ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company runs several microservices on Amazon EC2 instances in multiple VPCs connected through an AWS Transit Gateway. Security leaders require a centrally managed control that can inspect both north-south and east-west traffic, detect known malicious patterns, and automatically drop matching packets before they reach the instances. The solution must avoid per-host agents and update its signatures without manual intervention. Which option best meets these requirements?
Mirror all VPC traffic to an EC2 host running Suricata and forward alerts to AWS Security Hub for investigation.
Enable Amazon GuardDuty in each account and configure EventBridge rules that automatically isolate offending instances.
Deploy AWS Network Firewall in a dedicated security VPC and manage rule groups across accounts with AWS Firewall Manager, routing all VPC traffic through the firewall.
Attach AWS WAF web ACLs to the Application Load Balancers that front each microservice.
AWS Network Firewall is a managed, stateful network-layer firewall that supports Suricata-compatible intrusion detection and prevention rules. Because it operates inline, it can block malicious packets in real time rather than merely alerting. Deploying the service in a dedicated inspection VPC and using AWS Firewall Manager lets administrators push rule groups centrally and route traffic from multiple VPCs (via Transit Gateway) through the firewall, satisfying the requirement for centralized management. GuardDuty, VPC traffic mirroring with an EC2 sensor, and AWS WAF all provide detection or application-layer filtering only, or require post-processing automation to quarantine resources; none of them perform inline prevention at the network layer.