AWS Certified Solutions Architect – Professional — Question 459

You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the Internet.
Which of the following options would you consider? (Choose two.)

Answer options

• A. Implement IDS/IPS agents on each Instance running in VPC
• B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
• C. Implement Elastic Load Balancing with SSL listeners in front of the web applications
• D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

Correct answer: A, D

Explanation

In an AWS VPC, promiscuous mode is not supported on network interfaces, which rules out option B. Elastic Load Balancing with SSL listeners (option C) handles encryption but does not perform intrusion detection or prevention. Thus, deploying host-based IDS/IPS agents directly on the application instances (option A) or on a reverse proxy layer (option D) are the correct approaches to inspect and protect incoming traffic.