Exam ANS-C00
Question 3

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.

Which two AWS services could you leverage to build an automated notification system? (Choose two.)

    Correct Answer: B, D

    To build an automated notification system for detecting external port scans on your application within a three-tier web architecture, you should use VPC Flow Logs and AWS Lambda. VPC Flow Logs can capture detailed information about IP traffic reaching your network interfaces, including any suspicious port scan activities. AWS Lambda can then be used to automate the detection and notification process by analyzing the flow log data and triggering alerts to the security team when a port scan is identified. AWS CloudTrail, while useful for auditing AWS account activity, does not directly detect port scans. Similarly, AWS Inspector focuses on vulnerability assessments rather than real-time monitoring for port scans, and an Internet gateway is not relevant for such monitoring tasks.
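A minimal version of the flow-log analysis the explanation above describes, written as an added example rather than anything from the original page: it parses default-format VPC Flow Log records and flags a source that fans out across many destination ports or touches a port the application does not serve. The log lines, IP addresses, account id, thresholds and allowed-port set are all constructed; in a real deployment the records would arrive via a CloudWatch Logs subscription or S3 and the returned findings would be published to SNS.

```python
from collections import defaultdict

# Default VPC Flow Log (version 2) field order, as documented by AWS.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample batch: 198.51.100.7 walks several ports on the web tier,
# 192.0.2.9 pokes Telnet once, 203.0.113.5 is an ordinary HTTPS client,
# and the last record is a NODATA line with '-' placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 21 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40003 23 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40004 80 6 1 44 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40005 443 6 1 44 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51000 443 6 12 4800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.10 51001 23 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - 0 0 1700000000 1700000059 - NODATA
"""

def parse_record(line):
    """Parse one flow log record; return None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2" or not parts[6].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["dstport"] = int(rec["dstport"])
    return rec

def detect_port_scans(log_text, allowed_ports, fanout_threshold):
    """Evaluate two signals per source IP over a batch of records:
    'fan-out'         : >= fanout_threshold distinct destination ports touched
    'unexpected-port' : traffic to a port the application does not serve
    Returns {srcaddr: {"signals": [...], "ports": [...]}} for sources that fire."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    findings = {}
    for src, ports in ports_by_src.items():
        signals = []
        if len(ports) >= fanout_threshold:
            signals.append("fan-out")
        if ports - set(allowed_ports):
            signals.append("unexpected-port")
        if signals:
            findings[src] = {"signals": signals, "ports": sorted(ports)}
    return findings
```

Calling `detect_port_scans(SAMPLE_LOG, {80, 443}, 5)` flags the scanner on both signals and the single Telnet probe on the unexpected-port signal only, while the normal HTTPS client produces no finding.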

Discussion
Steve2314 (Options: BD)

It should be B, D. VPC Flow Logs and Lambda.

certificatores

definitely https://www.sumologic.com/insight/use-aws-vpc-flow-logs/

sapien45

Completely useless answer. A third-party tool is not an option. AWS Flow Logs would be the best tool for port scanning analysis, Lambda for automation and scheduling. B and D.

Ishu_awsguy

No, it should be D and E. Inspector for port scan results and Lambda to trigger a notification when any finding comes.

HAS (Options: BD)

A: incorrect, obviously the IGW has nothing to do with security assessment.
B: correct, Flow Logs will show all traffic up to L4, good to detect any port scanning.
C: incorrect, CloudTrail is triggered only when an API is called, which is not the case for port scanning.
D: correct, Lambda will be triggered when port scanning is detected from flow logs.
E: incorrect, Inspector is a proactive vulnerability scanner for port vulnerabilities but does not detect a potential port scanning.

ExamTopicsFan (Options: BD)

Inspector tells you if there is a port vulnerability, i.e. an exposed port. It can not tell if there was an attempt to do a port scan. That rules out the Amazon Inspector option.

sapien45

Agreed, the best alternative would be flow logs, whose job is to actually log accessed ports.

Johnny_Green (Options: BD)

B and D are correct. Refer to the following link: https://www.sumologic.com/insight/use-aws-vpc-flow-logs/ One of the VPC Flow Logs values is the ability to detect and block vulnerability scans against their network by checking for ping sweeps, port scans and other malicious activity associated with attempts to discover weaknesses in the network. Once the sources of such scans are identified, security admins can block them from further access in order to prevent intrusions. In addition, to protect your AWS platform from being port scanned by external systems, you can use AWS Lambda scripts to run periodically.

2aldous

D and E. Please check this: https://aws.amazon.com/es/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/

StelSen (Options: BD)

Everyone agreed that Answer D is one of the correct answers. So, let's leave this.

Option B: VPC Flow Logs (This is a reactive method, i.e. if someone scanned, then you will get the details in VPC flow logs and you can write a custom Lambda and take action). This will work for sure. https://blog.runpanther.io/aws-security-logging-vpc-flow-logs/

Option E: AWS Inspector (Proactive method. This also works. Inspector analyzes the VPC SG, NACL etc. configuration and will tell you the security issues proactively. I will definitely use this). https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/

So, after reading the question, they were asking 'Alert if someone scanned', so my answer would be "VPC Flow Logs" (from the exam point of view).

Smartphone (Options: BD)

I will go with B and D. The destination/infrastructure port scanned by a port scanner will be logged by VPC Flow Logs. For example, say that our infrastructure does not use Telnet (port 23). We want to be alerted when traffic is directed at this port, as this is most likely malicious traffic. VPC Flow Logs will record those scanned ports and, using AWS Lambda, an alert can be generated for the administrators.

Huy (Options: DE)

D & E. Check this link. It doesn't require Amazon Inspector agent to be installed. We can schedule a Lambda function to do this job. https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/

NSF2 (Options: CD)

The answer, in my opinion, is CD, because VPC logs can have alarms but you can't create events; events can be created for CloudTrail and you can add targets, which would be SNS, Lambda etc.

divine_love (Options: BD)

B. VPC Flow Logs, D. Lambda. Explanation: VPC Flow Logs can be used to capture information about the IP traffic going to and from network interfaces in your VPC, which would include any port scans. AWS Lambda can then be used to automate the response to these logs, such as triggering a notification to the security team when a port scan is detected. AWS CloudTrail is used for auditing AWS account activity and would not directly detect a port scan. An Internet gateway is a component that allows communication between instances in your VPC and the internet, but it does not provide monitoring capabilities. AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS, but it does not monitor for port scans in real-time.

PorkChop1999 (Options: BD)

This is not asking us to scan the ports. It is rather asking for an automated solution to notify in case of a port scanning event. While Inspector can provide scanning capabilities, that's not what we are asked for. Flow Logs allow you to understand the ports scanned. Lambda can be used for analysis and automation.

PavanKushwah123 (Options: CD)

Correct Answer: CD

awsguru1998 (Options: BE)

BE. You might need to run network port-scanning tools to test routing and firewall configurations, then validate what processes are listening on your instance network ports, before finally mapping the IPs identified in the port scan back to the host's owner. To make this process simpler for our customers, AWS recently released the Network Reachability rules package in Amazon Inspector, our automated security assessment service that enables you to understand and improve the security and compliance of applications deployed on AWS.

jyrajan69 (Options: BD)

Will go with B and D, based on "Are attempts being made to find open ports or other potential security vulnerabilities in your configuration?" True in this case... nothing about having this done in real time.

ChauPhan (Options: BD)

Basically, a port scan is a method that sends a TCP SYN request to a specific port to detect whether it is open or not. So it can be recorded in VPC Flow Logs. So for me, B and D are the correct answers.

Ishu_awsguy

Where would you get the request type in VPC flow logs? Flow logs won't show if it is SYN. No complications needed. When AWS Inspector can give you ready-made info, why do you want to make it complex by writing another Lambda to analyse whether a port scan is happening in the flow log data? For me, D and E are best.

ChauPhan

"You are tasked with notifying the security team in the event your application is port scanned by external systems." Does AWS Inspector always run, or run on demand or on a schedule? So can you detect the port scan at any time when your app was attacked?

ChauPhan

AWS Inspector will assess your security risks by a one-time run or a weekly schedule; it is like your virus scanning. Unfortunately, it does not provide run-time protection.

ChauPhan

I don't care about the TCP SYN type. I will check if the port range appearing in VPC logs is not used by my application ports, or is increasing abnormally in range, and then I will notify.

Huy

Agree with Ishu. It's not easy to build an algorithm to detect a port scan action. You can schedule a Lambda function to run Amazon Inspector and another Lambda function to notify.

firstabed (Options: CD)

C and D. VPC Flow Logs monitor the traffic to capture (accepted traffic, rejected traffic, or all traffic).

OKMAN (Options: BD)

It's either B/D or D/E. I lean toward B/D VPC Flow Logs for the port scan and Lambda for the trigger. https://www.flowtraq.com/working-vpc-flow-logs/

Ishu_awsguy

D and E for sure

Ishu_awsguy

B would only give you the data of inbound and outbound network logs; how would you know if any port scanning is being done? B is not the right answer.