Monitoring Traffic on a Bastion Host for SSH Attempts | AWS Security Specialty Exam Answer

Detecting Excessive SSH Connection Attempts on a Bastion Host | AWS Security Specialty Exam Solution

Question

A company wants to monitor all traffic passing through a network interface on its bastion host.

They wish to be alerted if there are more than 10 attempts to connect to the host via SSH within a one-hour time interval.

What solution can the company employ to meet this requirement?

Answers

Explanations


Answer: B.

Option A is incorrect because CloudTrail is not a supported destination for VPC flow logs.

Option B is CORRECT because VPC flow logs can be sent to CloudWatch Logs. A CloudWatch metric filter and alarm can be configured to send notifications when the specified criteria are satisfied.

Option C is incorrect because Amazon Inspector is used to perform vulnerability assessments and cannot be used to inspect network traffic using VPC flow logs.

Option D is incorrect because using a Lambda function to mount EBS volumes is not suitable, and the volume contents do not help with checking the network traffic.

Reference:

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log

The requirement of the company is to monitor all traffic passing through a network interface on its bastion host and be alerted if there are more than 10 attempts to connect to the host via SSH within a one-hour time interval. In order to meet this requirement, there are different solutions available. Let's take a look at each answer choice in detail:

Answer A: This solution suggests creating a VPC flow log for the network interface and then creating a Lambda function that queries the CloudTrail logs for SSH login attempts. The Lambda function is triggered every 5 minutes with a scheduled CloudWatch event.

Explanation: VPC flow logs capture information about the IP traffic going to and from network interfaces in a VPC. This includes SSH login attempts to the bastion host. CloudTrail logs provide a record of actions taken by a user, role, or an AWS service in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. By querying the CloudTrail logs for SSH login attempts, the Lambda function can determine if there have been more than 10 attempts to connect to the host via SSH within a one-hour time interval. A scheduled CloudWatch event is used to trigger the Lambda function every 5 minutes to ensure timely alerts.

Answer B: This solution suggests configuring a VPC flow log with CloudWatch Logs as the destination. Then, creating a CloudWatch metric filter for destination port 22 and creating a CloudWatch Alarm trigger.

Explanation: By configuring a VPC flow log with CloudWatch Logs as the destination, the traffic passing through the network interface on the bastion host is logged to CloudWatch Logs. A metric filter can be created to extract the SSH login attempts from the logs based on destination port 22. A CloudWatch Alarm can be triggered when the number of SSH login attempts exceeds 10 within a one-hour time interval.
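The following is an added example, not code from the original page or from AWS: it models the Option B pipeline locally so the pieces can be checked offline. It parses VPC flow log records in the default (version 2) layout as they would land in CloudWatch Logs, applies the same selection a space-delimited metric filter on destination port 22 (TCP, protocol 6) would make, sums the matches per one-hour period, and compares the sum against the "more than 10" alarm threshold. The sample records, the account id and the ENI id are constructed placeholders. One caveat a practitioner should keep in mind: a flow log record is a TCP flow to port 22 within one aggregation window, not a confirmed SSH login attempt, so the alarm counts connection attempts (accepted or rejected), not authentication failures.

```python
"""Local model of the Option B detection: flow log records -> metric filter on
dstport 22 -> hourly sum -> alarm when the sum exceeds 10.
Added example (not AWS code); sample data below is constructed."""
from collections import Counter

# Default (version 2) VPC flow log record layout, space separated.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Space-delimited CloudWatch Logs metric filter pattern for the same layout.
# It selects TCP flows (protocol 6) to destination port 22; both ACCEPT and
# REJECT records count as connection attempts, so 'action' is left unfiltered.
SSH_METRIC_FILTER_PATTERN = (
    '[version, account, eni, source, destination, srcport, destport="22", '
    'protocol="6", packets, bytes, windowstart, windowend, action, flowlogstatus]'
)

SSH_ATTEMPT_THRESHOLD = 10      # alarm when the hourly sum is > 10
ALARM_PERIOD_SECONDS = 3600     # one-hour evaluation period


def parse_flow_log_record(line):
    """Split one flow log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    return dict(zip(FLOW_LOG_FIELDS, parts))


def matches_ssh_filter(record):
    """Mirror SSH_METRIC_FILTER_PATTERN: TCP to destination port 22.
    NODATA / SKIPDATA records carry '-' in the port fields and never match."""
    return record["dstport"] == "22" and record["protocol"] == "6"


def ssh_attempts_per_hour(lines):
    """Count matching records per one-hour bucket keyed by the flow start time,
    the way a metric filter (metric value 1 per match) summed over a 3600 s
    period behaves."""
    buckets = Counter()
    for line in lines:
        record = parse_flow_log_record(line)
        if record is None or not matches_ssh_filter(record):
            continue
        buckets[int(record["start"]) // ALARM_PERIOD_SECONDS] += 1
    return buckets


def alarm_breached(count, threshold=SSH_ATTEMPT_THRESHOLD):
    """CloudWatch 'GreaterThanThreshold' semantics for 'more than 10'."""
    return count > threshold


def evaluate(lines):
    """Return [(hour_bucket, count, breached)] sorted by hour."""
    return [(hour, n, alarm_breached(n))
            for hour, n in sorted(ssh_attempts_per_hour(lines).items())]


# ---- constructed sample data (placeholder account and ENI ids) ----
ACCOUNT = "123456789012"
ENI = "eni-0123456789abcdef0"
BASE = 1700000000  # epoch seconds; all samples fall in the same hour bucket


def _record(src, srcport, dstport, proto, start, action, status="OK"):
    return (f"2 {ACCOUNT} {ENI} {src} 10.0.1.10 {srcport} {dstport} {proto} "
            f"5 300 {start} {start + 60} {action} {status}")


SAMPLE_LINES = (
    # 11 TCP flows to port 22 from one source, alternating ACCEPT / REJECT
    [_record("198.51.100.7", 40000 + i, 22, 6, BASE + 60 * i,
             "REJECT" if i % 2 else "ACCEPT") for i in range(11)]
    + [
        _record("203.0.113.9", 51000, 443, 6, BASE + 700, "ACCEPT"),   # HTTPS, ignored
        _record("203.0.113.9", 51001, 22, 17, BASE + 720, "REJECT"),   # UDP/22, ignored
        f"2 {ACCOUNT} {ENI} - - - - - - - {BASE + 740} {BASE + 800} - NODATA",
        "garbled line",                                                # dropped by parser
    ]
)

if __name__ == "__main__":
    for hour, count, breached in evaluate(SAMPLE_LINES):
        print(f"hour bucket {hour}: {count} SSH attempts, alarm={breached}")
```

The only two records that matter for the alarm are the ones the metric filter would select; everything else (other ports, UDP, NODATA windows, unparseable lines) contributes nothing to the metric, which is why the filter pattern must pin both the port and the protocol field.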

Answer C: This solution suggests installing the Amazon Inspector agent on the bastion host and configuring CloudWatch alerts based on Amazon Inspector findings.

Explanation: Amazon Inspector is an AWS service that assesses the security and compliance of applications deployed on AWS. The Amazon Inspector agent can be installed on the bastion host to gather information about the security state of the host. CloudWatch alerts can be configured based on the Amazon Inspector findings to trigger an alert when there are more than 10 SSH login attempts within a one-hour time interval.

Answer D: This solution suggests creating a Lambda function that mounts the bastion host EBS volume and sends logs to CloudWatch logs. Then, creating a CloudWatch metric filter for destination port 22 and creating a CloudWatch Alarm trigger.

Explanation: By creating a Lambda function that mounts the bastion host EBS volume and sends logs to CloudWatch logs, the traffic passing through the network interface on the bastion host is logged to CloudWatch Logs. A metric filter can be created to extract the SSH login attempts from the logs based on destination port 22. A CloudWatch Alarm can be triggered when the number of SSH login attempts exceeds 10 within a one-hour time interval.

In conclusion, the most appropriate solution to meet the requirement of the company would be answer choice B. By configuring a VPC flow log with CloudWatch Logs as the destination, the traffic passing through the network interface on the bastion host is logged to CloudWatch Logs. A metric filter can be created to extract the SSH login attempts from the logs based on destination port 22. A CloudWatch Alarm can be triggered when the number of SSH login attempts exceeds 10 within a one-hour time interval.