AWS Certified Security – Specialty — Question 65
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?
Answer options
- A. Disable network ACLs.
- B. Configure the security appliance's elastic network interface for promiscuous mode.
- C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
- D. Place the security appliance in the public subnet with the internet gateway.
Correct answer: C
Explanation
The correct answer is C because disabling the Network Source/Destination check allows the virtual security appliance to route traffic that is not directly addressed to it, which is essential for inline deployments. Option A is incorrect as disabling network ACLs removes an essential layer of security. Option B is not necessary for routing traffic and may expose the appliance to security risks. Option D does not address the routing configuration needed for the appliance to function correctly.