A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint. What is the MOST cost-effective solution that meets these requirements?
A) Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the Security team.
B) Enable Amazon GuardDuty on the account and the specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the Security team.
C) Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the Security team.
D) Enable Amazon GuardDuty on the account and specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.

Question

Quizplus · Accepted Answer

Using network ACLs to restrict traffic to the approved IPs and enabling VPC Flow Logs with a filter set to ALL allows monitoring of all traffic. Creating a CloudWatch Logs filter for REJECT events and setting up an alarm provides notifications for any non-approved connection attempts, making it a cost-effective solution.

A Company's IT Security Team Needs to Ensure That All