Exam AWS Certified Solutions Architect - Professional topic 1 question 4 discussion

So i googled and found this on A nother Cloud G u r u site: B is the correct answer. The key line of the question is - "thousands of instances running in the VPC" . Option C does not confirm that the incoming traffic is passed through the IDS/IPS before reaching the host, which is one of the primary feature/requirement of any IDS/IPS. THe traffic will need to pass through the IDS so that any vulnerability could be assessed. Moreover in Option C, you can not expect to manage thousands and thousands of Servers through host based routing. Option A is invalid as promiscuous mode is not supported in AWS. Option D does not meet the IPS requirement and moreover although it can perform IDS activities but again it is not a scalable solution. SO, OPTION B is the correct ANSWER.

I will go for "B" as this is how IDS/IPS are being deploy. "D" not possible as this will create additional CPU workload which should be prevent.

D is the correct answer

B. Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.

Its says within a VPC . So best option is D . configuring each host with an agent that collects and sends network traffic to a centralized IDS/IPS platform (option D) is the best approach for achieving scalable and effective intrusion detection and prevention in a VPC

Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

Answer: b

It has to be 'B'

By creating a second VPC and routing all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides. By separating the IDS/IPS platform into its own VPC, you can control the network traffic flow and apply security measures effectively. This architecture allows for scalability by handling the traffic from the primary application VPC through the dedicated IDS/IPS VPC, where the virtualized IDS/IPS platform can analyze and monitor the traffic.

B is correct

A. Not scalable B. Doable, C. Traffic reaches the hosts before IDS/IPS processing, IDS may be okay but not IPS D. The same issue as C, and scalability is not mentioned. So my choice is C

Only B can be the right answer, IDS/IPS must analyze traffic BEFORE the traffic reach the instance

B... Security Team need a clean room or network for IDS/IPS.. Seperate VPC is the answer

B, Gateway Load Balancer is needed https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html

B. There was a similar question and its answer was such as B.

There's same question at official exam from AWS.

D --> This architecture is better suited for HIPAA compliance customers where they make use of the Gateway Load balancer. CISCO NGFW integration with Gateway Load Balancer is a classic example for this type of scenario.