ANS-C01: Secure Data Capture & Debugging AWS EC2 Trading Platform Solution

Learn how to securely capture and provide data from third-party services on Amazon EC2 for debugging. Ensure compliance and security while aiding debugging processes on your trading platform.

Question

A financial trading company is using Amazon EC2 instances to run its trading platform. Part of the company’s trading platform includes a third-party pricing service that the EC2 instances communicate with over UDP on port 50000.

Recently, the company has had problems with the pricing service. Some of the responses from the pricing service appear to be incorrectly formatted and are not being processed successfully. The third-party vendor requests access to the data that the pricing service is returning. The third-party vendor wants to capture request and response data for debugging by logging in to an EC2 instance that accesses the pricing service. The company prohibits direct access to production systems and requires all log analysis to be performed in a dedicated monitoring account.

Which set of steps should a network engineer take to capture the data and meet these requirements?

A.

1. Configure VPC flow logs to capture the data that flows in the VPC.
2. Send the data to an Amazon S3 bucket.
3. In the monitoring account, extract the data that flows to the EC2 instance’s IP address and filter the traffic for the UDP data.
4. Provide the data to the third-party vendor.

B.

1. Configure a traffic mirror filter to capture the UDP data.
2. Configure Traffic Mirroring to capture the traffic for the EC2 instance’s elastic network interface.
3. Configure a packet inspection package on a new EC2 instance in the production environment. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
4. Extract the data by using the packet inspection package.
5. Provide the data to the third-party vendor.

C.

1. Configure a traffic mirror filter to capture the UDP data.
2. Configure Traffic Mirroring to capture the traffic for the EC2 instance’s elastic network interface.
3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
4. Extract the data by using the packet inspection package.
5. Provide the data to the third-party vendor.

D.

1. Create a new Amazon Elastic Block Store (Amazon EBS) volume. Attach the EBS volume to the EC2 instance.
2. Log in to the EC2 instance in the production environment. Run the tcpdump command to capture the UDP data on the EBS volume.
3. Export the data from the EBS volume to Amazon S3.
4. Provide the data to the third-party vendor.

Answer

C.

1. Configure a traffic mirror filter to capture the UDP data.
2. Configure Traffic Mirroring to capture the traffic for the EC2 instance’s elastic network interface.
3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
4. Extract the data by using the packet inspection package.
5. Provide the data to the third-party vendor.

Explanation

The set of steps that meets the requirements to capture and provide data from the pricing service for debugging while adhering to the company’s security policies is Option C:

  1. Configure a traffic mirror filter: Set up a traffic mirror filter to capture the UDP data (Step 1).
  2. Configure Traffic Mirroring: Capture the traffic for the EC2 instance’s elastic network interface using Traffic Mirroring (Step 2).
  3. Deploy packet inspection in monitoring account: Install a packet inspection package on a new EC2 instance in the monitoring account, using its elastic network interface as the traffic mirror target (Step 3).
  4. Extract and provide data: Extract the captured data using the packet inspection package and provide it to the third-party vendor (Steps 4 and 5).

This approach keeps the packet capture out of production hands: the traffic mirror filter limits what is copied to the UDP flow of interest, and the mirror target is an elastic network interface in the dedicated monitoring account, so the vendor's analysis happens there and nobody logs in to a production instance. The other options each break a requirement: VPC Flow Logs (Option A) record connection metadata, not packet payloads, so they cannot show the malformed responses; Option B places the collector inside the production environment; Option D requires logging in to and running tcpdump on a production instance.
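As an added illustration of Option C (not part of the original question or answer key), the AWS CLI sequence below builds the four moving parts: a mirror filter with rules that accept only the pricing-service UDP traffic in both directions, a mirror target on a collector ENI in the monitoring account shared back to the production account, a mirror session on the trading instance's ENI, and the capture on the collector. All IDs, the account numbers and the region are placeholders; the resource ARN format for the RAM share and the need for VPC peering or a Transit Gateway between the two VPCs are assumptions to verify for your environment. Run with DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example for Option C; not the page's own code. Every id below
# (eni-..., tmf-..., tmt-...), the account numbers and the region are
# placeholders to replace with real values.
set -eu

# Wrapper: with DRY_RUN=1 the aws command line is printed, not executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Step 1 (production account): create an empty mirror filter; prints its id.
create_filter() {
  run ec2 create-traffic-mirror-filter --description "$1" \
      --query TrafficMirrorFilter.TrafficMirrorFilterId --output text
}

# Step 1 continued: only the pricing-service flow is accepted. Requests leave
# the trading instance toward UDP/<port> (egress rule); responses arrive from
# source port <port> (ingress rule). Traffic that matches no rule is not
# mirrored, so the vendor never sees unrelated production traffic.
add_pricing_rules() {
  local filter_id="$1" port="$2"
  run ec2 create-traffic-mirror-filter-rule \
      --traffic-mirror-filter-id "$filter_id" \
      --traffic-direction egress --rule-number 100 --rule-action accept \
      --protocol 17 \
      --destination-port-range "FromPort=$port,ToPort=$port" \
      --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0
  run ec2 create-traffic-mirror-filter-rule \
      --traffic-mirror-filter-id "$filter_id" \
      --traffic-direction ingress --rule-number 100 --rule-action accept \
      --protocol 17 \
      --source-port-range "FromPort=$port,ToPort=$port" \
      --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0
}

# Step 3 (monitoring account): the collector instance's ENI becomes the
# mirror target; prints the target id.
create_target() {
  run ec2 create-traffic-mirror-target --network-interface-id "$1" \
      --description "pricing-service debug collector" \
      --query TrafficMirrorTarget.TrafficMirrorTargetId --output text
}

# Step 3 continued (monitoring account): share the target with the production
# account through AWS RAM so a session there can reference it. ARN format is
# an assumption; confirm it against the RAM console for your region.
share_target() {
  local target_id="$1" region="$2" monitoring_account="$3" production_account="$4"
  run ram create-resource-share --name pricing-mirror-target \
      --resource-arns "arn:aws:ec2:$region:$monitoring_account:traffic-mirror-target/$target_id" \
      --principals "$production_account"
}

# Step 2 (production account): mirror the trading instance's ENI into the
# shared target, restricted by the filter. Session numbers order multiple
# sessions on one ENI; 1 is fine for a single session.
create_session() {
  local source_eni="$1" target_id="$2" filter_id="$3"
  run ec2 create-traffic-mirror-session --network-interface-id "$source_eni" \
      --traffic-mirror-target-id "$target_id" \
      --traffic-mirror-filter-id "$filter_id" \
      --session-number 1 --description "pricing-service debug"
}

# Step 4 (on the collector instance): mirrored packets arrive VXLAN-encapsulated
# on UDP 4789, so the collector's security group must allow that inbound from
# the source. Wireshark decodes the VXLAN wrapper automatically.
capture_on_collector() {
  sudo tcpdump -i "$1" -nn 'udp port 4789' -w pricing-mirror.pcap
}

# Orchestration, only when invoked as: ./mirror.sh apply
if [ "${1:-}" = "apply" ]; then
  REGION="us-east-1"                      # placeholder
  PRODUCTION_ACCOUNT="111111111111"       # placeholder
  MONITORING_ACCOUNT="222222222222"       # placeholder
  TRADING_ENI="eni-PRODUCTION-PLACEHOLDER"
  COLLECTOR_ENI="eni-MONITORING-PLACEHOLDER"
  # Run with production credentials:
  FILTER_ID=$(create_filter "pricing-service udp/50000")
  add_pricing_rules "$FILTER_ID" 50000
  # Run with monitoring-account credentials:
  TARGET_ID=$(create_target "$COLLECTOR_ENI")
  share_target "$TARGET_ID" "$REGION" "$MONITORING_ACCOUNT" "$PRODUCTION_ACCOUNT"
  # Back in production, after accepting the RAM share if required:
  create_session "$TRADING_ENI" "$TARGET_ID" "$FILTER_ID"
fi
```

The ingress and egress rules carry the same rule number because numbering is per direction; the two CIDR arguments are required by the API, and 0.0.0.0/0 is used here only because the question does not give the pricing service's address. Narrowing them to the vendor's address range further reduces what leaves production.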

AWS Certified Advanced Networking – Specialty ANS-C01 certification exam practice question and answer (Q&A) dump with detailed explanation and references, available free, to help you pass the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty ANS-C01 certification.