Amazon Exam ANS-C00 Topic 19 Question 19 Discussion

Actual exam question for Amazon's ANS-C00 exam

Question #: 19
Topic #: 19

A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.

What is the MOST cost-effective solution that meets these requirements?

AAdd allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the Security team.

BEnable Amazon GuardDuty on the account and the specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the Security team.

CAdd allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the Security team.

DEnable Amazon GuardDuty on the account and specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.

Show Suggested Answer

Suggested Answer: C

by Youlanda at May 08, 2022, 03:04 AM

Limited Time Offer

25%

Off

Get Premium ANS-C00 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!