What should the DevOps engineer do to meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company’s DevOps engineer is working in a multi-account environment.The company uses AWS Transit Gateway to route all outbound traffic through a network operations account.In the network operations account, all account traffic passes through a firewall appliance for inspection before the traffic goes to an internet gateway.The firewall appliance sends logs to Amazon CloudWatch Logs and includes event severities of CRITICAL, HIGH, MEDIUM, LOW, and INFO.The security team wants to receive an alert if any CRITICAL events occur.

What should the DevOps engineer do to meet these requirements?

Create an Amazon CloudWatch Synthetics canary to monitor the firewall state. If the firewall reaches a CRITICAL state or logs a CRITICAL event, use a CloudWatch alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.

Create an Amazon CloudWatch metric filter by using a search for CRITICAL events. Publish a custom metric for the finding. Use a CloudWatch alarm based on the custom metric to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.

Enable Amazon GuardDuty in the network operations account. Configure GuardDuty to monitor flow logs. Create an Amazon EventBridge event rule that is invoked by GuardDuty events that are CRITICAL. Define an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the security team’s email address to the topic.

Use AWS Firewall Manager to apply consistent policies across all accounts. Create an Amazon EventBridge event rule that is invoked by Firewall Manager events that are CRITICAL. Define an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the security team’s email address to the topic.

Explanations:

Amazon CloudWatch Synthetics is used for monitoring application availability, not for inspecting firewall logs or event severities. This option does not meet the requirement of alerting on CRITICAL events in firewall logs.

Creating a CloudWatch metric filter to detect CRITICAL events in the firewall logs and using a CloudWatch alarm to trigger a notification via SNS is the correct solution to alert the security team on CRITICAL events.

Amazon GuardDuty is a threat detection service, not specifically for firewall log inspection. It monitors VPC flow logs and other sources but does not directly handle CloudWatch logs from a firewall appliance.

AWS Firewall Manager is used for managing firewall policies across accounts, not for creating alarms based on specific event log severities like CRITICAL. This option doesn’t address the need to alert on CRITICAL firewall log events.

2025-10-17

1 Comment

  1. William
    Author

    From my point of view, the answer is:
    Create an Amazon CloudWatch metric filter by using a search for CRITICAL events. Publish a custom metric for the finding. Use a CloudWatch alarm based on the custom metric to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team’s email address to the topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen + fourteen =