ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security engineer must ensure that Linux instances in two private VPC subnets can download updates from the vendor site repo.example.com over HTTPS while all other outbound Internet traffic from those subnets is blocked. Which AWS preventative control offers the simplest, scalable way to meet this requirement with minimal ongoing administration and cost?
Create an interface VPC endpoint for Amazon S3 and write an endpoint policy that allows connections exclusively to repo.example.com.
Enable Amazon GuardDuty and configure findings to alert on any outbound traffic to domains other than repo.example.com.
Deploy AWS Network Firewall in the VPC and create a stateful domain-list rule group that permits only repo.example.com and blocks all other outbound traffic.
Replace the NAT Gateway with a NAT instance and configure custom iptables rules to permit only the repository's IP addresses.
AWS Network Firewall is a managed, highly available service that lets administrators create stateful rule groups, including domain-list rules that allow or deny traffic based on fully qualified domain names (for HTTPS, the domain is matched against the TLS Server Name Indication, so no decryption is needed). By deploying a firewall endpoint in the VPC's egress path and allow-listing only repo.example.com while blocking all other destinations, the engineer enforces the policy before traffic leaves the private subnets. A VPC endpoint policy applies only to AWS services, so it cannot restrict access to an external vendor site. A NAT instance can be customized with iptables, but that requires continuous patching and scaling management, increasing operational overhead and cost. Amazon GuardDuty provides threat detection and alerting after the fact and is therefore a detective, not a preventative, control.