AWS Certified Security – Specialty — Question 38
A company requires that IP packet data be inspected for invalid or malicious content.
Which of the following approaches achieve this requirement? (Choose two.)
Answer options
- A. Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
- B. Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
- C. Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
- D. Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
- E. Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
Correct answer: A, B
Explanation
Options A and B are correct because both place an inspection point in the data path: the proxy on Amazon EC2 sees the full payload of the outbound traffic routed through it, and a host-based agent sees the packets each instance sends and receives, so either can analyze content for invalid or malicious elements. Options C, D, and E are incorrect because they work from log data rather than from the packets themselves: VPC Flow Logs record only connection metadata (addresses, ports, protocol, byte and packet counts), and ELB access logs and the CloudWatch Logs agent capture request or application log entries, none of which contain the packet payload needed for content inspection.