You are designing a data leak prevention solution for your VPC environment.
You want your VPC instances to be able to access software depots and distributions on the Internet for product updates. The depots and distributions are accessible via third-party CDNs by their URLs.
You want to explicitly deny any other outbound connections from your VPC instances to hosts on the Internet.
Which of the following options would you consider?
A. Implement security groups and configure outbound rules to only permit traffic to software depots.
B. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default routes.
C. Implement network access control lists to allow specific destinations, with an implicit deny-all rule.
D. Move all your instances into private VPC subnets. Remove default routes from all routing tables and add specific routes to the software depots and distributions only.
Explanation:
Organizations usually implement proxy solutions to provide URL and web content filtering, IDS/IPS, data loss prevention, monitoring, and advanced threat protection.
https://d0.awsstatic.com/aws-answers/Controlling_VPC_Egress_Traffic.pdf
The answer should be “B”, because the instances access the depots by URL (hostnames served from CDNs), not by fixed IP addresses.
A NACL would be a good option if we worked with IP addresses.
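The following Python example is added here to illustrate the distinction the explanation draws; it is not from the question bank or from the AWS document linked above. It implements the host-suffix allowlist decision a URL-filtering egress proxy (option B) would apply to each request, and contrasts it with a CIDR allowlist of the kind a NACL (option C) expresses. All hostnames, CIDRs, resolved addresses and log lines are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed allowlist of software depot / CDN domains. A host matches if it
# equals the domain or is a subdomain of it (mirror1.cdn.example.net matches).
ALLOWED_DOMAIN_SUFFIXES = ("depot.example.com", "cdn.example.net")
ALLOWED_SCHEMES = {"http", "https"}

# Constructed CIDR allowlist, standing in for what a NACL could express.
ALLOWED_CIDRS = [ip_network("203.0.113.0/24")]

# Constructed observation: the same CDN hostname answering from edges in
# different address blocks over time (assumed behaviour for the example).
OBSERVED_CDN_RESOLUTIONS = {
    "cdn.example.net": ["203.0.113.10", "198.51.100.7"],
    "depot.example.com": ["203.0.113.25"],
}

# Constructed proxy request lines: "<client-ip> <method> <url>".
SAMPLE_REQUESTS = [
    "10.0.1.5 GET https://depot.example.com/updates/pkg-1.2.tgz",
    "10.0.1.5 CONNECT https://mirror1.cdn.example.net:443/",
    "10.0.1.9 GET https://depot.example.com.attacker.test/exfil",
    "10.0.1.9 GET https://user@depot.example.com@attacker.test/",
    "10.0.1.9 GET ftp://depot.example.com/pub/",
]


def is_allowed_url(url):
    """URL-based rule: permit only http(s) to an allowlisted domain or subdomain."""
    parts = urlsplit(url)            # lowercases scheme and hostname for us
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # .hostname strips userinfo and port; the right-most '@' wins, so
    # "user@depot.example.com@attacker.test" resolves to attacker.test.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    # Suffix match with a leading dot so "depot.example.com.attacker.test"
    # is NOT treated as a subdomain of depot.example.com.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAIN_SUFFIXES)


def is_allowed_ip(ip):
    """IP-based rule: permit only destinations inside an allowlisted CIDR."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_CIDRS)


def decide_requests(lines):
    """Apply the URL rule to proxy request lines; returns [(url, 'ALLOW'|'DENY'), ...]."""
    decisions = []
    for line in lines:
        _client, _method, url = line.split(" ", 2)
        decisions.append((url, "ALLOW" if is_allowed_url(url) else "DENY"))
    return decisions


def ip_policy_gaps(resolutions):
    """Hosts the URL policy permits whose observed addresses a CIDR allowlist would block.

    A non-empty result is the case the explanation describes: the depot is
    reachable by URL, but its CDN addresses do not stay inside one CIDR.
    """
    gaps = {}
    for host, ips in resolutions.items():
        if is_allowed_url("https://" + host + "/"):
            blocked = [ip for ip in ips if not is_allowed_ip(ip)]
            if blocked:
                gaps[host] = blocked
    return gaps


if __name__ == "__main__":
    for url, verdict in decide_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {url}")
    print("hosts an IP allowlist would partially block:", ip_policy_gaps(OBSERVED_CDN_RESOLUTIONS))
```

The two deny cases worth noting are the look-alike suffix (`depot.example.com.attacker.test`) and the userinfo trick (`user@depot.example.com@attacker.test`); a naive substring check would allow both, which is why the rule matches on the parsed hostname with a leading-dot suffix rather than on the raw URL string.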