Q73 — AWS SCS-C02 Ch.1


A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet. To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances. What should the security engineer do next?

Correct Answer: C. Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Explanation

Among AWS services, VPC Traffic Mirroring allows the network traffic of specified EC2 instances to be copied and forwarded to a monitoring tool, which fits scenarios that require deep packet inspection. VPC Flow Logs record only metadata and cannot satisfy a requirement for full packet inspection. Promiscuous mode in an AWS VPC is constrained by security groups and network ACLs and cannot directly capture traffic that is not addressed to the instance. Amazon Inspector is intended primarily for automated security assessments rather than real-time inspection of all traffic. The correct approach is to use VPC Traffic Mirroring to copy the traffic to the monitoring instance, with an NLB handling distribution. The answer matches the AWS documentation on the intended uses of VPC Traffic Mirroring: deep inspection and compliance scenarios.