The Jeff’s Note (Contextual Hook) #
Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in how VPC Flow Logs filter settings affect what traffic is actually recorded. In production troubleshooting, this translates into knowing that rejected (denied) traffic may be omitted if the filter is incorrectly set. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A Site Reliability Engineer at a fintech startup called BlueWave Solutions is investigating persistent connectivity failures between application servers and a backend data store inside their AWS environment. To diagnose the issue, the engineer inspects VPC Flow Logs configured for the company’s production VPC. While analyzing the logs, the engineer realizes that the rejected network traffic is not appearing, hindering the diagnosis.
The Requirement: #
Ensure that the VPC Flow Logs capture all traffic — including accepted, rejected, and all other flows — so that every network event is logged to assist troubleshooting.
The Options #
- A) Create a new flow log that has a filter setting to capture all traffic.
- B) Create a new flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
- C) Edit the existing flow log. Change the filter setting to capture all traffic.
- D) Edit the existing flow log. Set the log record format to a custom format. Select the proper fields to include in the log.
Correct Answer #
C
Quick Insight: The SOA-C02 Imperative #
When working with VPC Flow Logs, the filter setting directly impacts which traffic is captured:
- ACCEPT logs only accepted traffic.
- REJECT logs only rejected traffic.
- ALL logs every flow (both accepted and rejected).

To see the missing rejected traffic, the existing flow log’s filter must be changed to ALL. Editing an existing flow log’s filter requires recreation since AWS does not allow filter modification in-place, so deleting and recreating the log with ALL is the practical approach.

Custom record format relates to which fields are logged but does not affect filtering of accepted vs rejected traffic.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
The flow log’s filter controls which traffic types are logged. In this case, the existing flow log is only capturing accepted packets, so rejected packets are missing. Changing the filter to ALL ensures every traffic flow (accepted and rejected) gets captured.
Since AWS does not permit editing the filter of an existing flow log, a common operational approach is to delete and recreate the flow log with the correct filter setting. However, option C’s wording (“Edit the existing flow log”) implies changing configuration, which is effectively done by recreation.
Custom log record format impacts the data fields logged but does not affect filtering of rejected vs. accepted flows. Therefore, options B and D are red herrings.
Creating an additional flow log (option A) could work but would be redundant; the problem is the filter setting on the existing log.
The Trap (Distractor Analysis): #
- Why not A? Creating a new flow log duplicates logging effort and may cause confusion about which logs to consult. It is better to fix the existing log.
- Why not B or D? Customizing log fields doesn’t enable capture of rejected traffic that is missing because of the filter.
- Why not C? Technically, editing a flow log’s filter is not supported; you must delete and recreate it. Selecting C therefore means “change the filter,” which aligns with best practice, assuming recreation.
The Technical Blueprint #
```bash
# Example CLI steps to recreate a flow log with filter=ALL
aws ec2 delete-flow-logs --flow-log-ids fl-1234567890abcdef0
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-0ab1c2d3e4f56789a \
  --traffic-type ALL \
  --log-group-name /aws/vpc/flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/flow-logs-role
```
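Before recreating anything, it helps to know which resources actually have the gap. The following is an added example, not part of the original note: it reads JSON in the shape returned by `aws ec2 describe-flow-logs` and reports, per resource, which actions no active flow log records. The sample data and its IDs are constructed, and `coverage_gaps` is a hypothetical helper name.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws ec2 describe-flow-logs` output.
# All IDs below are made up for illustration.
SAMPLE = json.loads("""
{"FlowLogs": [
  {"FlowLogId": "fl-1234567890abcdef0", "ResourceId": "vpc-0ab1c2d3e4f56789a",
   "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"},
  {"FlowLogId": "fl-0000000000000000b", "ResourceId": "vpc-0000000000000000b",
   "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"},
  {"FlowLogId": "fl-0000000000000000c", "ResourceId": "vpc-0000000000000000b",
   "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
  {"FlowLogId": "fl-0000000000000000d", "ResourceId": "vpc-0000000000000000d",
   "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"}
]}
""")

BOTH = {"ACCEPT", "REJECT"}


def coverage_gaps(described):
    """Return {resource_id: [actions no active flow log records]}.

    A filter of ALL covers both actions. Separate ACCEPT and REJECT flow
    logs on the same resource also cover both between them. Flow logs that
    are not ACTIVE contribute nothing, but their resource is still listed.
    """
    covered = defaultdict(set)
    for flow_log in described.get("FlowLogs", []):
        actions = covered[flow_log["ResourceId"]]  # registers the resource
        if flow_log.get("FlowLogStatus") != "ACTIVE":
            continue
        traffic = flow_log.get("TrafficType")
        actions.update(BOTH if traffic == "ALL" else {traffic})
    return {rid: sorted(BOTH - acts)
            for rid, acts in covered.items() if BOTH - acts}


if __name__ == "__main__":
    for resource_id, missing in coverage_gaps(SAMPLE).items():
        print(f"{resource_id}: not logging {', '.join(missing)}")
```

To run it against a real account, save the output of `aws ec2 describe-flow-logs` to a file and pass the parsed JSON to `coverage_gaps`.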
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact |
|---|---|---|---|
| A | High - Creates redundant logs | Medium | Captures rejected traffic but duplicates logs |
| B | Medium - Custom format setup | Medium | No effect on rejected traffic visibility |
| C | Medium - Requires recreation | High (with automation) | Correct filter captures all traffic |
| D | Medium - Custom format setup | Medium | No effect on rejected traffic |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Filter=ALL when you see insufficient log visibility on accepted/rejected traffic in VPC Flow Logs.
Real World #
In reality, many teams opt to have flow logs with filter=REJECT separately for focused security monitoring and filter=ALL for general troubleshooting.
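Once a flow log with filter ALL is in place, the rejected flows can be pulled out of the records directly. The following is an added example, not part of the original note: it parses records in the default (version 2) flow log format, skips `NODATA`/`SKIPDATA` records, and counts REJECT entries per source, destination and port. The sample records are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: an app server retrying a blocked database port,
# one accepted HTTPS flow, and one NODATA record with placeholder fields.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.2.40 49152 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.2.40 49153 5432 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.3.7 49160 443 6 12 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse(line):
    """Split one record into a dict; return None for malformed lines."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def usable_records(text):
    """Yield parsed records that carry flow data (log-status OK)."""
    for line in text.splitlines():
        record = parse(line)
        if record is not None and record["log_status"] == "OK":
            yield record


def actions_seen(text):
    """Set of actions present. Only ACCEPT over a long window suggests
    the flow log was created with the ACCEPT filter."""
    return {record["action"] for record in usable_records(text)}


def rejected_flows(text):
    """Count REJECT records per (srcaddr, dstaddr, dstport, protocol)."""
    counts = Counter()
    for record in usable_records(text):
        if record["action"] == "REJECT":
            counts[(record["srcaddr"], record["dstaddr"],
                    int(record["dstport"]), int(record["protocol"]))] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("actions seen:", sorted(actions_seen(SAMPLE)))
    for flow, hits in rejected_flows(SAMPLE):
        print(hits, flow)
```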
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.