What should the DevOps engineer do to meet these requirements?
Create an Amazon CloudWatch Synthetics canary to monitor the firewall state. If the firewall reaches a CRITICAL state or logs a CRITICAL event, use a CloudWatch alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.
Create an Amazon CloudWatch metric filter by using a search for CRITICAL events. Publish a custom metric for the finding. Use a CloudWatch alarm based on the custom metric to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.
Enable Amazon GuardDuty in the network operations account. Configure GuardDuty to monitor flow logs. Create an Amazon EventBridge (Amazon CloudWatch Events) event rule that is invoked by GuardDuty events that are CRITICAL. Define an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the security team’s email address to the topic.
Use AWS Firewall Manager to apply consistent policies across all accounts. Create an Amazon EventBridge (Amazon CloudWatch Events) event rule that is invoked by Firewall Manager events that are CRITICAL. Define an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the security team’s email address to the topic.
Explanations:
A CloudWatch Synthetics canary is used for monitoring endpoints and application availability, not for analyzing specific log events. It would not capture CRITICAL log entries directly.
Creating a CloudWatch metric filter that searches for CRITICAL events and publishes a custom metric is the correct approach. A CloudWatch alarm on that metric can then notify the security team via SNS.
GuardDuty is primarily for threat detection based on VPC flow logs and other data sources, but it doesn’t specifically inspect firewall logs for CRITICAL events.
AWS Firewall Manager is used for managing security policies across accounts, but it does not directly handle CRITICAL event detection from firewall appliances’ logs.
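The following CloudFormation template is an added example of the correct option (metric filter, custom metric, alarm, SNS email subscription); it is not part of the original question or its explanations. The log group name, metric namespace and name, topic name and email address are placeholders chosen for illustration, and the filter pattern assumes the firewall writes plain-text log lines containing the word CRITICAL (a JSON alternative is noted in a comment).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: alert the security team by email whenever a CRITICAL event
  appears in the firewall log group (metric filter -> custom metric -> alarm -> SNS).

Parameters:
  FirewallLogGroupName:
    Type: String
    Default: /firewall/appliance/logs        # placeholder; set to the real log group
  SecurityTeamEmail:
    Type: String
    Default: security-team@example.com       # placeholder address

Resources:
  # 1. Metric filter: each ingested log event containing the term CRITICAL
  #    emits a data point of 1 to the custom metric. DefaultValue 0 means
  #    periods with log traffic but no matches still report a value.
  #    If the appliance logs JSON, use a pattern such as
  #    '{ $.severity = "CRITICAL" }' instead of the plain term below.
  CriticalEventMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref FirewallLogGroupName
      FilterPattern: CRITICAL
      MetricTransformations:
        - MetricNamespace: Firewall/Events      # assumed namespace
          MetricName: CriticalEventCount        # assumed metric name
          MetricValue: "1"
          DefaultValue: 0

  # 2. SNS topic plus the security team's email subscription. The address
  #    receives a confirmation message that must be accepted before it
  #    gets alarm notifications.
  SecurityAlertsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: firewall-critical-alerts

  SecurityTeamSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref SecurityAlertsTopic
      Protocol: email
      Endpoint: !Ref SecurityTeamEmail

  # 3. Alarm on the custom metric: one or more CRITICAL events in a
  #    one-minute period pushes the Sum above 0 and publishes to the topic.
  #    notBreaching keeps quiet periods (no data points) from alarming.
  CriticalEventAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: firewall-critical-event
      AlarmDescription: One or more CRITICAL firewall events in the last minute
      Namespace: Firewall/Events
      MetricName: CriticalEventCount
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref SecurityAlertsTopic
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name firewall-critical-alerts` (overriding the two parameters for the real log group and address), then confirm the SNS subscription from the email. The metric filter only sees events ingested after it is created, so verify the pipeline by writing a test line containing CRITICAL to the log group and checking that the alarm transitions to ALARM and the email arrives.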