DOP-C02 Exam Questions

DOP-C02 Exam - Question 137


A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.

Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.

Which solution will meet these requirements?

Correct Answer: C

To automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source, AWS Network Firewall is the right control. Network Firewall is a VPC-level firewall: it inspects and filters traffic that the VPC route tables send through its endpoints, for any protocol, whereas AWS WAF only evaluates HTTP/HTTPS requests reaching CloudFront, an Application Load Balancer, API Gateway or AppSync and cannot block traffic for a whole VPC. The automated part works by having Security Hub emit the GuardDuty finding to Amazon EventBridge, which invokes an AWS Lambda function; the function reads the remote IP from the finding and adds a Drop (DROP action) rule for that address to the stateful rule group referenced by the firewall policy, so traffic to or from the source is blocked on the next packet that reaches the firewall. Two practical checks apply: the firewall only sees traffic whose route passes through a firewall endpoint (subnet and gateway route tables must be set up for that), and the Lambda function should deduplicate addresses and keep rule SIDs unique, because the same finding is re-imported each time GuardDuty updates it and rule groups have a fixed capacity.
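The handler below is an added example (not code from the exam page or from the AWS blog post) of the Lambda side of this design: it takes an EventBridge "Security Hub Findings - Imported" event, extracts the remote address from each GuardDuty finding, and appends a 5-tuple DROP rule to a stateful Network Firewall rule group, skipping addresses already blocked and malformed values. The ASFF field paths (`Network.SourceIpV4`, `Network.DestinationIpV4`, the `ProductFields` GuardDuty key) and the `describe_rule_group` / `update_rule_group` request shapes follow the public documentation, but `FakeNetworkFirewall`, `RULE_GROUP_ARN` and the sample event are constructed stand-ins so the module runs offline; in Lambda you would pass `boto3.client("network-firewall")` instead.

```python
"""Security Hub (GuardDuty) finding -> Network Firewall DROP rule.

Example code, not from the exam page or the AWS blog. The fake client and the
sample event are constructed; the real function would use boto3.
"""
import ipaddress
import os

# Assumed: the stateful rule group ARN is injected via environment in Lambda.
RULE_GROUP_ARN = os.environ.get(
    "RULE_GROUP_ARN",
    "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/guardduty-blocklist")
GD_REMOTE_IP_KEY = "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4"


def remote_ip_from_finding(finding):
    """Return the suspicious peer IPv4 address from an ASFF finding, or None.

    Inbound findings carry the peer in Network.SourceIpV4, outbound ones in
    Network.DestinationIpV4; ProductFields keeps GuardDuty's own copy as a
    fallback (assumed field paths). Anything that does not parse is rejected
    so a bad value can never produce a broken or over-broad rule.
    """
    net = finding.get("Network", {})
    direction = net.get("Direction", "IN")
    candidate = net.get("SourceIpV4") if direction == "IN" else net.get("DestinationIpV4")
    if not candidate:
        candidate = finding.get("ProductFields", {}).get(GD_REMOTE_IP_KEY)
    try:
        return str(ipaddress.IPv4Address(candidate))
    except (TypeError, ValueError):
        return None


def drop_rule(ip, sid):
    """5-tuple stateful rule dropping traffic to or from ip in either direction."""
    return {
        "Action": "DROP",
        "Header": {"Protocol": "IP", "Source": f"{ip}/32", "SourcePort": "ANY",
                   "Direction": "ANY", "Destination": "ANY", "DestinationPort": "ANY"},
        "RuleOptions": [{"Keyword": f"sid:{sid}"}],
    }


def blocked_ips(rules):
    return {r["Header"]["Source"].split("/")[0] for r in rules}


def next_sid(rules):
    """Stateful rules need unique SIDs; continue after the highest one present."""
    sids = [int(o["Keyword"].split(":")[1]) for r in rules
            for o in r["RuleOptions"] if o["Keyword"].startswith("sid:")]
    return max(sids, default=1000000) + 1


def handler(event, context=None, client=None):
    """Lambda entry point for the 'Security Hub Findings - Imported' event."""
    if client is None:
        import boto3  # only reached inside Lambda, never in the offline demo
        client = boto3.client("network-firewall")
    desc = client.describe_rule_group(RuleGroupArn=RULE_GROUP_ARN, Type="STATEFUL")
    rule_group = desc["RuleGroup"]
    rules = rule_group["RulesSource"]["StatefulRules"]
    already, sid = blocked_ips(rules), next_sid(rules)
    added, skipped = [], []
    for finding in event.get("detail", {}).get("findings", []):
        ip = remote_ip_from_finding(finding)
        if ip is None:
            continue
        if ip in already:
            skipped.append(ip)  # finding re-imported or source already blocked
            continue
        rules.append(drop_rule(ip, sid))
        already.add(ip)
        added.append(ip)
        sid += 1
    if added:  # UpdateToken guards against clobbering a concurrent writer
        client.update_rule_group(UpdateToken=desc["UpdateToken"],
                                 RuleGroupArn=RULE_GROUP_ARN, RuleGroup=rule_group)
    return {"added": added, "skipped": skipped}


class FakeNetworkFirewall:
    """Constructed in-memory stand-in for the boto3 network-firewall client."""
    def __init__(self, rules):
        self.rule_group = {"RulesSource": {"StatefulRules": list(rules)}}
        self.token = "tok-1"

    def describe_rule_group(self, **kw):
        rules = list(self.rule_group["RulesSource"]["StatefulRules"])
        return {"UpdateToken": self.token, "RuleGroup": {"RulesSource": {"StatefulRules": rules}}}

    def update_rule_group(self, UpdateToken, RuleGroupArn, RuleGroup, **kw):
        if UpdateToken != self.token:
            raise RuntimeError("stale UpdateToken")
        self.rule_group = RuleGroup
        self.token = f"tok-{int(self.token.split('-')[1]) + 1}"
        return {"UpdateToken": self.token}


SAMPLE_EVENT = {  # constructed EventBridge event, not captured from AWS
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"ProductName": "GuardDuty", "Network": {"Direction": "IN", "SourceIpV4": "198.51.100.23"}},
        {"ProductName": "GuardDuty", "Network": {"Direction": "OUT", "DestinationIpV4": "203.0.113.7"}},
        {"ProductName": "GuardDuty", "ProductFields": {GD_REMOTE_IP_KEY: "192.0.2.44"}},
        {"ProductName": "GuardDuty", "Network": {"Direction": "IN", "SourceIpV4": "not-an-ip"}},
    ]},
}


def run_demo():
    """Run the handler against a fake rule group that already blocks 203.0.113.7."""
    fw = FakeNetworkFirewall([drop_rule("203.0.113.7", 1000001)])
    return handler(SAMPLE_EVENT, client=fw), fw


if __name__ == "__main__":
    print(run_demo()[0])
```

In a real deployment the EventBridge rule would match `source: aws.securityhub` with a filter on `detail.findings[].ProductName` = GuardDuty (and usually on finding type or severity) so that only network findings reach the function, and the rule group's capacity should be sized for the expected number of distinct sources, with an expiry job pruning old entries.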

Discussion

8 comments
traveller37
Sep 1, 2023

I think C: https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/

traveller37
Sep 2, 2023

Sorry i means B

denccc
Nov 5, 2023

You mean C?

RVivek (Option: C)
Sep 22, 2023

C is correct. Only Network Firewall can block traffic at VPC level. A only updates the list, no blocking action. B: WAF and Web ACL can block only HTTPS traffic for an API/VPC endpoint/CloudFront distribution, not for the entire VPC.

Dushank (Option: C)
Sep 23, 2023

Here's the rationale for choosing this option:

AWS Network Firewall: AWS Network Firewall is designed to provide centralized network traffic inspection and filtering. It's a suitable choice for implementing network-level controls.

Lambda Function for Automation: Creating a Lambda function to trigger the creation of a Drop action rule in the firewall policy allows for automated response based on Security Hub findings. This enables you to take immediate action when suspicious sources are detected.

Specific Action (Drop): The Drop action rule is effective for denying traffic from suspicious sources, effectively controlling access and preventing unwanted traffic.

This approach aligns well with the requirement to automatically deny traffic when GuardDuty identifies a new suspicious source, enhancing security in the multi-tenant VPC environment.

thanhnv142 (Option: C)
Feb 7, 2024

C is correct: "a solution to automatically deny traffic" means Network Firewall. A: irrelevant. B: we need Network Firewall, not WAF. D: irrelevant.

vladik820 (Option: A)
Sep 18, 2023

A is right

RVivek (Option: B)
Sep 20, 2023

A only will update the threat list. The requirement is to block the traffic. B is correct. Also it is event driven, immediate action.

yorkicurke
Nov 25, 2023

Hmmm, is this the last question as of now (25th Nov 23)?

zijo (Option: C)
Jul 2, 2024

B blocks traffic at the HTTP/HTTPS web traffic layer, not at the VPC layer.