Question #619
A company has VPC flow logs enabled for its NAT gateway. The company is observing Action = ACCEPT for inbound traffic originating from public IP address 203.0.100.5 destined for a private Amazon EC2 instance. A solutions architect needs to determine if this traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 192.168. Which set of steps should the solutions architect take to meet these requirements?
A. Open the AWS CloudTrail console. Select the log group containing the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 192.168" and the source address set as "like 203.0.100.5". Run the stats command to filter the sum of bytes transferred by the source and destination addresses.
B. Open the Amazon CloudWatch console. Select the log group containing the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 192.168" and the source address set as "like 203.0.100.5". Run the stats command to filter the sum of bytes transferred by the source and destination addresses.
C. Open the AWS CloudTrail console. Select the log group containing the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0.100.5" and the source address set as "like 192.168". Run the stats command to filter the sum of bytes transferred by the source and destination addresses.
D. Open the Amazon CloudWatch console. Select the log group containing the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0.100.5" and the source address set as "like 192.168". Run the stats command to filter the sum of bytes transferred by the source and destination addresses.
Explanation
Answer B is correct because:
1. VPC Flow Logs are stored in CloudWatch: flow logs capture network traffic metadata and, in this scenario, are delivered to CloudWatch Logs, where they are queried with CloudWatch Logs Insights. CloudWatch is therefore the correct console (eliminating A and C).
2. Filtering criteria: the inbound traffic originates from the public IP (203.0.100.5) and targets the private EC2 instance (192.168.x.x). The query filters on srcaddr like 203.0.100.5 and dstaddr like 192.168 to isolate traffic from that public address into the VPC, then sums bytes by source and destination address.
3. Incorrect Options:
- A/C use CloudTrail, which logs API activity, not network traffic.
- D reverses source and destination, so it selects traffic leaving the VPC toward 203.0.100.5 (outbound or return traffic) rather than the inbound connections in question.
Key Points:
- Use CloudWatch for VPC Flow Logs.
- Filter by source (public IP) and destination (private CIDR) to identify unsolicited inbound traffic.
- NAT gateway flow logs show ACCEPT for both legitimate and unsolicited traffic; analysis requires proper filtering.
Answer
The correct answer is: B
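The filtering and aggregation that option B performs in CloudWatch Logs Insights can be reproduced offline over raw flow log records, which is useful for reasoning about what the query actually selects. The Python below is an added example, not part of the original question or of any AWS tooling: it parses default-format (v2) VPC flow log lines, keeps only records whose source is 203.0.100.5 and whose destination falls inside 192.168.0.0/16, and sums bytes per source/destination pair. The sample records, account ID and ENI IDs are constructed placeholders. The `LOGS_INSIGHTS_QUERY` string is the equivalent console query; its field names assume the auto-discovered fields for the default flow log format and would need a `parse` step for a custom format. One deliberate difference from the exam answer: the `like "192.168"` substring match would also hit addresses such as 10.192.168.1, so the code checks subnet membership instead.

```python
"""Filter VPC flow log records by source/destination and sum bytes per address pair.

Added example (hypothetical); all sample records below are constructed, not real data.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Field order of the default (v2) VPC flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records: account ID, ENI IDs and timestamps are placeholders.
# Includes traffic on the NAT gateway ENI and the private instance ENI, the return
# direction, an unrelated source, a destination outside the VPC CIDR, and a NODATA line.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0nat0000000000001 203.0.100.5 192.168.10.25 44321 443 6 12 3240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 192.168.10.25 203.0.100.5 443 44321 6 10 5120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 203.0.100.5 192.168.10.40 51000 22 6 3 180 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0priv000000000002 203.0.100.5 192.168.10.25 44321 443 6 12 3240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 198.51.100.7 192.168.10.25 40000 80 6 5 600 1700000200 1700000260 REJECT OK
2 123456789012 eni-0nat0000000000001 203.0.100.5 10.0.0.9 1234 443 6 1 60 1700000300 1700000360 ACCEPT OK
2 123456789012 eni-0nat0000000000001 - - - - - - - 1700000400 1700000460 - NODATA
"""

# Equivalent CloudWatch Logs Insights query (assumes default-format auto-discovered fields).
LOGS_INSIGHTS_QUERY = """\
filter dstAddr like "192.168" and srcAddr like "203.0.100.5"
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
"""


def parse_flow_logs(text: str) -> List[Dict[str, str]]:
    """Split each whitespace-delimited record into a dict keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines
        records.append(dict(zip(FIELDS, parts)))
    return records


def filter_inbound(records: List[Dict[str, str]], source_ip: str,
                   dest_cidr: str) -> List[Dict[str, str]]:
    """Keep records from source_ip whose destination lies inside dest_cidr."""
    src = ipaddress.ip_address(source_ip)
    net = ipaddress.ip_network(dest_cidr)
    kept = []
    for r in records:
        try:
            if (ipaddress.ip_address(r["srcaddr"]) == src
                    and ipaddress.ip_address(r["dstaddr"]) in net):
                kept.append(r)
        except ValueError:
            continue  # "-" placeholders in NODATA/SKIPDATA records are not addresses
    return kept


def sum_bytes_by_pair(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Equivalent of `stats sum(bytes) by srcAddr, dstAddr`."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in records:
        totals[(r["srcaddr"], r["dstaddr"])] += int(r["bytes"])
    return dict(totals)


def investigate(text: str, source_ip: str = "203.0.100.5",
                dest_cidr: str = "192.168.0.0/16") -> Dict[Tuple[str, str], int]:
    """Run the full pipeline: parse, filter inbound from source_ip, sum bytes per pair."""
    return sum_bytes_by_pair(filter_inbound(parse_flow_logs(text), source_ip, dest_cidr))


if __name__ == "__main__":
    for (s, d), b in sorted(investigate(SAMPLE_FLOW_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{s} -> {d}: {b} bytes")
```

Note that the same flow appears once on the NAT gateway ENI and once on the private instance ENI, so byte totals double-count when both ENIs' streams are in the selected log group; filter on `interfaceId` as well if a per-hop figure is needed.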