ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security engineer must deploy an intrusion detection capability inside an Amazon VPC that contains two private subnets for application servers and one public subnet for NAT gateways. Compliance requires that all outbound traffic generated by the application servers be inspected, but performance overhead on the traffic path must be minimized. Which approach best satisfies these requirements while aligning with proper network-device placement principles?
Replace the NAT gateways with a self-managed proxy server running the IDS, and configure the private subnet route tables to forward 0.0.0.0/0 through that proxy.
Create an AWS Network Firewall in each private subnet, update the route tables so all egress traffic flows through the firewall, and install the IDS behind it for inspection.
Deploy an interface VPC endpoint to the IDS appliance and require application servers to send outbound traffic through this endpoint for inspection.
Enable VPC Traffic Mirroring on the application servers' elastic network interfaces and direct the mirrored traffic to an IDS appliance in a dedicated monitoring subnet.
VPC Traffic Mirroring copies packets from the application servers' elastic network interfaces (ENIs) to an IDS appliance in a separate monitoring subnet. Because the IDS receives a copy of the traffic rather than sitting in the forwarding path, it operates passively: all outbound traffic is inspected as compliance requires, no latency is added to the data path, and the sensor is not a single point of failure (if it fails, production traffic is unaffected). A mirror filter with an egress rule restricts the copy to outbound traffic, which is all the mandate asks for.

Routing traffic through an inline device, whether an AWS Network Firewall endpoint or a self-managed proxy, would also achieve inspection, but only by placing that device in the data path, where it adds latency, a failure point and operational complexity. Inline placement is the right choice only when traffic must be blocked (an IPS), which this scenario does not require. An interface VPC endpoint cannot be used this way at all: it provides private connectivity to a specific AWS or PrivateLink service, it does not redirect a subnet's general internet egress, and it is not an inspection device.

Practical caveats a practitioner should know: Traffic Mirroring is supported on Nitro-based instance types and only a limited set of older types; mirrored packets are VXLAN-encapsulated and delivered to the target ENI on UDP port 4789, so the IDS's security group must allow UDP 4789 from the application subnets; and mirrored traffic shares the source ENI's bandwidth, with production traffic taking priority, so copies can be dropped under congestion. Mirroring is therefore a detection mechanism, never a substitute for enforcement.
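The following Terraform configuration is an added example (not from the original question or from AWS documentation) showing the pieces the correct answer requires: a mirror target on an IDS ENI in the monitoring subnet, a filter that accepts only egress, one mirror session per application-server ENI, and the VXLAN security-group rule that is easy to forget. The variable names, resource names and the VNI value 100 are assumptions for illustration.

```hcl
# Added example: out-of-band IDS fed by VPC Traffic Mirroring.
# Assumed inputs (hypothetical names): var.vpc_id, var.monitoring_subnet_id,
# var.app_subnet_cidrs, and var.app_eni_ids (ENIs of the application servers).

variable "vpc_id"               { type = string }
variable "monitoring_subnet_id" { type = string }
variable "app_subnet_cidrs"     { type = list(string) }
variable "app_eni_ids"          { type = list(string) }

# Mirrored packets arrive VXLAN-encapsulated on UDP 4789; the IDS ENI's
# security group must admit that from the application subnets.
resource "aws_security_group" "ids_vxlan" {
  name   = "ids-vxlan-in"
  vpc_id = var.vpc_id

  ingress {
    description = "VXLAN-encapsulated mirrored traffic from app subnets"
    protocol    = "udp"
    from_port   = 4789
    to_port     = 4789
    cidr_blocks = var.app_subnet_cidrs
  }
}

# ENI in the dedicated monitoring subnet; the IDS instance attaches it.
resource "aws_network_interface" "ids" {
  subnet_id       = var.monitoring_subnet_id
  security_groups = [aws_security_group.ids_vxlan.id]
}

resource "aws_ec2_traffic_mirror_target" "ids" {
  description          = "Out-of-band IDS sensor"
  network_interface_id = aws_network_interface.ids.id
}

# Filter: copy only egress, which is all the mandate requires.
resource "aws_ec2_traffic_mirror_filter" "egress_only" {
  description = "All outbound traffic from application servers"
}

resource "aws_ec2_traffic_mirror_filter_rule" "all_egress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.egress_only.id
  traffic_direction        = "egress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# One mirror session per application-server ENI. No route table changes:
# the production path through the NAT gateways is untouched.
resource "aws_ec2_traffic_mirror_session" "app" {
  for_each                 = toset(var.app_eni_ids)
  network_interface_id     = each.value
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.ids.id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.egress_only.id
  session_number           = 1    # lowest number wins if several sessions share a source
  virtual_network_id       = 100  # VXLAN VNI the sensor can key on (assumed value)
}
```

Because the copies arrive as VXLAN, the sensor on the IDS instance must be configured to decode VXLAN on UDP 4789 (Suricata and Zeek both support this) before it sees the inner application packets. Note that the application servers' route tables are never modified, which is the point: inspection is added without touching the forwarding path.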
Network and Communication Security