Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 327 discussion

Correct Answer A. Send the outbound connection from EC2 to Network Firewall. In Network Firewall, create stateful outbound rules to allow certain domains for software patch download and deny all other domains. https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html#suricata-example-domain-filtering

Can't use URLs in outbound rule of security groups. URL Filtering screams Firewall.

Security Groups operate at the transport layer (Layer 4) of the OSI model and are primarily concerned with controlling traffic based on IP addresses, ports, and protocols. They do not have the capability to inspect or filter traffic based on URLs. The solution to restrict outbound internet traffic based on specific URLs typically involves using a proxy or firewall that can inspect the application layer (Layer 7) of the OSI model, where URL information is available. AWS Network Firewall operates at the network and application layers, allowing for more granular control, including the ability to inspect and filter traffic based on domain names or URLs. By configuring domain list rule groups in AWS Network Firewall, you can specify which URLs are allowed for outbound traffic. This option is more aligned with the requirement of allowing access to approved third-party software repositories based on their URLs.

https://aws.amazon.com/network-firewall/features/ "Web filtering: AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, **AWS Network Firewall can filter fully qualified domain names (FQDN).**" Always use an AWS product if the advertisement meets the use case.

AWS Network Firewall • Protect your entire Amazon VPC • From Layer 3 to Layer 7 protection • Any direction, you can inspect Traffic filtering: Allow, drop, or alert for the traffic that matches the rules, • Active flow inspection to intrusion prevention

D not possible?

AWS network firewall is stateful, providing control and visibility to Layer 3-7 network traffic, thus cover the application too

Just tried on the console to set up an outbound rule, and URLs cannot be used as a destination. I will opt for A.

Implement strict inbound security group rules Configure an outbound security group rule to allow traffic only to the approved software repository URLs The key points: Highly sensitive EC2 instances in private subnet that can access only approved URLs Other internet access must be blocked Security groups act as a firewall at the instance level and can control both inbound and outbound traffic.

Isnt private subnet not connectible to internet at all, unless with a NAT gateway?

We can't specifu URL in outbound rule of security group. Create free tier AWS account and test it.

CCCCCCCCCCC

It can't be C. You cannot use URLs in the outbound rules of a security group.

Option C is the best solution to meet the requirements of this scenario. Implementing strict inbound security group rules that only allow traffic from approved sources can help secure the VPC network that hosts Amazon EC2 instances. Additionally, configuring an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs will ensure that only approved third-party software repositories can be accessed from the EC2 instances. This solution does not require any additional AWS services and can be implemented using VPC security groups. Option A is not the best solution as it involves the use of AWS Network Firewall, which may introduce additional operational overhead. While domain list rule groups can be used to block all internet traffic except for the approved third-party software repositories, this solution is more complex than necessary for this scenario.

In the security group, only allow inbound traffic originating from the VPC. Then only allow outbound traffic with a whitelisted IP address. The question asks about blocking EC2 instances, which is best for security groups since those are at the EC2 instance level. A network firewall is at the VPC level, which is not what the question is asking to protect.

I am confused that It seems both options A and C are valid solutions.

Answer - A https://aws.amazon.com/premiumsupport/knowledge-center/ec2-al1-al2-update-yum-without-internet/