the incoming traffic was unsolicited.
upvoted 1 times
SkyZeroZx
1 year, 10 months ago
Selected Answer: B
same question in version 2 https://www.examtopics.com/discussions/amazon/view/95384-exam-aws-certified-solutions-architect-professional-sap-c02/ B is correct
upvoted 1 times
Markzz
2 years ago
Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. - A is out.
upvoted 1 times
Vash2303
2 years, 3 months ago
Selected Answer: B
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/
upvoted 1 times
ggrodskiy
2 years, 3 months ago
Correct B.
upvoted 1 times
ggrodskiy
1 year, 9 months ago
Changed D. You need to open the Amazon CloudWatch console, select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface, run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0", and run the stats command to filter the sum of bytes transferred by the source address and the destination address.
upvoted 1 times
moonj
2 years, 4 months ago
Selected Answer: B
Should be B. Cloudxie posted this link; here you can see https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ `filter (dstAddr like 'xxx.xxx' and srcAddr like 'public IP') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | limit 10`. Query results show traffic on the NAT gateway private IP from the public IP, but not traffic on other private IPs in the VPC. These results confirm that the incoming traffic was unsolicited. However, if you do see traffic on the private instance's IP, then follow the steps under Reason
upvoted 2 times
janvandermerwer
2 years, 5 months ago
Selected Answer: D
CloudTrail isn't used to view VPC flow logs, so that rules out A and C. Traffic is already allowed inbound, so we need to see if there is suspicious traffic from the source/internal/private range = 203.0. Source = 203.x, Dest = 198.51.
upvoted 3 times
Jonfernz
2 years, 6 months ago
Selected Answer: D
As a networking guy, D is the obvious answer. You are inspecting the CW log group for the outbound traffic.
upvoted 6 times
superuser784
2 years, 6 months ago
Selected Answer: B
B: Cloudxie added the link https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ D is the case when we want to know if traffic to the public IP was initiated from a private instance: `filter (dstAddr like 'public IP' and srcAddr like 'xxx.xxx')`
upvoted 4 times
tjzsm1
2 years, 6 months ago
Selected Answer: D
D is correct. sb333 explained it very well.
upvoted 3 times
sjpd10
2 years, 6 months ago
The question already states "Action=Accept from Internet inbound to Private IP". Option 'D' fulfils that condition.
upvoted 1 times
tjzsm1
2 years, 6 months ago
Selected Answer: D
Answer is D
upvoted 2 times
AnnT
2 years, 6 months ago
Selected Answer: D
D. To determine whether it's unsolicited or not.
upvoted 2 times
JohnPi
2 years, 6 months ago
Selected Answer: D
Traffic to the public IP was initiated from a private instance: `filter (dstAddr like 'public IP' and srcAddr like 'xxx.xxx') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | limit 10`
upvoted 3 times
dcdcdc3
2 years, 6 months ago
Selected Answer: D
Agree with sb333, we need to observe egress to determine if it was solicited. https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ posted by Cloudxie says "select appropriate log".
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other