
Exam AWS DevOps Engineer Professional topic 1 question 162 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 162
Topic #: 1

A company has deployed an application in a production VPC in a single AWS account. The application is popular and is experiencing heavy usage. The company's security team wants to add additional security, such as AWS WAF, to the application deployment. However, the application's product manager is concerned about cost and does not want to approve the change unless the security team can prove that additional security is necessary.

The security team believes that some of the application's demand might come from users that have IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If any of the IP addresses on the deny list access the application, the security team wants to receive automated notification in near real time so that the security team can document that the application needs additional security. The DevOps engineer creates a VPC flow log for the production VPC.

Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?

  • A. Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
  • B. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucket. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny list. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can access. Create a threshold alert of 1 for successful access. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
  • C. Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an AWS Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluster. Schedule the Lambda function to run every 5 minutes. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
  • D. Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to hold query results. Configure the VPC flow log to capture all traffic and to send the data to the log group. Deploy an Amazon Athena CloudWatch connector in AWS Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucket. Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
Suggested Answer: A
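The pipeline in answer A (flow log to a CloudWatch Logs group, a metric filter that matches deny-listed source addresses, an alarm with a 5-minute period and 1 datapoint to alarm, SNS notification) is easy to get subtly wrong, in particular the metric filter pattern. The script below is an added example, not part of the exam question or the discussion: it builds the space-delimited filter pattern for the default flow log record format and then evaluates the same condition locally over a few constructed flow log records, so you can see what the metric filter would count per 5-minute period and when the alarm would fire. The deny list, the flow log records, the threshold of 1 and the alarm evaluation are all constructed assumptions; the field order is the default VPC flow log format.

```python
"""Deny-list detection over VPC flow logs, modelled on answer A.

Added example (not from the exam page). It builds the CloudWatch Logs
metric-filter pattern a DevOps engineer would attach to the flow-log
group, then evaluates the same condition offline over constructed
flow-log records to show how the metric datapoints and alarm behave.
"""
from collections import Counter

# Default VPC flow log record format: 14 space-separated fields.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed deny list (RFC 5737 documentation ranges, not real addresses).
DENY_LIST = ["198.51.100.23", "203.0.113.77"]

PERIOD_SECONDS = 300        # alarm period from answer A: 5 minutes
THRESHOLD = 1               # assumption: alarm when >= 1 match in a period
DATAPOINTS_TO_ALARM = 1     # from answer A


def build_metric_filter_pattern(deny_list):
    """Return a CloudWatch Logs space-delimited filter pattern.

    One term per flow-log field, in record order. Conditions are attached
    to srcaddr (OR over the deny list) and to action (ACCEPT only), so the
    metric counts only accepted connections from deny-listed sources.
    CloudWatch Logs caps the pattern length (see the service quotas); a
    long deny list has to be split across several metric filters.
    """
    src_cond = " || ".join(f'srcaddr="{ip}"' for ip in deny_list)
    terms = []
    for field in FLOW_LOG_FIELDS:
        if field == "srcaddr":
            terms.append(src_cond)
        elif field == "action":
            terms.append('action="ACCEPT"')
        else:
            terms.append(field)
    return "[" + ", ".join(terms) + "]"


def parse_flow_log_line(line):
    """Split one default-format flow log record into a field dict."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None                      # malformed record: skip it
    return dict(zip(FLOW_LOG_FIELDS, parts))


def matches_filter(record, deny_set):
    """Local equivalent of the metric filter condition."""
    return record["srcaddr"] in deny_set and record["action"] == "ACCEPT"


def metric_datapoints(lines, deny_list, period=PERIOD_SECONDS):
    """Count matches per period, keyed by period start (epoch seconds).

    Mirrors a metric filter with metric value 1 and a Sum statistic
    evaluated over 5-minute periods.
    """
    deny_set = set(deny_list)
    counts = Counter()
    for line in lines:
        rec = parse_flow_log_line(line)
        if rec and matches_filter(rec, deny_set):
            bucket = int(rec["start"]) // period * period
            counts[bucket] += 1
    return dict(counts)


def alarm_state(datapoints, threshold=THRESHOLD,
                datapoints_to_alarm=DATAPOINTS_TO_ALARM):
    """'ALARM' once at least `datapoints_to_alarm` periods reach the threshold."""
    breaching = sum(1 for v in datapoints.values() if v >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


# Constructed sample records (one per line, default flow log format). The
# REJECT line shows why the action condition matters if the flow log were
# configured to capture all traffic instead of accepted traffic only.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 43210 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.2.40 51515 443 6 8 1200 1700000010 1700000069 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.2.40 51516 443 6 1 60 1700000020 1700000020 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.2.40 51517 443 6 5 900 1700000400 1700000459 ACCEPT OK
""".splitlines()


if __name__ == "__main__":
    print("metric filter pattern:")
    print(build_metric_filter_pattern(DENY_LIST))
    points = metric_datapoints(SAMPLE_FLOW_LOG, DENY_LIST)
    print("datapoints per 5-minute period:", points)
    print("alarm state:", alarm_state(points))
```

The printed pattern is what you would pass as the filter pattern when creating the metric filter on the flow log group; the alarm then uses the resulting metric with a period of 300 seconds, Sum statistic, threshold 1 and 1 datapoint to alarm, with the SNS topic as the alarm action. With only accepted traffic captured, as answer A specifies, the `action="ACCEPT"` term is redundant but harmless, and it keeps the filter correct if someone later switches the flow log to capture all traffic.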

Comments

Dgix
1 year, 6 months ago
A. All other alternatives are not cost-efficient, which is the most important factor here.
upvoted 1 times
...
BlissfulCheetah
1 year, 8 months ago
Selected Answer: B
As much as keeping costs low is a priority, near real time notifications are also important. B seems to get the balance. A, C and D talk about "5 minutes" or periodic checks (far from real time).
upvoted 1 times
...
asfsdfsdf
2 years, 1 month ago
Selected Answer: A
B - wrong - no need to capture all logs, only incoming; also no need to use QuickSight.
C - wrong - no need to use an OpenSearch cluster - very expensive.
D - no need to capture all traffic + expensive; why use Lambda to scan log groups if we can use it on a bucket?
A - the only correct answer: incoming traffic will be captured to a log group, a metric filter will be set, and an alarm will be triggered based on it + SNS.
upvoted 2 times
...
bgc1
2 years, 2 months ago
Selected Answer: A
A - Simple, near real time (5 mins) and cheapest of all 4 options
upvoted 1 times
...
Piccaso
2 years, 2 months ago
Selected Answer: B
A and C are eliminated, because "5 minutes" is not near real time. Between B and D, B is cheaper, because D configures Athena to periodically query.
upvoted 1 times
...
Bulti
2 years, 3 months ago
A is the right answer.
upvoted 3 times
...
Christina666
2 years, 3 months ago
Selected Answer: A
most cost-effectively, so I choose A
upvoted 3 times
...
saeidp
2 years, 3 months ago
Selected Answer: A
A for me
upvoted 2 times
...
Dimidrol
2 years, 3 months ago
Selected Answer: A
A sure
upvoted 2 times
...
Oleg_gol
2 years, 3 months ago
Selected Answer: A
I think A
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other