🔥 3-day streak
AWS Certified Security - Specialty96 / 157
Question 96 of 157

A financial services company routes all outbound traffic from a workload VPC through AWS Network Firewall for inspection. Compliance requires that EC2 instances can only reach a fixed set of external SaaS domains over HTTPS. The instances do NOT use a forward proxy, and the security team wants to avoid decrypting traffic due to certificate-handling overhead. They need the firewall to allow only the approved domains and block all other HTTPS destinations. Which approach meets the requirement with the least operational overhead?

Reviewed for accuracy · Report an issueNext question