AWS Certified Solutions Architect – Associate (SAA-C02) — Question 700

A company recently migrated to AWS and wants to implement a solution to protect the traffic that flows in and out of the production VPC. The company had an inspection server in its on-premises data center. The inspection server performed specific operations such as traffic flow inspection and traffic filtering. The company wants to have the same functionalities in the AWS Cloud.
Which solution will meet these requirements?

Answer options

• A. Use Amazon GuardDuty for traffic inspection and traffic filtering in the production VPC
• B. Use Traffic Mirroring to mirror traffic from the production VPC for traffic inspection and filtering.
• C. Use AWS Network Firewall to create the required rules for traffic inspection and traffic filtering for the production VPC.
• D. Use AWS Firewall Manager to create the required rules for traffic inspection and traffic filtering for the production VPC.

Correct answer: C

Explanation

AWS Network Firewall is a managed service that provides active, inline traffic inspection, intrusion prevention, and filtering for VPCs. AWS Firewall Manager is a administration tool used to centrally configure and deploy rules, but it does not perform the inspection itself. Amazon GuardDuty is a threat detection service rather than an inline filtering solution, and Traffic Mirroring is designed for out-of-band monitoring rather than inline prevention.