Q49 — AWS ANS-C01 Ch.1


A consulting company manages AWS accounts for its customers. One of the company's customers needs to add intrusion prevention for its environment without having to re-architect the environment. The customer's environment includes five VPCs in two AWS Regions in the United States. VPC-to-VPC connectivity is achieved through VPC peering. The customer does not plan to increase the number of VPCs within the next 2 years. The solution must accommodate unencrypted traffic. Which solution will meet these requirements?

Correct Answer: C. Use an AWS Network Firewall distributed deployment model in each VPC.

Explanation

Answer C is correct. The customer has five VPCs across two Regions in the United States, connected by VPC peering, with no growth in VPC count expected for the next two years. Intrusion prevention must be added without re-architecting, and the traffic to be inspected is unencrypted. The AWS Network Firewall distributed deployment model places a firewall, with its own firewall subnet and endpoint, in each VPC, so protection is added by pointing each VPC's route tables at its firewall endpoint while the existing peering connections stay as they are. The stateful engine runs Suricata-compatible rules; with drop actions in strict rule order it acts as an IPS rather than an alert-only IDS, and it inspects unencrypted traffic directly, which matches the stated requirement. Option A (security groups and network ACLs) only allows or denies traffic by address, protocol and port and offers no signature-based intrusion prevention. Option B (a centralized deployment model) sends all VPC traffic through an inspection VPC, which requires a transit gateway rather than VPC peering (peering is not transitive), so it would mean re-architecting the connectivity in both Regions. Option D (AWS Shield) protects against DDoS and does not provide intrusion prevention. C is therefore the correct choice.
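The following Terraform configuration is an added illustration of the distributed model described above; it is not part of the question bank or of any AWS reference architecture, and every name, VPC/subnet/route-table ID and CIDR in it is an assumption. It builds one IPS rule group and one firewall policy, then one firewall per VPC from a map of VPCs, and routes each workload subnet's traffic through that VPC's firewall endpoint. Only one Region is shown; the second Region needs a provider alias and a second copy of the firewall and route resources, because Network Firewall is a regional service.

```hcl
# Constructed sample input: one entry per VPC to protect in this Region.
# IDs are placeholders, not real resources.
variable "protected_vpcs" {
  type = map(object({
    vpc_id                  = string
    firewall_subnet_id      = string # dedicated subnet for the firewall endpoint
    workload_route_table_id = string # route table of the subnet being protected
  }))
  default = {
    "vpc-a" = {
      vpc_id                  = "vpc-0a000000000000001"
      firewall_subnet_id      = "subnet-0a000000000000001"
      workload_route_table_id = "rtb-0a000000000000001"
    }
    "vpc-b" = {
      vpc_id                  = "vpc-0b000000000000002"
      firewall_subnet_id      = "subnet-0b000000000000002"
      workload_route_table_id = "rtb-0b000000000000002"
    }
  }
}

# Stateful rule group in Suricata syntax. STRICT_ORDER makes "drop" rules
# take effect as written, which is what turns the firewall from an IDS
# (alert only) into an IPS. Rules match cleartext payloads; TLS payloads
# are opaque to them unless a separate TLS inspection configuration is added.
resource "aws_networkfirewall_rule_group" "ips" {
  capacity = 100
  name     = "ips-distributed"
  type     = "STATEFUL"
  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rules_source {
      rules_string = <<-EOT
        drop http any any -> any any (msg:"Block path traversal in URI"; http.uri; content:"../"; sid:1000001; rev:1;)
        drop tcp any any -> any 23 (msg:"Block cleartext telnet"; sid:1000002; rev:1;)
      EOT
    }
  }
}

# One policy shared by every firewall, so all VPCs enforce the same ruleset.
resource "aws_networkfirewall_firewall_policy" "ips" {
  name = "ips-distributed"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.ips.arn
    }
  }
}

# Distributed model: a firewall inside each VPC, in that VPC's firewall subnet.
resource "aws_networkfirewall_firewall" "per_vpc" {
  for_each            = var.protected_vpcs
  name                = "fw-${each.key}"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.ips.arn
  vpc_id              = each.value.vpc_id
  subnet_mapping {
    subnet_id = each.value.firewall_subnet_id
  }
}

# Endpoint ID of each firewall (single-AZ, so exactly one sync state).
locals {
  fw_endpoint = {
    for k, fw in aws_networkfirewall_firewall.per_vpc :
    k => one([for s in fw.firewall_status[0].sync_states : s.attachment[0].endpoint_id])
  }
}

# Insert the firewall into the data path without touching peering: the
# workload subnet's default route now goes to the firewall endpoint.
resource "aws_route" "workload_to_fw" {
  for_each               = var.protected_vpcs
  route_table_id         = each.value.workload_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.fw_endpoint[each.key]
}
```

To inspect the peered VPC-to-VPC traffic as well, add routes for each peer CIDR in the workload route table that point at the firewall endpoint, and routes for the same CIDRs in the firewall subnet's route table that point at the existing peering connection; an ingress route table associated with the internet gateway completes the picture for inbound traffic. None of this changes the peering topology, which is why the distributed model meets the no-re-architecture requirement while a centralized inspection VPC would not.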