AWS Certified SysOps Administrator SOA-C01 – Question477

You have been asked to design a layered security solution for protecting your organization's network infrastructure. You research several options and decide to deploy a network-level security control appliance, inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server. Which of the following is NOT considered an inline threat protection technology?

A. Intrusion prevention systems
B. Third-party firewall devices installed on Amazon EC2 instances
C. Data loss management gateways
D. Augmented security groups with Network ACLs

Correct Answer: D

Explanation:

Many organizations consider layered security to be a best practice for protecting network infrastructure. In the cloud, you can use a combination of Amazon VPC, implicit firewall rules at the hypervisor layer, alongside network access control lists, security groups, host-based firewalls, and IDS/IPS systems to create a layered solution for network security. While security groups, NACLs and host-based firewalls meet the needs of many customers, if you're looking for defense in depth, you should deploy a network-level security control appliance, and you should do so inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server.

Examples of inline threat protection technologies include the following:

Third-party firewall devices installed on Amazon EC2 instances (also known as soft blades)
Unified threat management (UTM) gateways
Intrusion prevention systems
Data loss management gateways
Anomaly detection gateways
Advanced persistent threat detection gateways

Reference: https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf