Question 16
Domain 3: Infrastructure Security
An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected. How can the Application team's requirements be met?
Correct answer: A
Explanation
VPC Flow Logs provide the required network telemetry: the exam domain lists them as a security telemetry source and expects candidates to read relevant log sources. Each record states whether a flow was accepted or rejected at an elastic network interface, which is exactly the evidence needed here. Sending the logs to Amazon S3 gives durable storage, and Amazon Athena is a listed log analysis tool for analyzing captured logs in place. Together these let the team verify whether security groups and network ACLs are allowing or denying traffic as expected.
Why each option is right or wrong
A. Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
VPC Flow Logs are the AWS-native telemetry for VPC traffic and are explicitly used to observe accepted and rejected network flows, which is what you need to validate security group and network ACL behavior. Flow logs can be delivered to Amazon S3, and Amazon Athena can query those S3 objects directly; Athena is billed at $5 per TB of data scanned, so it is a practical way to inspect thousands of instances’ traffic without deploying agents or packet capture on each host.
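The validation step this option describes, as an added example that is not part of the original question set: it parses default-format flow log records, aggregates ACCEPT/REJECT counts per destination port (the same grouping an Athena query would return), and flags records whose action contradicts an assumed expected policy (SSH only from 10.0.0.0/8, HTTPS from anywhere). The account ID, ENI ID, addresses and policy are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC Flow Logs format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51324 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.14 10.0.1.25 40112 22 6 12 1860 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 44321 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 44322 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.99 10.0.1.25 51000 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Parse default-format lines into dicts; skip NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic captured in this window, nothing to validate
        rec["dstport"] = int(rec["dstport"])
        rec["protocol"] = int(rec["protocol"])
        records.append(rec)
    return records


def summarize(records):
    """Count ACCEPT/REJECT per (protocol, dstport), like an Athena GROUP BY."""
    return Counter((r["protocol"], r["dstport"], r["action"]) for r in records)


# Assumed expected policy: tcp/22 only from 10.0.0.0/8, tcp/443 from anywhere,
# everything else should be rejected.
EXPECTED = [
    (6, 22, ipaddress.ip_network("10.0.0.0/8")),
    (6, 443, ipaddress.ip_network("0.0.0.0/0")),
]


def find_unexpected(records, expected=EXPECTED):
    """Return records whose observed action contradicts the expected policy."""
    unexpected = []
    for r in records:
        src = ipaddress.ip_address(r["srcaddr"])
        allowed = any(r["protocol"] == p and r["dstport"] == port and src in net
                      for p, port, net in expected)
        if (r["action"] == "ACCEPT") != allowed:
            unexpected.append(r)
    return unexpected
```

A flow log record does not say whether a security group or a network ACL produced a REJECT, so a flagged record still has to be correlated with both rule sets, and because network ACLs are stateless the return half of a flow can appear as its own record.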
B. Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
Amazon Inspector scans EC2 vulnerabilities; it does not provide network traffic logs for ACL or security group validation.
C. Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
AWS Config tracks configuration state and compliance, not packet-level traffic decisions through security groups or network ACLs.
D. Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
AWS CloudTrail records AWS API activity, not VPC network traffic flowing through security groups and network ACLs.