AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct solution is to use AWS Network Firewall in a centralized inspection VPC, with AWS Transit Gateway routing traffic through it, and AWS Firewall Manager for policy administration.

• AWS Network Firewall with Transit Gateway: This combination creates a centralized inspection point for all traffic flows (East-West between VPCs, and North-South to/from the internet and on-premises networks). By routing all traffic from spoke VPCs through an inspection VPC that contains Network Firewall endpoints, the company can enforce consistent security policies on all traffic passing through the Transit Gateway. This architecture is a standard AWS pattern for centralized network security.

• AWS Firewall Manager: This service is designed to centrally configure and manage firewall rules across multiple accounts and resources within an AWS Organization. By using Firewall Manager, the central security team can create a single set of Network Firewall policies and apply them hierarchically and consistently across all required VPCs, meeting the central management requirement.

The other options are incorrect for the following reasons:

• Using AWS WAF is incorrect because WAF is a web application firewall that operates at Layer 7 to protect against web exploits like SQL injection. It cannot inspect all network traffic types, such as non-HTTP/HTTPS protocols or general inter-VPC traffic.
• Relying solely on security groups and NACLs is incorrect because these are decentralized controls managed on a per-VPC/subnet basis. This approach does not provide true deep packet inspection and creates significant operational overhead for central management at scale.
• Using Amazon GuardDuty and Amazon Detective is incorrect because these are threat detection and investigation services, respectively. GuardDuty analyzes logs to identify malicious activity but does not actively filter or block network traffic based on configured rules, which is the core requirement.