ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company hosts a public-facing web application in a single AWS VPC. An Application Load Balancer in a public subnet forwards traffic to EC2 instances in private subnets. A new compliance requirement states that all inbound and outbound VPC traffic must undergo signature-based inspection and be automatically dropped if it matches known threats, while adding as little latency as possible. Which solution best satisfies this requirement?
Attach AWS WAF managed rule groups to the Application Load Balancer to inspect and block malicious requests.
Enable Amazon GuardDuty in the account and use an AWS Lambda function to revoke offending security-group rules when findings are generated.
Configure VPC Traffic Mirroring from the application subnets to an EC2 instance running Suricata in passive mode for threat detection.
Create a dedicated firewall subnet and deploy AWS Network Firewall, then adjust the VPC's route tables so that all inbound and outbound traffic is routed through the firewall endpoint.
AWS Network Firewall runs as an inline, managed stateful firewall inside a dedicated VPC subnet. By updating the VPC route tables so that all ingress and egress traffic passes through the firewall endpoint, the service can perform signature-based deep packet inspection and intrusion prevention, blocking malicious traffic in real time with millisecond-level latency.
Amazon GuardDuty is a passive threat-detection service; it does not sit inline and therefore cannot immediately drop packets. AWS WAF only inspects HTTP/HTTPS requests terminating on the ALB and cannot see all VPC egress or non-HTTP traffic. VPC Traffic Mirroring copies packets to an out-of-band Suricata sensor for analysis, which can alert but cannot block traffic without additional automation, and introduces extra data transfer costs. Therefore, deploying AWS Network Firewall in a dedicated subnet and routing all traffic through it is the only option that provides mandatory inline intrusion prevention with minimal added latency.
Network and Communication Security