A secure payment application is deployed on the EC2 instance in VPC. This application server is accessed by the internal team & vendors for uploading security patches. You have a security group policy that allows only SSH to this application from all IP subnets. The Security Team needs to get notified when more than Fifty SSH login attempts were recorded from unknown IP addresses in an hour. Which of the following solution can be deployed with the least cost to meet this requirement?

Answer options:

A.Create a VPC Flow logs for the Server network interface. Export flow logs to Amazon S3 bucket with Lifecycle management policies. Create a CloudWatch alarm for this bucket which will notify the Security Team when a number of failed SSH login attempts breaches the threshold value.
B.Create a VPC Flow logs for VPC in which the Server instance is launched. Export flow logs to Amazon S3 bucket with Lifecycle management policies. Create a CloudWatch alarm for this bucket which will notify the Security Team when a number of failed SSH login attempts breaches the threshold value.
C.Create a VPC Flow logs for VPC in which the Server instance is launched. Export flow logs to CloudWatch Logs. Create a cloudwatch metric and trigger an alarm that will notify the Security Team when a number of failed SSH login attempts breaches the threshold value.
D.Create a VPC Flow logs for the Server network interface. Export flow logs to CloudWatch Logs. Create a Cloudwatch metric and trigger an alarm that will notify the Security Team when a number of failed SSH login attempts breaches the threshold value.

Correct Answer – D
Flow Logs can be published to CloudWatch logs to set alarms for specific notifications. There are charges involved when flow log data is saved in either S3 buckets or published to CloudWatch. So, in order to have a cost-effective solution, you can enable Flow logs only on a specific instance interface & published them to CloudWatch.
Options A & B are incorrect as this is not an effective way to store data in the S3 bucket & again publish it to CloudWatch. Instead of that, direct flow logs can be published to CloudWatch & an alarm can be set to notify Security Team.
Option C is incorrect as although this will work in capturing failed SSH login attempts to the Server network interface, these flow logs will capture logs for all interface & subnets within that VPC. When a large amount of data is published to CloudWatch logs, this will incur additional charges.
For more information on using Flow Logs, refer to the following URL
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log