ExpertHard1 markMultiple Choice
AWS SAP-C02 · Question 49 · Domain 3.2: Security Improvement
An enterprise is refactoring its network security. They want to centrally manage firewall rules across all VPCs and enforce deep packet inspection (DPI) on all outbound internet traffic. Which TWO actions should the architect take? (Select TWO)
An enterprise is refactoring its network security. They want to centrally manage firewall rules across all VPCs and enforce deep packet inspection (DPI) on all outbound internet traffic. Which TWO actions should the architect take? (Select TWO)
Answer options:
A.
Deploy AWS WAF on all NAT Gateways.
B.
Use AWS Firewall Manager to centrally apply policies.
C.
Configure VPC Flow Logs to block malicious traffic.
D.
Deploy AWS Network Firewall in a centralized egress VPC.
E.
Use AWS Shield Advanced to inspect outbound traffic.
F.
Configure Security Groups to perform deep packet inspection.
How to approach this question
Identify the central management tool and the DPI firewall service.
Full Answer
B, D
AWS Network Firewall provides deep packet inspection (DPI) for outbound traffic. AWS Firewall Manager allows you to centrally manage and enforce these firewall rules across your entire AWS Organization.
Common mistakes
Thinking Security Groups or WAF can perform outbound DPI.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6
75 questions · hints · full answers · grading
More questions from this exam
Q01A global enterprise requires highly available hybrid connectivity between its on-premises data ce...HardQ02An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs...HardQ03A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW)...MediumQ04An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global ...HardQ05A company requires that all API calls to Amazon S3 from their VPC must not traverse the public in...Medium