A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

- A: Use Route 53 Resolver DNS Firewall with query logging
- B: Use Amazon GuardDuty
- C: Enable VPC Flow Logs
- D: Enable AWS CloudTrail

Answer: A. Route 53 Resolver query logging records the DNS queries made from within a VPC, which is what is needed to spot exfiltration over DNS.

Trap 1 (B): Amazon GuardDuty analyzes logs to produce findings, but it does not log the DNS queries itself.
Trap 2 (C): VPC Flow Logs capture IP traffic metadata, not the DNS queries themselves.
Trap 3 (D): AWS CloudTrail logs API calls to AWS services, not DNS queries.