
Exam AWS Certified Security - Specialty topic 1 question 335 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 335
Topic #: 1

A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers.

A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver.

Which solution will meet these requirements?

  • A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
  • B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
  • C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
  • D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
Suggested Answer: C
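Answer C rests on Route 53 Resolver query logging, which records, for every query the Resolver handles in a VPC (including queries matched by outbound forwarding rules), the source IP address, the EC2 instance ID when it is known, and the name that was queried. The Python below is an added example, not part of the exam page or of any commenter's post: it parses constructed records written in the documented Resolver query log JSON format (fields such as `query_name`, `srcaddr`, `srcids`, `rcode`) and reports, per source IP and instance, which queried names fall inside the zones that are forwarded to on-premises servers. The zone `corp.example`, the account, VPC and instance IDs, and all addresses are placeholders; this is the same kind of filtering a CloudWatch Logs Insights query would do once the log group is in place.

```python
"""Summarise Route 53 Resolver query-log records (JSON lines) by source.

Added example for the exam discussion above; not AWS code. Field names follow
the documented Resolver query log format, but every record below is
constructed and every identifier is a placeholder.
"""
import json
from collections import defaultdict

# Zones covered by the outbound forwarding rules (assumption for the example).
FORWARDED_ZONES = ("corp.example",)

# Constructed sample log: one public-name query that must be ignored, one
# SERVFAIL from the on-prem zone, one query with no instance id (srcids empty,
# e.g. a non-EC2 source), one name with upper case and no trailing dot, and a
# truncated line to show malformed input is skipped rather than fatal.
SAMPLE_LOG = """\
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-01-05T10:00:00Z","query_name":"db01.corp.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.10.1.5","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.20","srcport":"40001","transport":"UDP","srcids":{"instance":"i-0aaa0example"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-01-05T10:00:01Z","query_name":"www.amazon.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.20","srcport":"40002","transport":"UDP","srcids":{"instance":"i-0aaa0example"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-01-05T10:00:02Z","query_name":"ldap.corp.example.","query_type":"SRV","query_class":"IN","rcode":"SERVFAIL","answers":[],"srcaddr":"10.0.2.7","srcport":"40003","transport":"TCP","srcids":{"instance":"i-0bbb0example"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-01-05T10:00:03Z","query_name":"files.CORP.example","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.10.1.8","Type":"A","Class":"IN"}],"srcaddr":"10.0.3.9","srcport":"40004","transport":"UDP","srcids":{}}
{"version":"1.100000","query_name":"broken
"""


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot the logs carry."""
    return name.rstrip(".").lower()


def in_forwarded_zone(name: str, zones=FORWARDED_ZONES) -> bool:
    """True if the name is the zone apex or a label below one of the zones."""
    n = normalise(name)
    return any(n == z or n.endswith("." + z) for z in zones)


def parse_records(text: str):
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole batch


def summarise_forwarded_queries(text: str, zones=FORWARDED_ZONES):
    """Map (srcaddr, instance_id) -> sorted [(query_name, rcode), ...].

    Only queries whose name lies inside a forwarded zone are kept; the
    instance id is "-" when the record carries no srcids.instance.
    """
    seen = defaultdict(set)
    for rec in parse_records(text):
        name = rec.get("query_name", "")
        if not in_forwarded_zone(name, zones):
            continue
        instance = (rec.get("srcids") or {}).get("instance", "-")
        key = (rec.get("srcaddr", "-"), instance)
        seen[key].add((normalise(name), rec.get("rcode", "")))
    return {key: sorted(names) for key, names in seen.items()}


if __name__ == "__main__":
    for (src, inst), names in sorted(summarise_forwarded_queries(SAMPLE_LOG).items()):
        print(f"{src:<12} {inst:<16} {names}")
```

The `rcode` is kept alongside the name because a burst of SERVFAIL responses for a forwarded zone is the usual first sign that the outbound endpoint cannot reach the on-premises servers, which is worth surfacing in the same report that satisfies the logging mandate.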

Comments

amcloud
Highly Voted 2 years, 5 months ago
Selected Answer: C
It's C - https://aws.amazon.com/es/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/
upvoted 6 times
Toptip
Most Recent 1 year, 11 months ago
Selected Answer: C
C - Route 53 Resolver query logging can log Outbound R53 Resolver
upvoted 1 times
ITGURU51
2 years ago
The solution that will meet these requirements is to configure Route 53 Resolver query logging on all relevant VPCs. C
upvoted 1 times
[Removed]
2 years, 1 month ago
Selected Answer: C
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html
upvoted 3 times
yew2
2 years, 4 months ago
Why isn't it D?
upvoted 1 times
Smartphone
2 years, 3 months ago
When you create or edit an outbound endpoint, you specify the following values: endpoint name, VPC in the region-name Region, security group, IP addresses, tags. Just by modifying the forwarding rule we cannot forward the log to S3. Further, option D does not talk about logging the DNS query. So, A is the reasonable answer.
upvoted 1 times
Smartphone
2 years, 3 months ago
Please see question no. 10 and its explanation in the official AWS document https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS-Certified-Advanced-Networking-Specialty_Sample-Questions.pdf
upvoted 1 times
Subs2021
2 years, 4 months ago
Selected Answer: C
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html
upvoted 1 times
Kevin24
2 years, 4 months ago
Selected Answer: C
The correct answer is to configure Amazon Route 53 Resolver query logging for all the VPCs. The query logs can be stored in Amazon CloudWatch Logs and can be analyzed with CloudWatch Logs Insights. The other answer options will fail to capture the needed DNS queries.
upvoted 3 times
AdamWest
2 years, 5 months ago
Selected Answer: D
D - Is the Answer.
upvoted 1 times
D2
2 years, 5 months ago
Selected Answer: D
Answer D
upvoted 1 times
Shriraj32
2 years, 5 months ago
Selected Answer: D
I agree with D.
upvoted 1 times
AdamWest
2 years, 5 months ago
Selected Answer: C
C -- https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html
upvoted 1 times
D2
2 years, 5 months ago
This seems to be a typo
upvoted 1 times
AdamWest
2 years, 5 months ago
Wrong question answer - this question's answer: D
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other