AWS Certified Advanced Networking - Specialty Exam: Solution for Secure Payment Application SSH Monitoring | Provider: Amazon

Secure Payment Application SSH Monitoring


Question

A secure payment application is deployed on an EC2 instance in a VPC.

This application server is accessed by the internal team and vendors for uploading security patches.

You have a security group policy that allows only SSH to this application from all IP subnets.

The Security Team needs to be notified when more than fifty SSH login attempts are recorded from unknown IP addresses within an hour.

Which of the following solutions can be deployed at the least cost to meet this requirement?

Answers

Explanations


A. B. C. D.

Correct Answer - D.

Flow logs can be published to CloudWatch Logs, where alarms can be set for specific notifications.

Charges apply when flow log data is either stored in S3 buckets or published to CloudWatch Logs.

So, for a cost-effective solution, enable flow logs only on the specific instance network interface and publish them to CloudWatch Logs.

Options A and B are incorrect, as storing the data in an S3 bucket and then publishing it again to CloudWatch is not an efficient approach.

Instead, flow logs can be published directly to CloudWatch Logs, and an alarm can be set to notify the Security Team.

Option C is incorrect: although it would capture failed SSH login attempts to the server's network interface, flow logs enabled at the VPC level capture traffic for all interfaces and subnets within that VPC.

When a large amount of data is published to CloudWatch Logs, this incurs additional charges.

For more information on using Flow Logs, refer to the following URL.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log

The requirement is to notify the Security Team when more than fifty SSH login attempts from unknown IP addresses are recorded on the EC2 instance running a secure payment application. The solution should be the least expensive.

To meet this requirement, the best solution would be to create VPC flow logs, which are used to capture and log IP traffic to and from the network interfaces of the EC2 instances within the VPC. VPC flow logs capture metadata about IP traffic such as source and destination IP addresses, ports, and protocols.

Next, export these VPC flow logs either to an Amazon S3 bucket or to CloudWatch Logs. Both options provide different benefits; however, since the solution should be the least expensive, we need to consider which option is the most cost-effective.

Option A suggests exporting the VPC flow logs to an Amazon S3 bucket with lifecycle management policies, which can automatically move logs to Amazon Glacier for long-term storage, providing cost savings. Then, create a CloudWatch alarm for this bucket to monitor the number of failed SSH login attempts from unknown IP addresses.

Option B suggests creating VPC flow logs for the VPC in which the server instance is launched, exporting the flow logs to an Amazon S3 bucket with lifecycle management policies, and creating a CloudWatch alarm to monitor the number of failed SSH login attempts from unknown IP addresses.

Option C suggests exporting the VPC flow logs to CloudWatch Logs instead of an Amazon S3 bucket, creating a CloudWatch metric, and triggering an alarm to notify the Security Team.

Option D suggests exporting VPC flow logs to CloudWatch Logs, creating a CloudWatch metric, and triggering an alarm to notify the Security Team.

The solution with the least cost is Option C, which exports the VPC flow logs directly to CloudWatch Logs. Amazon S3 is a durable and highly available object storage service but is more expensive than CloudWatch Logs. By exporting logs to CloudWatch Logs, we can avoid the additional cost of storing logs in an S3 bucket.

Therefore, the best solution is to create VPC flow logs for the VPC in which the server instance is launched, export the flow logs to CloudWatch Logs, create a CloudWatch metric, and trigger an alarm to notify the Security Team when the number of failed SSH login attempts exceeds the threshold.
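The detection logic behind the alarm described in both explanations above, as an added example that is not part of the original page. It parses default-format (version 2) VPC flow log records, keeps only TCP/22 flows whose source is outside a list of known team and vendor ranges, counts them inside a one-hour window, and applies the "more than fifty" threshold. The known subnets, account id, interface id and sample records are constructed placeholders. One caveat a practitioner should keep in mind: flow logs record connection metadata (addresses, ports, protocol, ACCEPT/REJECT), not sshd authentication results, so what the metric filter and alarm actually count is SSH connection attempts from non-allowlisted sources, not failed logins. The `METRIC_FILTER_PATTERN` string shows the equivalent space-delimited CloudWatch Logs filter pattern as it is assumed to be written; verify it against the CloudWatch Logs filter-pattern documentation before using it.

```python
"""Count SSH connection attempts from non-allowlisted sources in VPC flow log
records and decide whether the notification threshold is crossed.

Added example, not code from the original page. The allowlist, account id,
interface id and sample records are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Field order of the default (version 2) VPC flow log record, space-delimited.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Assumed CloudWatch Logs metric filter pattern for the same record layout
# (one positional name per field, equality tests on dstport and protocol).
# The "unknown source" test is applied in code below against an allowlist.
METRIC_FILTER_PATTERN = (
    "[version, account_id, interface_id, srcaddr, dstaddr, srcport, "
    "dstport=22, protocol=6, packets, bytes, start, end, action, log_status]"
)


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstport: int
    protocol: int
    start: int      # epoch seconds of the first packet in the aggregation window
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record. NODATA/SKIPDATA rows carry '-' in the
    address and port fields and describe no traffic, so they yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], int(rec["dstport"]), int(rec["protocol"]),
                      int(rec["start"]), rec["action"])


def is_known_source(addr: str, allowlist: Iterable[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowlist)


def count_unknown_ssh_attempts(lines, allowlist, window_start, window_seconds=3600) -> int:
    """Number of TCP/22 flows from non-allowlisted sources whose start time
    falls inside [window_start, window_start + window_seconds)."""
    count = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.dstport != 22 or rec.protocol != 6:
            continue
        if not window_start <= rec.start < window_start + window_seconds:
            continue
        if not is_known_source(rec.srcaddr, allowlist):
            count += 1
    return count


def should_notify(count: int, threshold: int = 50) -> bool:
    """Mirror of the alarm condition: Sum over the period greater than 50."""
    return count > threshold


# --- Constructed sample data (placeholder account, interface and traffic) ----
KNOWN_SUBNETS = [ipaddress.ip_network("10.0.0.0/16"),      # internal team
                 ipaddress.ip_network("203.0.113.0/24")]   # vendor range
WINDOW_START = 1418530000


def _record(src, dstport, proto, start, action="ACCEPT", status="OK"):
    return (f"2 111122223333 eni-0123456789abcdef0 {src} 10.0.1.10 40000 "
            f"{dstport} {proto} 10 840 {start} {start + 60} {action} {status}")


SAMPLE_LINES = (
    [_record(f"198.51.100.{i}", 22, 6, WINDOW_START + i) for i in range(1, 56)]  # 55 unknown SSH
    + [_record("10.0.2.5", 22, 6, WINDOW_START + 100),          # internal team, ignored
       _record("203.0.113.7", 22, 6, WINDOW_START + 200),       # vendor, ignored
       _record("198.51.100.200", 443, 6, WINDOW_START + 300),   # unknown source, but HTTPS
       _record("198.51.100.201", 22, 6, WINDOW_START + 4000),   # unknown SSH, next hour
       "2 111122223333 eni-0123456789abcdef0 - - - - - - - "
       f"{WINDOW_START} {WINDOW_START + 60} - NODATA"]           # no traffic captured
)


if __name__ == "__main__":
    n = count_unknown_ssh_attempts(SAMPLE_LINES, KNOWN_SUBNETS, WINDOW_START)
    print(f"unknown-source SSH attempts in window: {n}; notify={should_notify(n)}")
```

In production this same threshold would be expressed as a CloudWatch alarm on the metric the filter emits (statistic Sum, period 3600 seconds, comparison greater than 50), with an SNS topic as the alarm action; the code above is the offline equivalent a team can use to validate the filter and threshold against captured records before enabling the alarm.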