AWS Certified SysOps Administrator – Associate (legacy) — Question 482
You have been asked to design a layered security solution for protecting your organization's network infrastructure. You research several options and decide to deploy a network-level security control appliance, inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server. Which of the following is NOT considered an inline threat protection technology?
Answer options
- A. Intrusion prevention systems
- B. Third-party firewall devices installed on Amazon EC2 instances
- C. Data loss management gateways
- D. Augmented security groups with Network ACLs
Correct answer: D
Explanation
AWS Security Groups and Network ACLs are built-in, non-inline packet filtering mechanisms: they allow or deny traffic at the instance (hypervisor) and subnet levels based on header fields, rather than acting as dedicated inline appliances that intercept, analyze, and forward traffic. In contrast, Intrusion Prevention Systems, third-party firewalls on EC2, and data loss management gateways are active inline technologies that inspect traffic payloads prior to delivery. Thus, security groups and Network ACLs do not qualify as inline threat protection appliances.