Which set of additional steps should the DevOps engineer take to meet these requirements MOST cost-effectively?
Create a log group in Amazon CloudWatch Logs. Configure the VPC flow log to capture accepted traffic and to send the data to the log group. Create an Amazon CloudWatch metric filter for IP addresses on the deny list. Create a CloudWatch alarm with the metric filter as input. Set the period to 5 minutes and the datapoints to alarm to 1. Use an Amazon Simple Notification Service (Amazon SNS) topic to send alarm notices to the security team.
Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture all traffic and to send the data to the S3 bucket. Configure Amazon Athena to return all log files in the S3 bucket for IP addresses on the deny list. Configure Amazon QuickSight to accept data from Athena and to publish the data as a dashboard that the security team can access. Create a threshold alert of 1 for successful access. Configure the alert to automatically notify the security team as frequently as possible when the alert threshold is met.
Create an Amazon S3 bucket for log files. Configure the VPC flow log to capture accepted traffic and to send the data to the S3 bucket. Configure an Amazon OpenSearch Service cluster and domain for the log files. Create an AWS Lambda function to retrieve the logs from the S3 bucket, format the logs, and load the logs into the OpenSearch Service cluster. Schedule the Lambda function to run every 5 minutes. Configure an alert and condition in OpenSearch Service to send alerts to the security team through an Amazon Simple Notification Service (Amazon SNS) topic when access from the IP addresses on the deny list is detected.
Create a log group in Amazon CloudWatch Logs. Create an Amazon S3 bucket to hold query results. Configure the VPC flow log to capture all traffic and to send the data to the log group. Deploy an Amazon Athena CloudWatch connector in AWS Lambda. Connect the connector to the log group. Configure Athena to periodically query for all accepted traffic from the IP addresses on the deny list and to store the results in the S3 bucket. Configure an S3 event notification to automatically notify the security team through an Amazon Simple Notification Service (Amazon SNS) topic when new objects are added to the S3 bucket.
Explanations:
This option sends only accepted traffic to Amazon CloudWatch Logs, matches source addresses on the deny list with a metric filter as the records are ingested, and raises a CloudWatch alarm (5-minute period, 1 datapoint) that notifies the security team through SNS. It meets the near-real-time requirement without any polling or scheduled job, and it is the cheapest of the four because it adds only log ingestion, one custom metric, one alarm and an SNS topic; no cluster, query engine or dashboard has to run continuously. Two practical caveats: set the flow log's maximum aggregation interval to 1 minute rather than the 10-minute default so records reach the log group quickly, and remember that the filter pattern is a static list of addresses, so it must be updated whenever the deny list changes.
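To make the mechanism of the chosen option concrete, here is an added example (not from the exam page or from AWS) that re-implements locally what the metric filter and alarm do: parse VPC flow log records in the default format, match accepted flows whose source address is on a deny list, bucket the matches into 5-minute alarm periods, and emit the equivalent CloudWatch Logs filter-pattern string. The deny list and the log lines are constructed; the filter-pattern syntax (`||` between alternatives, trailing `*` wildcard) is my reading of the CloudWatch Logs space-delimited pattern rules and should be checked against the current documentation before use.

```python
"""Local model of a CloudWatch metric filter + alarm over VPC flow log records.

Added example, not AWS code. DENY_LIST and SAMPLE_LOG are constructed.
"""
import ipaddress
from collections import Counter

# Default (version 2) VPC flow log record layout, space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed deny list: single addresses or CIDR blocks (TEST-NET ranges).
DENY_LIST = ("203.0.113.7", "198.51.100.0/24")

# Constructed records: an accepted hit, a rejected hit (must not alert), an
# accepted flow from a clean address, a NODATA record, and a second hit in a
# later 5-minute window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 44321 443 6 10 840 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 51000 22 6 3 180 1700000010 1700000069 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.20 52000 443 6 20 2400 1700000020 1700000079 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000030 1700000089 - NODATA
2 123456789012 eni-0a1b2c3d 198.51.100.200 10.0.1.20 53000 443 6 5 400 1700000400 1700000459 ACCEPT OK
"""


def parse_record(line):
    """Split one flow log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def build_deny_networks(deny_list):
    """Normalise deny-list entries (IPs or CIDRs) into ip_network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in deny_list]


def is_denied(addr, networks):
    """True if addr falls in any deny-list network. NODATA/SKIPDATA records carry
    '-' in the address fields and must never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def matches_filter(record, networks):
    """Mirror of the metric filter: accepted traffic from a deny-listed source."""
    return record["action"] == "ACCEPT" and is_denied(record["srcaddr"], networks)


def count_matches_per_period(log_text, deny_list, period_seconds=300):
    """Sum filter matches per alarm period, keyed by the period's start epoch."""
    networks = build_deny_networks(deny_list)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and matches_filter(rec, networks):
            window = int(rec["start"]) // period_seconds * period_seconds
            counts[window] += 1
    return dict(counts)


def breaching_windows(log_text, deny_list, period_seconds=300, threshold=1):
    """Periods whose SUM >= threshold. With datapoints-to-alarm = 1, the first
    such period moves the alarm to ALARM and SNS notifies the security team."""
    counts = count_matches_per_period(log_text, deny_list, period_seconds)
    return sorted(w for w, n in counts.items() if n >= threshold)


def metric_filter_pattern(deny_list):
    """Equivalent space-delimited CloudWatch Logs filter pattern (assumed syntax:
    '||' joins alternatives for a field, '*' is a trailing wildcard). CIDR blocks
    are only expressible when they sit on an octet boundary (/8, /16, /24)."""
    terms = []
    for entry in deny_list:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 32:
            terms.append(f"srcaddr={net.network_address}")
        elif net.prefixlen in (8, 16, 24):
            octets = str(net.network_address).split(".")[: net.prefixlen // 8]
            terms.append("srcaddr=" + ".".join(octets) + ".*")
        else:
            raise ValueError(f"{entry}: not expressible as a wildcard; expand it to /24s")
    return ("[version, account_id, interface_id, " + " || ".join(terms) +
            ", dstaddr, srcport, dstport, protocol, packets, bytes, start, end, "
            "action=ACCEPT, log_status]")


if __name__ == "__main__":
    print(metric_filter_pattern(DENY_LIST))
    print(breaching_windows(SAMPLE_LOG, DENY_LIST))
```

Running it shows two breaching 5-minute windows (the REJECT hit and the NODATA record are ignored, as the real filter would ignore them because only accepted traffic is captured and `-` never equals an address) and prints the pattern string you would paste into `put-metric-filter`; the CIDR entry becomes a `198.51.100.*` wildcard, which is why deny lists with arbitrary prefix lengths need to be expanded before they are turned into a filter pattern.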
Amazon S3 and Athena can certainly be used to query flow logs, but this option introduces unnecessary complexity and cost. Capturing all traffic (not just accepted traffic) inflates the volume stored in S3, Athena is billed on the data each query scans, and QuickSight adds per-user cost for a dashboard the requirement never asked for. The near-real-time requirement is also not met: a QuickSight alert fires only when its dataset is refreshed and the underlying Athena query re-runs, which is a batch cycle, not detection at ingestion.
This solution stands up an OpenSearch Service domain, a scheduled Lambda function and S3, which adds both complexity and cost. The domain is billed for every hour its instances run, and the 5-minute Lambda poll re-implements, with extra delay and code to maintain, what a CloudWatch metric filter does on each record as it is ingested. It is neither as efficient nor as cost-effective as CloudWatch Logs with a metric filter and alarm.
This option also builds a complex pipeline (Athena connector in Lambda, periodic Athena queries, S3 result objects and S3 event notifications) that adds overhead and cost, again scanning all traffic instead of accepted traffic only. The alerting requirement is met poorly because detection depends on how often the scheduled Athena query runs, so the delay is bounded by the query schedule rather than by log ingestion as it is with a CloudWatch alarm.