Q44 — AWS SAA-C03 Ch.5
Q344. A solutions architect must secure a VPC network that hosts Amazon EC2 instances. The EC2 instances contain highly sensitive data and run in a private subnet. According to company policy, the EC2 instances that run in the VPC can access only approved third-party software repositories on the internet for software product updates that use the third party's URL. Other internet traffic must be blocked. Which solution meets these requirements?
- A. Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups. ✓
- B. Set up an AWS WAF web ACL. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
- C. Implement strict inbound security group rules. Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs.
- D. Configure an Application Load Balancer (ALB) in front of the EC2 instances. Direct all outbound traffic to the ALB. Use a URL-based rule listener in the ALB's target group for outbound access to the internet.
Correct Answer: A. Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups.
Explanation
Option A: Updating the route table for the private subnet to route outbound traffic to an AWS Network Firewall firewall and configuring domain list rule groups meets the requirement of allowing access only to approved third-party software repositories while blocking all other internet traffic. Domain list rule groups let you define allow rules based on the domain names (URLs) of the software repositories and block every other outbound connection.

Option B: Setting up an AWS WAF web ACL with custom rules that filter requests based on source and destination IP address range sets does not meet the requirement, because it does not consider the URLs of the software repositories. IP address sets cannot express "only this third party's URL".

Option C: Implementing strict inbound security group rules and configuring an outbound rule that allows traffic only to the authorized software repositories by specifying the URLs is a good solution in principle, but it is not as effective as AWS Network Firewall domain list rule groups. Security group rules match on IP address or CIDR range, port and protocol rather than on domain names, so the domain list rule groups give more granular control over outbound traffic.

Option D: Configuring an Application Load Balancer (ALB) in front of the EC2 instances and directing all outbound traffic to the ALB with a URL-based rule listener does not meet the requirement, because it does not consider the URLs of the software repositories for outbound access. An ALB distributes inbound requests to targets; it is not an egress control point for the instances' own internet traffic.

Therefore, option A is the best solution for securing the VPC network that hosts the Amazon EC2 instances: it allows access only to the approved third-party software repositories on the internet while blocking all other internet traffic.