AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations engineer needs to verify that the company's AWS Network Firewall deployment continues to inspect every packet that traverses a set of VPCs and that no one has removed or modified rule groups. The engineer must also be able to trace individual connection attempts when troubleshooting. Which approach meets these auditing requirements in a single AWS account?
Enable only the FLOW log type on each firewall, send the logs to CloudWatch Logs, and rely on CloudTrail to detect configuration changes.
Enable VPC flow logs for all subnets inspected by the firewall and stream them to Amazon S3 Glacier for long-term retention.
Enable both FLOW and ALERT log types on every firewall and send the logs to CloudWatch Logs. Turn on AWS Config with the managed rules that evaluate Network Firewall firewalls, firewall policies, and rule groups.
Configure AWS Firewall Manager policies to automatically audit rule groups and aggregate all firewall logs to S3.
Enabling both firewall logging types (FLOW and ALERT) to Amazon CloudWatch Logs captures detailed, immutable records for every connection as well as rule-match alerts, allowing packet-level tracing. Turning on AWS Config with the managed rules that monitor Network Firewall resources provides continuous configuration compliance checks and records any changes to firewalls, firewall policies, and rule groups, ensuring that rule groups are neither removed nor altered without detection.
Sending only VPC flow logs omits rule-evaluation details, and logging to S3 without the ALERT log type prevents correlating traffic with rule actions. Firewall Manager is designed for multi-account control and does not add value in a single-account environment.
AWS Certified CloudOps Engineer Associate SOA-C03
Networking and Content Delivery