AWS Certified Solutions Architect – Associate (SAA-C03) — Question 313
A solutions architect must secure a VPC network that hosts Amazon EC2 instances. The EC2 instances contain highly sensitive data and run in a private subnet. According to company policy, the EC2 instances that run in the VPC can access only approved third-party software repositories on the internet for software product updates that use the third party’s URL. Other internet traffic must be blocked.
Which solution meets these requirements?
Answer options
- A. Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups.
- B. Set up an AWS WAF web ACL. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
- C. Implement strict inbound security group rules. Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs.
- D. Configure an Application Load Balancer (ALB) in front of the EC2 instances. Direct all outbound traffic to the ALB. Use a URL-based rule listener in the ALB’s target group for outbound access to the internet.
Correct answer: A
Explanation
AWS Network Firewall supports stateful domain list rule groups. The firewall matches the domain name carried in the HTTP Host header of plaintext HTTP requests and in the TLS Server Name Indication (SNI) extension of HTTPS handshakes, so it can allow only the approved repository domains (the host portion of the third party's URL) and drop other HTTP and HTTPS traffic without decrypting it. To put the firewall in the path, the private subnet's default route points at the firewall endpoint (which sits in its own subnet), the firewall subnet routes to the NAT gateway, and the NAT gateway's subnet routes return traffic for the private subnet CIDR back to the firewall endpoint.

Two caveats apply when this is deployed. A domain list allowlist only generates rules for the HTTP and TLS traffic it inspects, so egress on other protocols needs a stateful default drop (or explicit drop rules) before "other internet traffic must be blocked" is actually true. And a domain match does not look at URL paths, so the policy is enforced at the granularity of the repository hostname, not the full URL.

Security groups filter on protocol, port and source/destination (CIDR blocks, prefix lists or other security groups). They cannot reference domain names or URLs, and repository IP addresses behind a CDN change, so option C cannot be implemented as described. AWS WAF attaches to resources such as a CloudFront distribution, an Application Load Balancer or an API Gateway stage and inspects inbound HTTP(S) requests to them; an ALB likewise distributes inbound traffic to its targets. Neither acts as a forward proxy or egress filter for traffic leaving the instances, so options B and D do not meet the requirement.
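The following Terraform is an added illustration of what option A looks like in practice; it is not part of the original question and not AWS-published code. The VPC CIDR, the variables `var.vpc_id`, `var.firewall_subnet_id` and `var.private_route_table_id`, and the repository domains are placeholders to be replaced with the real values.

```hcl
# Added example of option A. Placeholders: var.vpc_id, var.firewall_subnet_id,
# var.private_route_table_id, the 10.0.0.0/16 CIDR and the *.example.* domains.

resource "aws_networkfirewall_rule_group" "approved_repos" {
  name     = "approved-repos"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["10.0.0.0/16"] # assumption: CIDR of the protected VPC
        }
      }
    }

    rules_source {
      rules_source_list {
        # ALLOWLIST: pass HTTP/TLS to the listed domains, drop other HTTP/TLS.
        generated_rules_type = "ALLOWLIST"
        # Match both the plaintext HTTP Host header and the TLS SNI.
        target_types = ["HTTP_HOST", "TLS_SNI"]
        # A leading dot matches the domain and all of its subdomains.
        # Placeholder names; substitute the approved vendors' repository hosts.
        targets = [".repo.example.com", ".mirror.example.net"]
      }
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "egress-allowlist"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    # The domain list only generates rules for HTTP and TLS. Dropping every
    # established flow the stateful engine did not explicitly pass blocks other
    # protocols too, while still letting the TCP handshake complete so the
    # firewall can read the SNI before deciding. Alerts log what was dropped.
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]

    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.approved_repos.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "egress" {
  name                = "egress-firewall"
  vpc_id              = var.vpc_id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn

  # The firewall endpoint lives in its own subnet, not in the private subnet.
  subnet_mapping {
    subnet_id = var.firewall_subnet_id
  }
}

# Private subnet: send all internet-bound traffic to the firewall endpoint.
# The firewall subnet's route table then points 0.0.0.0/0 at the NAT gateway,
# and the NAT gateway subnet routes the private subnet CIDR back through the
# endpoint so return traffic is inspected as well.
resource "aws_route" "private_to_firewall" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id = one([
    for state in aws_networkfirewall_firewall.egress.firewall_status[0].sync_states :
    state.attachment[0].endpoint_id
  ])
}
```

After applying, a quick check from an instance is `curl -sI https://repo.example.com` succeeding while `curl -sI https://www.example.org` and an outbound `ssh` to any internet host time out; the alert entries for the dropped flows appear in the firewall's logging destination if logging is enabled on the firewall.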