Q: 6
A company has deployed an application in a production VPC in a single AWS account. The application
is popular and is experiencing heavy usage. The company’s security team wants to add additional
security, such as AWS WAF, to the application deployment. However, the application's product
manager is concerned about cost and does not want to approve the change unless the security team
can prove that additional security is necessary.
The security team believes that some of the application's demand might come from users that have
IP addresses that are on a deny list. The security team provides the deny list to a DevOps engineer. If
any of the IP addresses on the deny list access the application, the security team wants to receive
automated notification in near real time so that the security team can document that the application
needs additional security. The DevOps engineer creates a VPC flow log for the production VPC.
Which set of additional steps should the DevOps engineer take to meet these requirements MOST
cost-effectively?
Options
Discussion
Option A. Similar practice questions point to CloudWatch Logs with a metric filter as the fastest and cheapest alerting option for this scenario.
Yeah, makes sense to pick A. CloudWatch metric filters plus SNS is about as cost-efficient and quick as it gets for alerting on VPC flow logs. The other options have way more moving parts. If someone found a cheaper way, let me know!
Option A. Metric filters in CloudWatch are super cheap and the alerts are basically instant. I think that's why A makes sense here for cost and speed.
Probably A since CloudWatch metric filters plus SNS alerts are both quick and low-cost. B and C involve Athena or OpenSearch, which adds unnecessary complexity and more charges. Trap is going for analytics instead of direct alerting. Open if someone disagrees, but that's how I see it.
A tbh, CloudWatch metric filters plus alarms are the cheapest and fastest way to hit that "near real-time" alert requirement. Athena/OpenSearch add more cost and lag. Pretty sure that's the best fit for what they're asking here, but open to other ideas.
A
A. Metric filters in CloudWatch let you scan for specific IPs and alert fast with minimal setup, especially for accepted traffic. Cost is low since you avoid S3, Athena or OpenSearch overhead. If they needed all traffic or longer retention, maybe a different answer, but here A is the clear win imo.
A, not D. CloudWatch metric filters are a common exam answer here since they're cheaper and near real-time. D looks tempting but it's more costly and adds extra moving parts. Pretty sure A is the best fit unless I've missed something.
A, everything with Athena or OpenSearch (like B and C) costs more and adds delay. Pretty sure the CloudWatch metric filter in A is the AWS go-to for fast, cheap alerts here. If I'm missing something subtle let me know.
A. CloudWatch metric filters are built for this kind of alerting and don't hit the costs or lag you'd get with S3 plus Athena or OpenSearch. It's super common for security teams to wire up VPC flow logs to CloudWatch, set up a filter, and trigger SNS right away. Pretty sure that's what AWS best practices suggest here. If anyone has tried B and found it cheaper, let me know!
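The setup the replies keep describing (flow logs into a CloudWatch Logs log group, a metric filter that counts accepted traffic from deny-list addresses, an alarm that publishes to SNS) is easy to get subtly wrong: the field positions in a space-delimited pattern must match the flow log record format, a deny list can exceed the size of a single filter pattern, and a REJECT record from a listed address should not count as evidence that the application was reached. The following is an added example, not code from the question, the replies or AWS; it builds the filter patterns from a deny list, dry-runs them locally against constructed sample records, and produces the keyword arguments a practitioner would pass to `boto3`'s `put_metric_filter` and `put_metric_alarm`. It assumes the default (version 2) flow log record format, an assumed 1024-character limit on a filter pattern, and placeholder names for the log group, metric and SNS topic.

```python
"""Deny-list detection on VPC flow logs via a CloudWatch Logs metric filter.

Added example, not code from the question or the replies. Assumptions:
  * flow logs go to a CloudWatch Logs log group in the default (version 2)
    record format, so srcaddr is field 4 and action is field 13;
  * a metric filter pattern is limited to 1024 characters (assumed), so a
    long deny list is split into several filters feeding one metric;
  * the log group, metric namespace/name and SNS topic ARN are placeholders.
"""
import ipaddress

# Field order of the default VPC flow log record (version 2).
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action",
    "log_status",
]
MAX_PATTERN_LEN = 1024                    # assumed filterPattern limit
METRIC_NAMESPACE = "Security/DenyList"    # placeholder
METRIC_NAME = "DenyListAccepted"          # placeholder


def _validate(deny_list):
    """Accept single IPv4/IPv6 addresses only; a bracketed field comparison
    cannot express a CIDR, so a junk entry raises ValueError here, not later."""
    return sorted({str(ipaddress.ip_address(raw.strip())) for raw in deny_list})


def _pattern(ips):
    """Space-delimited pattern: OR the deny-list IPs on srcaddr and keep only
    records the VPC actually let through (action = ACCEPT)."""
    fields = list(FLOW_LOG_FIELDS)
    fields[3] = " || ".join(f"srcaddr = {ip}" for ip in ips)
    fields[12] = "action = ACCEPT"
    return "[" + ", ".join(fields) + "]"


def build_filter_patterns(deny_list, max_len=MAX_PATTERN_LEN):
    """Greedily pack IPs into patterns no longer than max_len characters."""
    patterns, chunk = [], []
    for ip in _validate(deny_list):
        if len(_pattern(chunk + [ip])) <= max_len:
            chunk.append(ip)
            continue
        if not chunk:
            raise ValueError(f"pattern for {ip} alone exceeds {max_len} chars")
        patterns.append(_pattern(chunk))
        chunk = [ip]
    if chunk:
        patterns.append(_pattern(chunk))
    return patterns


def parse_flow_log(line):
    """Map one default-format record to a dict; None if the field count is off."""
    parts = line.split()
    return dict(zip(FLOW_LOG_FIELDS, parts)) if len(parts) == len(FLOW_LOG_FIELDS) else None


def match_deny_list(lines, deny_list):
    """Local replica of what the metric filter counts, for dry-running the
    pattern against exported sample lines before creating the filter."""
    denied = set(_validate(deny_list))
    recs = (parse_flow_log(ln) for ln in lines)
    return [r for r in recs if r and r["action"] == "ACCEPT" and r["srcaddr"] in denied]


def metric_filter_requests(log_group, deny_list):
    """Keyword arguments for boto3 logs.put_metric_filter(), one per chunk;
    every chunk increments the same custom metric."""
    return [{
        "logGroupName": log_group,
        "filterName": f"deny-list-accept-{i}",
        "filterPattern": pat,
        "metricTransformations": [{"metricName": METRIC_NAME,
                                   "metricNamespace": METRIC_NAMESPACE,
                                   "metricValue": "1", "defaultValue": 0.0}],
    } for i, pat in enumerate(build_filter_patterns(deny_list))]


def alarm_request(topic_arn):
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(): any hit in a
    one-minute period publishes to the security team's SNS topic."""
    return {
        "AlarmName": "deny-list-ip-accepted", "Namespace": METRIC_NAMESPACE,
        "MetricName": METRIC_NAME, "Statistic": "Sum", "Period": 60,
        "EvaluationPeriods": 1, "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching", "AlarmActions": [topic_arn],
    }


# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE_DENY_LIST = ["203.0.113.9", "198.51.100.7"]
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44321 443 6 12 4800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51000 443 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.25 40000 443 6 20 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for req in metric_filter_requests("/aws/vpc/flow-logs-prod", SAMPLE_DENY_LIST):
        print(req["filterName"], req["filterPattern"])
    for rec in match_deny_list(SAMPLE_LINES, SAMPLE_DENY_LIST):
        print("would alarm:", rec["srcaddr"], "->", rec["dstaddr"], rec["dstport"])
```

Running it on the constructed records flags only the ACCEPT record from 198.51.100.7; the REJECT record from 203.0.113.9 and the NODATA record are ignored, which is the behaviour wanted when the alarm is meant to document that listed addresses actually reached the application. If the flow log was created with a custom field list, re-order `FLOW_LOG_FIELDS` to match it before building the pattern, since a space-delimited filter matches by position.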