AWS Certified Security – Specialty (SCS-C02) — Question 102

A systems engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.

What configuration is necessary to allow the virtual security appliance to route the traffic?

Answer options

• A. Disable network ACLs.
• B. Configure the security appliance's elastic network interface for promiscuous mode.
• C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
• D. Place the security appliance in the public subnet with the internet gateway.

Correct answer: C

Explanation

The correct answer is C because disabling the Network Source/Destination check on the elastic network interface allows the virtual security appliance to route traffic properly. Options A and B do not address the specific routing requirements, while D incorrectly assumes that placing the appliance in a public subnet is sufficient for routing without addressing the source/destination check.