Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?
Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucket. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny list. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can access. Create a threshold alert of 1 for successful access. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an AWS Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluster. Schedule the Lambda function to run every 5 minutes. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to hold query results. Configure the VPC flow log to capture all traffic and to send the data to the log group. Deploy an Amazon Athena CloudWatch connector in AWS Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucket. Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
Explanations:
Option A is the most cost-effective solution. By creating a CloudWatch log group, using a metric filter to track deny-listed IPs, and triggering an alarm with an SNS notification, it efficiently alerts the security team when needed. The 5-minute period and 1 datapoint threshold minimize unnecessary alerts while maintaining near real-time notifications.
Option B is not the most cost-effective. It involves using S3, Athena, and QuickSight for querying and visualizing data, which incurs higher costs due to the use of Athena and QuickSight for dashboard creation. It’s a more complex solution for simply notifying the security team.
Option C involves S3, OpenSearch, and Lambda, adding significant complexity and cost. The Lambda function for periodic log retrieval and OpenSearch configuration is unnecessary when CloudWatch can handle the alerting efficiently.
Option D is not optimal because it involves unnecessary complexity, including CloudWatch Logs, Athena, Lambda, and S3 event notifications. The combination of services results in higher costs and is not as simple or cost-efficient as using CloudWatch with metric filters and alarms.
From my perspective, the answer is:
Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.