SAP-C02 Question #786: Real Exam Question with Answer & Explanation

The correct answer is B: Enable access logging on the ALB. Create an Amazon Athena table to query the ALB access. The company needs to identify inactive IP addresses allowed by an ALB security group and remove them, using a Lambda function, with a focus on cost-effectiveness.

Submitted by lukas.cz · Mar 6, 2026 · Domain: Continuous Improvement for Existing Solutions

Question

A company has an application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The application is in an AWS account that has AWS CloudTrail enabled. The company restricts access to the application by adding the IP addresses of end users to a security group that is associated with the ALB. The company is developing an AWS Lambda function to determine if the allowed IP addresses have accessed the application recently. If an allowed IP address has not accessed the application in the last 90 days, the Lambda function will remove the IP address from the security group. The company needs to implement the functionality for the Lambda function to check the IP addresses. Which combination of steps will provide this functionality MOST cost-effectively? (Choose two.)

Options

  • A. For the VPC that contains the ALB, configure VPC flow logs to be sent to a log group in Amazon
  • B. Enable access logging on the ALB. Create an Amazon Athena table to query the ALB access
  • C. Program the Lambda function to check when each allowed IP address from the security group
  • D. Program the Lambda function to check when each allowed IP address from the security group
  • E. Program the Lambda function to check when each allowed IP address from the security group

Explanation

The company needs to identify inactive IP addresses allowed by an ALB security group and remove them, using a Lambda function, with a focus on cost-effectiveness.

Common mistakes.

  • A. VPC Flow Logs capture all network traffic at the ENI level, making them less specific and potentially more voluminous than ALB access logs for determining application access, and less cost-effective for querying for this specific purpose.
  • C. CloudTrail logs AWS API calls, not individual HTTP requests to the ALB, so it would not show when an IP address accessed the application via the ALB.
  • E. Querying CloudTrail logs for application access is incorrect because CloudTrail tracks AWS API calls, not application-level traffic to the ALB.
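The check the question's Lambda function has to perform, as an added example that is not part of the exam page and not AWS sample code: compute the most recent access per client IP from ALB access log lines, then compare each security-group ingress CIDR against a 90-day cutoff. The sample log lines, the CIDR list and the fixed "now" value are constructed; the field positions assume the documented ALB access log layout (space-separated, quoted request and user-agent fields, timestamp in field 2, client:port in field 4), and the Athena column names `client_ip` and `time` assume the table definition AWS documents for ALB logs. The example runs offline over the embedded lines; in the real design the per-IP view would come from the Athena query instead.

```python
"""Stale allow-list detection over ALB access logs (added example; constructed data)."""
import ipaddress
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample ALB access log lines (IPv4 clients). Only the leading
# fields are read: field 2 = timestamp, field 4 = client:port.
SAMPLE_LOG_LINES = [
    'https 2026-02-28T09:12:01.445210Z app/my-alb/50dc6c495c0c9188 203.0.113.5:43210 10.0.1.12:80 0.001 0.004 0.000 200 200 130 512 "GET https://example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/abc123 "Root=1-example" "example.com" "-" 0 2026-02-28T09:12:01.440000Z "forward" "-" "-" "10.0.1.12:80" "200" "-" "-"',
    'https 2025-10-02T17:40:12.000100Z app/my-alb/50dc6c495c0c9188 203.0.113.5:51002 10.0.1.12:80 0.001 0.003 0.000 200 200 130 512 "GET https://example.com:443/login HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/abc123 "Root=1-example" "example.com" "-" 0 2025-10-02T17:40:11.990000Z "forward" "-" "-" "10.0.1.12:80" "200" "-" "-"',
    'https 2025-11-20T10:15:30.123456Z app/my-alb/50dc6c495c0c9188 198.51.100.7:40001 10.0.1.13:80 0.001 0.005 0.000 200 200 120 512 "GET https://example.com:443/ HTTP/1.1" "curl/8.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/abc123 "Root=1-example" "example.com" "-" 0 2025-11-20T10:15:30.120000Z "forward" "-" "-" "10.0.1.13:80" "200" "-" "-"',
    # Recent traffic from an address that no ingress rule covers must not "rescue" any rule.
    'https 2026-03-05T08:00:00.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.200:40002 10.0.1.13:80 0.001 0.005 0.000 403 403 120 256 "GET https://example.com:443/ HTTP/1.1" "curl/8.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/abc123 "Root=1-example" "example.com" "-" 0 2026-03-05T07:59:59.990000Z "forward" "-" "-" "10.0.1.13:80" "403" "-" "-"',
]

# Constructed ingress rules of the ALB security group, and a fixed evaluation time.
SECURITY_GROUP_CIDRS = ["203.0.113.5/32", "198.51.100.7/32", "192.0.2.0/24"]
NOW = datetime(2026, 3, 6, tzinfo=timezone.utc)


def parse_access_line(line):
    """Return (client_ip, timestamp) from one ALB access log line."""
    fields = shlex.split(line)  # honours the quoted request/user-agent fields
    ts = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    client_ip = fields[3].rsplit(":", 1)[0]  # drop the ephemeral source port
    return client_ip, ts


def last_access_by_ip(lines):
    """Most recent access timestamp per client IP (what the Athena query would return)."""
    last_seen = {}
    for line in lines:
        if not line.strip():
            continue
        ip, ts = parse_access_line(line)
        if ip not in last_seen or ts > last_seen[ip]:
            last_seen[ip] = ts
    return last_seen


def stale_ingress_rules(cidrs, last_seen, now, max_age_days=90):
    """Ingress CIDRs with no access in the last max_age_days (candidates for removal).
    A rule is kept if any address inside its network was seen after the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        newest = None
        for ip, ts in last_seen.items():
            addr = ipaddress.ip_address(ip)
            if addr.version == net.version and addr in net and (newest is None or ts > newest):
                newest = ts
        if newest is None or newest < cutoff:
            stale.append(cidr)
    return stale


def athena_last_seen_sql(database, table, cutoff):
    """Query text a Lambda would hand to Athena for the same per-IP view over the
    ALB log table; scanning only the 90-day window keeps the per-query cost down.
    Column names follow the AWS-documented ALB table (assumption)."""
    return (
        f'SELECT client_ip, max(parse_datetime(time, \'yyyy-MM-dd\'\'T\'\'HH:mm:ss.SSSSSSZ\')) AS last_seen '
        f'FROM "{database}"."{table}" '
        f'WHERE parse_datetime(time, \'yyyy-MM-dd\'\'T\'\'HH:mm:ss.SSSSSSZ\') >= '
        f'timestamp \'{cutoff:%Y-%m-%d %H:%M:%S}\' '
        f'GROUP BY client_ip'
    )


def stale_rules_in_sample():
    """Run the check over the constructed data: rules not seen since 2025-12-06."""
    return stale_ingress_rules(SECURITY_GROUP_CIDRS, last_access_by_ip(SAMPLE_LOG_LINES), NOW)


if __name__ == "__main__":
    for cidr in stale_rules_in_sample():
        print("candidate for removal:", cidr)
    print(athena_last_seen_sql("alb_logs_db", "alb_access_logs", NOW - timedelta(days=90)))
```

Over the constructed data only 203.0.113.5/32 survives: 198.51.100.7/32 was last seen before the cutoff and 192.0.2.0/24 never appears, while the recent hit from 203.0.113.200 matches no rule. Reviewing the returned list before revoking anything (or logging it first) is the sensible way to run this in production, since a legitimate but infrequent user loses access once the rule is gone.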

Concept tested. ALB access logging and cost-effective log analysis

Reference. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
