Amazon AWS Certified Advanced Networking - Specialty Exam: Answer

Security and Compliance for EC2 Instances in VPC


Question

You have a set of EC2 Instances that are deployed in a VPC.

An important application is hosted on these instances and it is essential to keep the application secure.

There are some security issues that keep recurring in the application, and you need to build a system that can inspect network packets, detect malicious activity, and discover policy violations in the application.

Which of the following can help you to achieve this?

Answers

A. Use VPC Flow Logs
B. Use a custom Intrusion Detection System (IDS)
C. Use CloudTrail
D. Use CloudWatch Logs

Answer - B.

Explanations

Here you will need a custom Intrusion Detection System (IDS) to detect malicious activity and policy violations.

Options A, C and D are incorrect since these solutions cannot provide the required monitoring or detection.

For more information on IDS, please refer to the below URL.

https://aws.amazon.com/mp/scenarios/security/ids/

To detect malicious activity and policy violations in the network traffic of EC2 instances running an important application in a VPC, an Intrusion Detection System (IDS) can be used. Therefore, option B is the correct answer to this question.

An IDS is a security tool that inspects network traffic in real time, detects malicious activity, and alerts the security team. It matches traffic against signatures of known attacks and can also flag previously unseen attacks by comparing observed network behavior against predefined rules.

Option A, VPC Flow Logs, is a feature of Amazon VPC that captures metadata about the IP traffic going to and from network interfaces in the VPC (addresses, ports, protocol, packet and byte counts, and the accept/reject decision). Flow Logs give visibility into which hosts talked to which, but they do not analyze the traffic in real time, and because they record no packet payloads they cannot detect malicious activity inside the traffic they summarize.

Option C, CloudTrail, is a service that provides governance, compliance, operational auditing, and risk auditing of AWS account activity. CloudTrail records API calls made against AWS resources, including EC2 instances, but it does not inspect network traffic and so cannot detect malicious activity within it.

Option D, CloudWatch Logs, is a service that provides centralized log management and monitoring for applications and infrastructure. CloudWatch Logs can collect log data from EC2 instances, but it does not inspect network traffic and so cannot detect malicious activity within it.
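The difference between options A and B is easiest to see on data. The script below is an added example and is not part of the exam page or of any AWS tooling. It parses constructed VPC Flow Log records in the default version 2 field order (account and ENI ids are placeholders), applies a hypothetical network policy to them, and then runs a tiny illustrative signature set over constructed plaintext HTTP requests whose flow records look exactly like benign traffic. The policy, the signatures, and the sample data are all assumptions made for the demonstration; the requests use port 80 because an IDS can only match payloads it can read, so HTTPS traffic would need TLS termination in front of the sensor.

```python
"""Added example: what VPC Flow Logs can and cannot detect versus packet inspection.

Flow log records carry connection metadata only (addresses, ports, protocol,
counts, action), so a policy checker over them catches violations visible in
the 5-tuple. An IDS matches signatures against packet payloads and catches
attacks whose flow records are identical to legitimate traffic.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed VPC Flow Log records in the default version 2 field order.
# Account id and ENI id are placeholders, not real identifiers.
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0123456789abcdef0 10.0.1.25 10.0.2.40 51422 443 6 12 3844 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 10.0.1.25 10.0.2.40 51430 80 6 9 2210 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.9 10.0.2.40 40512 23 6 3 180 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.2.40 33001 80 6 8 1520 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 10.0.1.25 10.0.2.40 51423 22 6 2 120 1700000000 1700000060 REJECT OK
"""

FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes")


def parse_flow_logs(text):
    """Parse default-format flow log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


# Hypothetical network policy for the application subnet (an assumption).
TRUSTED_SOURCES = ipaddress.ip_network("10.0.0.0/16")
ALLOWED_DST_PORTS = {80, 443}


def flow_policy_violations(records):
    """Flag accepted flows that break the policy; only metadata is needed."""
    findings = []
    for rec in records:
        if rec["action"] != "ACCEPT":
            continue  # rejected traffic was already blocked by a security group or NACL
        trusted = ipaddress.ip_address(rec["srcaddr"]) in TRUSTED_SOURCES
        if rec["dstport"] == 23:
            reason = "telnet accepted"
        elif not trusted:
            reason = "untrusted source accepted"
        elif rec["dstport"] not in ALLOWED_DST_PORTS:
            reason = "unexpected destination port"
        else:
            continue
        findings.append({"srcaddr": rec["srcaddr"], "dstport": rec["dstport"], "reason": reason})
    return findings


@dataclass
class Packet:
    srcaddr: str
    dstaddr: str
    dstport: int
    payload: bytes


# Constructed plaintext HTTP requests from a trusted host to an allowed port.
# Their flow log records are indistinguishable from the benign first request.
SAMPLE_PACKETS = [
    Packet("10.0.1.25", "10.0.2.40", 80, b"GET /index.html HTTP/1.1\r\nHost: app.internal\r\n\r\n"),
    Packet("10.0.1.25", "10.0.2.40", 80, b"GET /static/../../../../etc/passwd HTTP/1.1\r\nHost: app.internal\r\n\r\n"),
    Packet("10.0.1.25", "10.0.2.40", 80, b"GET /search?q=' OR '1'='1 HTTP/1.1\r\nHost: app.internal\r\n\r\n"),
]

# Minimal signature set in the style of an IDS ruleset (illustrative, not a real ruleset).
SIGNATURES = (
    ("path-traversal", re.compile(rb"(?:\.\./){2,}")),
    ("sqli-tautology", re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
)


def inspect_packets(packets):
    """Match each payload against the signatures and return IDS-style alerts."""
    alerts = []
    for pkt in packets:
        for rule, pattern in SIGNATURES:
            if pattern.search(pkt.payload):
                alerts.append({"rule": rule, "srcaddr": pkt.srcaddr, "dstport": pkt.dstport})
    return alerts


def flow_view(pkt):
    """The record a flow log would hold for this packet: the payload is gone."""
    return {"srcaddr": pkt.srcaddr, "dstaddr": pkt.dstaddr,
            "dstport": pkt.dstport, "action": "ACCEPT"}


if __name__ == "__main__":
    for finding in flow_policy_violations(parse_flow_logs(SAMPLE_FLOW_LOGS)):
        print("flow-log finding:", finding)
    for alert in inspect_packets(SAMPLE_PACKETS):
        print("ids alert:", alert)
    print("flow-log view of the attack packets:",
          flow_policy_violations([flow_view(p) for p in SAMPLE_PACKETS]))
```

Run stand-alone, the flow-log checker reports the accepted telnet connection and the accepted connection from outside the trusted range, which is the kind of policy violation metadata can reveal. The two malicious requests produce no flow-log finding at all, because their 5-tuple is the same as the benign request; only the payload matcher raises alerts on them, which is the capability the question asks for and why option B is the answer.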

In summary, an IDS is the best tool to use in this scenario for detecting malicious activity and policy violations in the network traffic of EC2 instances running an important application in a VPC.