
Amazon ANS-C01: How to Efficiently Deploy and Manage Network Security on AWS for Hosting External Websites?

Learn the most operationally efficient solution for deploying Network Firewall, AWS WAF, and VPC security groups on AWS when hosting external websites. Discover how to centrally manage policies and prevent overly permissive access.


Question

A company is planning to host external websites on AWS. The websites will include multiple tiers such as web servers, application logic services, and databases. The company wants to use AWS Network Firewall, AWS WAF, and VPC security groups for network security.

The company must ensure that the Network Firewall firewalls are deployed appropriately within relevant VPCs. The company needs the ability to centrally manage policies that are deployed to Network Firewall and AWS WAF rules. The company also needs to allow application teams to manage their own security groups while ensuring that the security groups do not allow overly permissive access.

What is the MOST operationally efficient solution that meets these requirements?

A. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use CloudFormation to update the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.
B. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use the AWS Management Console or the AWS CLI to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to invoke an AWS Lambda function to evaluate the configured rules and remove any overly permissive rules.
C. Deploy AWS WAFv2 IP sets and AWS WAFv2 web ACLs with AWS CloudFormation. Use AWS Firewall Manager to deploy Network Firewall firewalls and VPC security groups where required and to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups.
D. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use AWS Firewall Manager to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.

Answer

The most operationally efficient solution that meets the stated requirements is:

D. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use AWS Firewall Manager to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.

Explanation

Defining the network security components as code with CloudFormation lets them be provisioned in a repeatable, automated way. CloudFormation can deploy the Network Firewall firewalls into the appropriate VPCs and set up the initial AWS WAF web ACLs, Network Firewall policies, and VPC security groups.
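As an added illustration (not part of the original question or its explanation), the CloudFormation template below defines the components the explanation names for one web tier: a Network Firewall rule group and policy, the firewall endpoint in a dedicated subnet, a regional WAFv2 web ACL built on an AWS managed rule group, and a web-tier security group that admits HTTPS only from the load balancer's security group. VPC, subnet and load-balancer security group IDs are parameters, and the allowlisted domain is a placeholder, because the page gives none of these values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - web tier network security defined as code (placeholder IDs)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  FirewallSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Dedicated subnet for the Network Firewall endpoint
  AlbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the load balancer in front of the web tier

Resources:
  # Stateful rule group: outbound TLS/HTTP from the web tier may reach only
  # the allowlisted domains (".example.com" is a placeholder for this example).
  EgressAllowlistRuleGroup:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: web-egress-allowlist
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RulesSource:
          RulesSourceList:
            GeneratedRulesType: ALLOWLIST
            TargetTypes:
              - TLS_SNI
              - HTTP_HOST
            Targets:
              - ".example.com"

  # Firewall policy: all stateless traffic is forwarded to the stateful
  # engine, which applies the allowlist rule group above.
  WebFirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: web-firewall-policy
      FirewallPolicy:
        StatelessDefaultActions:
          - "aws:forward_to_sfe"
        StatelessFragmentDefaultActions:
          - "aws:forward_to_sfe"
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref EgressAllowlistRuleGroup   # Ref returns the rule group ARN

  # The firewall endpoint, placed in the VPC's dedicated firewall subnet.
  WebFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: web-vpc-firewall
      FirewallPolicyArn: !Ref WebFirewallPolicy           # Ref returns the policy ARN
      VpcId: !Ref VpcId
      SubnetMappings:
        - SubnetId: !Ref FirewallSubnetId
      DeleteProtection: true
      FirewallPolicyChangeProtection: true

  # Regional WAFv2 web ACL for an Application Load Balancer, starting from
  # the AWS managed Common Rule Set.
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: external-web-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: externalWebAcl
      Rules:
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}          # managed rule groups use OverrideAction, not Action
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: commonRuleSet

  # Web-tier security group: HTTPS only, and only from the load balancer's
  # security group rather than from 0.0.0.0/0.
  WebTierSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTPS from the load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AlbSecurityGroupId
```

Deploying this stack per VPC gives every web tier the same initial baseline; the security group shows the shape application teams are expected to keep (a source security group, not an open CIDR), which is what the central audit in the next step checks for.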

AWS Firewall Manager provides a centralized way to manage and enforce those policies and rules across accounts and resources. It gives the security team a single place to configure and update the AWS WAF rules, Network Firewall policies, and VPC security group rules as needed. This centralized management is critical for ensuring consistent security across the different application teams and their resources.
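As an added example of the central-management step (not from the original page), the template below creates a Firewall Manager security group content audit policy. Firewall Manager policies are created in the organization's Firewall Manager administrator account; the policy compares every in-scope security group in the listed member account against an audit security group whose rules define the broadest access permitted, so a team's rule that is wider than the audit group's rules is reported as a violation. The audit security group ID and the member account ID are placeholders because the page gives none.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Firewall Manager policy that audits security groups for overly permissive rules

Parameters:
  AuditSecurityGroupId:
    Type: String
    Description: >-
      Placeholder. ID of the audit security group in the Firewall Manager
      administrator account; its rules (e.g. TCP 443 only) are the ceiling
      that application teams' security groups may not exceed.
  MemberAccountId:
    Type: String
    Description: Placeholder. Member account whose security groups are audited.

Resources:
  SecurityGroupContentAuditPolicy:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: sg-no-overly-permissive-ingress
      # Report violations only; switch to true to have Firewall Manager
      # remediate non-compliant rules automatically.
      RemediationEnabled: false
      ExcludeResourceTags: false
      ResourceType: AWS::EC2::SecurityGroup
      IncludeMap:
        ACCOUNT:
          - !Ref MemberAccountId
      SecurityServicePolicyData:
        Type: SECURITY_GROUPS_CONTENT_AUDIT
        # ManagedServiceData is a JSON string. securityGroupAction ALLOW means
        # the audit group's rules are the allowed set; rules broader than them
        # are flagged as non-compliant.
        ManagedServiceData: !Sub '{"type":"SECURITY_GROUPS_CONTENT_AUDIT","securityGroups":[{"id":"${AuditSecurityGroupId}"}],"securityGroupAction":{"type":"ALLOW"}}'
```

The same resource type, with `Type: WAFV2` or `Type: NETWORK_FIREWALL` in `SecurityServicePolicyData`, is how Firewall Manager pushes the web ACL and Network Firewall policies to member accounts; keeping the audit policy in report-only mode first lets the security team review findings before enabling remediation.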

Using Amazon GuardDuty to monitor for overly permissive rules provides an additional layer of security to detect any misconfigurations or excessively open access that may be granted, either during initial setup or later by application teams modifying their security groups.

The combination of defining resources as code, centrally managing policies with Firewall Manager, and monitoring with GuardDuty provides an efficient and comprehensive solution for deploying and maintaining the required network security for hosting external websites on AWS.
