AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 177

A company wants to use an AWS Network Firewall firewall to secure its workloads in the cloud through network traffic inspection. The company must record complete metadata information, such as source/destination IP addresses and protocol type. The company must also record all network traffic flows and any DROP or ALERT actions that the firewall takes for traffic that the firewall processes. The Network Firewall endpoints are placed in the correct subnets, and the VPC route tables direct traffic to the Network Firewall endpoints on the path to and from the internet.

How should a network engineer configure the firewall to meet these requirements?

Answer options

Correct answer: C

Explanation

The correct answer is C because it sends all traffic through the stateful engine and configures Network Firewall logging for both alert logs and flow logs, with a destination selected for each. The stateful engine matters here because Network Firewall generates logs only for traffic that the stateful rules engine processes: flow logs record the metadata of every flow the engine handles (source and destination IP addresses, ports, and protocol), and alert logs record the traffic that matched a rule with an ALERT or DROP action. Option A does not address the logging configuration at all. Option B does not require the stateful engine, so traffic handled only by the stateless engine would never appear in the logs. Option D suggests VPC flow logs in place of the Network Firewall's own logging; VPC flow logs capture interface-level traffic metadata but do not record the firewall's rule actions.
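The following is an added example, not part of the exam page and not AWS's own code. It builds the two pieces of configuration the explanation calls for (a firewall policy whose stateless default actions forward everything to the stateful engine, and a logging configuration with a destination for both the FLOW and ALERT log types) and checks them with small validator functions. The firewall name, bucket, log group and rule-group ARN are placeholders; the key names (`StatelessDefaultActions`, `LogDestinationConfigs`, `bucketName`, `logGroup`) follow the real Network Firewall API shapes.

```python
"""Build and validate an AWS Network Firewall policy and logging configuration
that route all traffic through the stateful engine and log FLOW and ALERT events.

Added example (not from the exam page or from AWS). FIREWALL_NAME, the bucket,
the log group and the rule-group ARN are placeholders.
"""

# Stateless default action that hands packets (and fragments) to the stateful
# engine. Network Firewall only generates logs for the stateful engine, so a
# stateless "aws:pass" or "aws:drop" default would keep that traffic out of
# the logs entirely.
FORWARD_TO_STATEFUL = "aws:forward_to_sfe"

FIREWALL_NAME = "example-firewall"  # placeholder
RULE_GROUP_ARN = "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/PLACEHOLDER"

REQUIRED_LOG_TYPES = {"FLOW", "ALERT"}


def build_firewall_policy(rule_group_arn: str = RULE_GROUP_ARN) -> dict:
    """Policy fragment: every packet and every fragment goes to the stateful engine."""
    return {
        "StatelessDefaultActions": [FORWARD_TO_STATEFUL],
        "StatelessFragmentDefaultActions": [FORWARD_TO_STATEFUL],
        "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn}],
    }


def build_logging_configuration(bucket: str, log_group: str) -> dict:
    """Logging configuration with one destination per required log type.

    FLOW  -> all stateful flows with their 5-tuple metadata (to S3 here).
    ALERT -> traffic that matched a rule with the alert or drop action
             (to CloudWatch Logs here, where it is convenient to alarm on).
    """
    return {
        "LogDestinationConfigs": [
            {
                "LogType": "FLOW",
                "LogDestinationType": "S3",
                "LogDestination": {"bucketName": bucket, "prefix": "network-firewall/flow"},
            },
            {
                "LogType": "ALERT",
                "LogDestinationType": "CloudWatchLogs",
                "LogDestination": {"logGroup": log_group},
            },
        ]
    }


def logging_gaps(logging_config: dict) -> set:
    """Return the required log types that have no destination configured."""
    present = set()
    for cfg in logging_config.get("LogDestinationConfigs", []):
        if cfg.get("LogDestination"):
            present.add(cfg.get("LogType"))
    return REQUIRED_LOG_TYPES - present


def stateless_bypass(policy: dict) -> list:
    """Return the stateless default-action settings that would keep traffic
    away from the stateful engine, and therefore out of the logs."""
    bad = []
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if FORWARD_TO_STATEFUL not in policy.get(key, []):
            bad.append(key)
    return bad


def meets_requirements(policy: dict, logging_config: dict) -> bool:
    """True when all traffic reaches the stateful engine and both log types have a sink."""
    return not logging_gaps(logging_config) and not stateless_bypass(policy)


def apply_logging(client, firewall_name: str, logging_config: dict) -> None:
    """Push the logging configuration with UpdateLoggingConfiguration.

    The API accepts only one added or removed destination per call, so the
    desired configuration is applied cumulatively, one destination at a time.
    """
    configs = logging_config["LogDestinationConfigs"]
    for i in range(1, len(configs) + 1):
        client.update_logging_configuration(
            FirewallName=firewall_name,
            LoggingConfiguration={"LogDestinationConfigs": configs[:i]},
        )


if __name__ == "__main__":
    policy = build_firewall_policy()
    logging_config = build_logging_configuration("example-nfw-logs", "/example/network-firewall/alert")
    assert meets_requirements(policy, logging_config)
    import boto3  # only needed for the live call; placeholders above must be replaced first
    apply_logging(boto3.client("network-firewall"), FIREWALL_NAME, logging_config)
```

Before running against a real account, replace the placeholders, make sure the S3 bucket policy and log-group resource policy allow the Network Firewall service to write, and attach the policy with `CreateFirewallPolicy` or `UpdateFirewallPolicy`; the validators are there so a misconfiguration (a stateless `aws:pass` default, or only one log type configured) is caught before the change is applied.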