AWS DevOps Engineer Professional DOP-C01 – Question 326

You have just come from your Chief Information Security Officer's (CISO) office with the instructions to provide an audit report of all AWS network rules used by the organization's Amazon EC2 instances. You have discovered that a single Describe-Security-Groups API call will return all of an account's security groups and rules within a region. You create the following pseudo-code to create the required report:
– Parse "aws ec2 describe-security-groups" output
– For each security group
– Create report of ingress and egress rules
Which two additional pieces of logic should you include to meet the CISO's requirements? (Choose two.)

A. Parse security groups in each region.
B. Parse security groups in each Availability Zone and region.
C. Evaluate VPC network access control lists.
D. Evaluate AWS CloudTrail logs.
E. Evaluate Elastic Load Balancing access control lists.
F. Parse CloudFront access control lists.

Correct Answer: AC
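The report logic with both additions, as an added example that is not part of the original question: it walks every region and reports network ACL entries alongside security group rules. The function names and the `SAMPLE` data are constructed for illustration; in practice each region's JSON would come from `aws ec2 describe-security-groups --region <region>` and `aws ec2 describe-network-acls --region <region>`.

```python
import json

# Constructed sample data, shaped like the AWS CLI JSON output, keyed by region.
SAMPLE = json.loads("""{
 "us-east-1": {
  "SecurityGroups": [{"GroupId": "sg-0aaa",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
  "NetworkAcls": [{"NetworkAclId": "acl-0bbb", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": false,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}}]}]},
 "eu-west-1": {
  "SecurityGroups": [{"GroupId": "sg-0ccc", "IpPermissionsEgress": [],
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "UserIdGroupPairs": [{"GroupId": "sg-0ddd"}]}]}],
  "NetworkAcls": []}}""")

def ports(lo, hi):
    # Rules covering all traffic carry no port fields.
    return "all" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")

def sg_rows(region, groups):
    # Security groups only allow; one row per (rule, peer), peer = CIDR or group id.
    for sg in groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                peers = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                         + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                         + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
                for peer in peers:
                    yield (region, sg["GroupId"], direction, "allow", perm["IpProtocol"],
                           ports(perm.get("FromPort"), perm.get("ToPort")), peer)

def nacl_rows(region, acls):
    # Network ACL entries can allow or deny and are evaluated in rule-number order.
    for acl in acls:
        for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
            pr = e.get("PortRange", {})
            yield (region, acl["NetworkAclId"], "egress" if e["Egress"] else "ingress",
                   e["RuleAction"], e["Protocol"], ports(pr.get("From"), pr.get("To")),
                   e.get("CidrBlock") or e.get("Ipv6CidrBlock"))

def build_report(per_region):
    # One pass per region, covering both rule sources the audit needs.
    rows = []
    for region, data in sorted(per_region.items()):
        rows += sg_rows(region, data["SecurityGroups"])
        rows += nacl_rows(region, data["NetworkAcls"])
    return rows
```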