DOP-C02 · Drill mode

A company has deployed an application in a producti on VPC in a single AWS account. The application sec urity, such as AWS WAF, to the application deployment. How ever, the application's product manager is concerne d about cost and does not want to approve the change unless the security team can prove that additional security is necessary. The security team believes that some of the applica tion's demand might come from users that have IP addresses that are on a deny list. The security tea m provides the deny list to a DevOps engineer. If a ny of the IP addresses on the deny list access the applicatio n, the security team wants to receive automated not ification in near real time so that the security team can doc ument that the application needs additional securit y. The DevOps engineer creates a VPC flow log for the prod uction VPC. Which set of additional steps should th e DevOps engineer take to meet these requirements MOS T cost-effectively?

• AA. Create a log group in Amazon CloudWatch Logs. Con figure the VPC flow log to capture accepted traffic and
• BB. Create an Amazon S3 bucket for log files. Configu re the VPC flow log to capture all traffic and to s end the
• CC. Create an Amazon S3 bucket for log files. Configu re the VPC flow log to capture accepted traffic and to
• DD. Create a log group in Amazon CloudWatch Logs. Cre ate an Amazon S3 bucket to hold query results.