
AWS SAA-C03 Drill: VPC Traffic Inspection - The Stateful Firewall vs. Monitoring Trade-off

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AWS SAA-C03, many candidates get confused by AWS security service overlaps. In the real world, this is fundamentally a decision about inline traffic control vs. post-event detection. Let’s drill into a simulated scenario.

The Scenario

MediSync Solutions, a healthcare data analytics startup, recently completed their AWS migration. Their compliance team mandates that all traffic entering and leaving their production VPC must pass through a centralized inspection layer that can:

  • Perform deep packet inspection (DPI)
  • Block malicious traffic in real-time
  • Log all traffic flows for HIPAA audit requirements

In their legacy data center, they operated a hardware appliance that performed stateful firewall operations, intrusion prevention, and content filtering. The Chief Security Officer wants to replicate this inline inspection and blocking capability in AWS without deploying third-party virtual appliances.

Key Requirements

Implement a cloud-native, managed solution that provides stateful traffic inspection and filtering for both ingress and egress VPC traffic with minimal operational overhead.

The Options

  • A) Use Amazon GuardDuty to perform traffic inspection and filtering in the production VPC.
  • B) Use VPC Traffic Mirroring to copy production traffic to an EC2-based inspection server for analysis and filtering.
  • C) Use AWS Network Firewall to create the required traffic inspection and filtering rules for the production VPC.
  • D) Use AWS Firewall Manager to create the required traffic inspection and filtering rules for the production VPC.

Correct Answer

Option C.


The Architect’s Analysis

Correct Answer

Option C: AWS Network Firewall

Step-by-Step Winning Logic

AWS Network Firewall is purpose-built for this exact use case. It provides:

  1. Stateful Inspection Engine: Operates at Layer 3-7, tracking connection states and application protocols
  2. Inline Deployment: Traffic must pass through the firewall before reaching destinations—enabling real-time blocking
  3. Managed Infrastructure: AWS handles scaling, patching, and high availability across multiple AZs
  4. Rule Flexibility: Supports both Suricata-compatible IPS rules and domain filtering (e.g., block *.malicious.com)
  5. Native VPC Integration: Deploys as firewall endpoints in dedicated subnets with route table integration

The FinOps Win: For a production VPC processing 10TB/month, Network Firewall costs ~$500-700/month (endpoint + data processing fees) versus $3,000-5,000/month for self-managed EC2 firewall clusters with equivalent availability.
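To make the "rule flexibility" and "stateful inspection" points concrete, here is an added example (not code from the page or from AWS) that builds the rule-group and firewall-policy definitions a deploy script would hand to boto3's NetworkFirewall create_rule_group / create_firewall_policy calls, and checks them for the consistency mistake that most often fails at deploy time: strict-order default actions in a policy that references non-strict rule groups. Nothing is sent to AWS; the VPC CIDR, account ID, rule-group names and the denylisted domain are constructed placeholders.

```python
"""Network Firewall rule groups and policy for inline inspection (added example).

The dicts have the request shapes boto3's NetworkFirewall.create_rule_group and
create_firewall_policy accept; nothing is sent to AWS here. CIDR, account ID,
names and domains are constructed placeholders.
"""
import re

HOME_NET = "10.20.0.0/16"  # constructed: MediSync's production VPC CIDR
ACCOUNT = "123456789012"   # constructed placeholder account ID
_DOMAIN_RE = re.compile(r"^\.?[a-z0-9-]+(\.[a-z0-9-]+)+$")


def rule_group_arn(name: str, region: str = "us-east-1") -> str:
    """ARN shape a stateful rule group carries once created (constructed)."""
    return f"arn:aws:network-firewall:{region}:{ACCOUNT}:stateful-rulegroup/{name}"


def domain_denylist_rule_group(name: str, domains: list, capacity: int = 100) -> dict:
    """Stateful domain-list group dropping TLS/HTTP sessions to the listed domains.
    A leading dot (".malicious.com") covers the domain and all subdomains, which
    is how the "block *.malicious.com" requirement is expressed."""
    for d in domains:
        if not _DOMAIN_RE.match(d):
            raise ValueError(f"invalid domain target: {d!r}")
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {"RulesSourceList": {
                "Targets": domains,
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": "DENYLIST"}},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def suricata_rule_group(name: str, rules: list, capacity: int = 100) -> dict:
    """Stateful group carrying Suricata-compatible IPS rules as a rules string."""
    for r in rules:
        if not re.search(r"\bsid:\s*\d+\s*;", r) or not r.rstrip().endswith(")"):
            raise ValueError(f"rule needs an options block ending in ')' with a sid: {r!r}")
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
        "RuleGroup": {
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [HOME_NET]}}},
            "RulesSource": {"RulesString": "\n".join(rules)},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def inspection_policy(rule_group_arns: list) -> dict:
    """Policy: every packet goes to the stateful engine; whatever no rule
    explicitly passes is dropped and alerted on (default deny)."""
    return {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
        # Priority is evaluation order: the denylist must precede any pass
        # rules, or a broad pass rule would let the denylisted domains through.
        "StatefulRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": i + 1} for i, arn in enumerate(rule_group_arns)
        ],
    }


def policy_problems(policy: dict, rule_groups: list) -> list:
    """Pre-deploy checks: *_strict actions exist only under strict-order
    evaluation, and a strict-order policy may only reference strict-order groups."""
    problems = []
    engine_order = policy.get("StatefulEngineOptions", {}).get("RuleOrder")
    strict_actions = [a for a in policy["StatefulDefaultActions"] if a.endswith("_strict")]
    if strict_actions and engine_order != "STRICT_ORDER":
        problems.append(f"{strict_actions} require StatefulEngineOptions.RuleOrder=STRICT_ORDER")
    if "aws:drop_strict" not in policy["StatefulDefaultActions"]:
        problems.append("policy does not default-deny: aws:drop_strict missing")
    for rg in rule_groups:
        order = rg["RuleGroup"].get("StatefulRuleOptions", {}).get("RuleOrder", "DEFAULT_ACTION_ORDER")
        if engine_order == "STRICT_ORDER" and order != "STRICT_ORDER":
            problems.append(f"rule group {rg['RuleGroupName']} uses {order}; policy needs STRICT_ORDER")
    return problems


# Constructed sample: denylist first, then the explicit egress allow list.
DENYLIST = domain_denylist_rule_group("medisync-denylist", [".malicious.com"])
EGRESS_ALLOW = suricata_rule_group("medisync-egress-allow", [
    'pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"allow HTTPS egress"; sid:1000001; rev:1;)',
    # Redundant under default-deny, but an explicit drop yields a named alert.
    'drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"telnet egress blocked"; sid:1000002; rev:1;)',
])
POLICY = inspection_policy([rule_group_arn("medisync-denylist"),
                            rule_group_arn("medisync-egress-allow")])
```

The design choice worth noting is the default-deny policy (`aws:drop_strict`): with it, the Suricata group has to spell out what is allowed, which is the posture a replaced on-premises firewall appliance usually had; without it, an inline firewall silently degrades to "block only what is on the denylist".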

The Traps (Distractor Analysis)

  • Why not Option A (GuardDuty)?
    GuardDuty is a threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs to identify anomalies. It cannot block traffic—it only sends alerts. Think of it as a security camera, not a locked door.

  • Why not Option B (Traffic Mirroring)?
    Traffic Mirroring copies VPC traffic to analysis targets (like an EC2 instance running Wireshark). It’s passive monitoring only—the original traffic flows normally regardless of what the inspection server finds. It cannot enforce blocking.

  • Why not Option D (Firewall Manager)?
    Firewall Manager is a policy orchestration tool that helps you centrally manage WAF rules, Security Groups, and Network Firewall policies across multiple accounts. It doesn’t perform traffic inspection itself—it’s the control plane, not the data plane.

The Architect Blueprint

Blueprint diagram (Mermaid source):

    graph TB
        Internet([Internet]) -->|Ingress Traffic| IGW[Internet Gateway]
        IGW --> FirewallSubnet[Firewall Subnet<br/>AWS Network Firewall Endpoint]
        FirewallSubnet -->|Inspected & Allowed| AppSubnet[Application Subnet<br/>EC2/ECS Workloads]
        AppSubnet -->|Egress Traffic| FirewallSubnet
        FirewallSubnet -->|Inspected & Allowed| IGW
        FirewallSubnet -.->|Logs| CloudWatch[CloudWatch Logs]
        FirewallSubnet -.->|Logs| S3[S3 Bucket<br/>HIPAA Audit Trail]
        style FirewallSubnet fill:#ff9900,stroke:#232f3e,color:#fff
        style AppSubnet fill:#3f8624,stroke:#232f3e,color:#fff

Diagram Note: All traffic enters/exits through the Network Firewall endpoint deployed in a dedicated inspection subnet, with routing tables forcing traffic through the firewall before reaching application workloads or the internet.
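The diagram note says routing tables "force" traffic through the firewall, and that is where real deployments go wrong: three route tables have to agree, including an edge-associated table on the Internet Gateway, or ingress quietly bypasses the endpoint. The following added example (not from the page) models those tables as CIDR-to-target maps with longest-prefix-match lookup and traces a packet hop by hop, both in the correct layout and with the edge route table missing. Subnet CIDRs, the `vpce-firewall` target name and the single-AZ layout are constructed; a multi-AZ deployment repeats the pattern per AZ.

```python
"""Trace a packet through the route tables of the inspection blueprint (added example).

Route tables are CIDR -> target maps resolved by longest-prefix match, as the
VPC router does. CIDRs and target names are constructed placeholders.
"""
import ipaddress

VPC_CIDR = "10.20.0.0/16"
SUBNETS = {
    "firewall-subnet": "10.20.0.0/28",  # holds the Network Firewall endpoint
    "app-subnet": "10.20.1.0/24",       # EC2/ECS workloads
}

# The three route tables that push every ingress and egress packet through the
# firewall. "igw" is the Internet Gateway, "vpce-firewall" the firewall endpoint.
ROUTE_TABLES = {
    # Edge association on the IGW (VPC ingress routing): the app subnet route is
    # more specific than "local", so inbound traffic goes to the firewall first.
    "igw": {VPC_CIDR: "local", SUBNETS["app-subnet"]: "vpce-firewall"},
    # Firewall subnet: after inspection, VPC destinations are delivered
    # directly and everything else leaves via the IGW.
    "firewall-subnet": {VPC_CIDR: "local", "0.0.0.0/0": "igw"},
    # App subnet: the default route is the firewall endpoint, never the IGW.
    "app-subnet": {VPC_CIDR: "local", "0.0.0.0/0": "vpce-firewall"},
}


def lookup(route_table: dict, dst: str):
    """Longest-prefix-match route lookup; None when no route matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_of(dst: str):
    ip = ipaddress.ip_address(dst)
    for name, cidr in SUBNETS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


def trace(start: str, dst: str, route_tables: dict = ROUTE_TABLES, max_hops: int = 8) -> list:
    """Hop-by-hop path of a packet from `start` ("internet" or a subnet name)
    to `dst`; the path ends at the delivering subnet or at "internet"."""
    path, location = [start], start
    vpc = ipaddress.ip_network(VPC_CIDR)
    for _ in range(max_hops):
        if location == "internet":
            path.append("igw")
            location = "igw"
            continue
        if location == "igw" and ipaddress.ip_address(dst) not in vpc:
            path.append("internet")
            return path
        target = lookup(route_tables[location], dst)
        if target is None:
            raise LookupError(f"no route for {dst} in {location}")
        if target == "local":
            path.append(subnet_of(dst))
            return path
        if target == "vpce-firewall":
            path.append("vpce-firewall")
            location = "firewall-subnet"  # the endpoint forwards with its subnet's table
        elif target == "igw":
            path.append("igw")
            location = "igw"
        else:
            raise ValueError(f"unknown route target {target!r}")
    raise RuntimeError(f"routing loop for {dst} from {start}: {path}")


def inspected(path: list) -> bool:
    """True if the path passed through the firewall endpoint."""
    return "vpce-firewall" in path


def bypass_misconfiguration() -> dict:
    """The common mistake: no edge route table on the IGW. Egress is still
    inspected, but ingress lands on the workload without touching the firewall."""
    tables = {name: dict(routes) for name, routes in ROUTE_TABLES.items()}
    tables["igw"] = {VPC_CIDR: "local"}
    return tables


if __name__ == "__main__":
    print("ingress:", trace("internet", "10.20.1.10"))
    print("egress: ", trace("app-subnet", "203.0.113.5"))
    print("ingress without edge route table:", trace("internet", "10.20.1.10", bypass_misconfiguration()))
```

The one-sided failure is the point: with the edge route table missing, the stateful engine sees only the egress half of each connection, so besides the uninspected ingress you get asymmetric-routing drops on replies. A quick `trace` of both directions against the real route tables is a cheap check to add to a deployment pipeline.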

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A: GuardDuty | Low | $50-150 (based on volume) | ✅ Easy to enable; ✅ Machine learning threat detection; ✅ No infrastructure | ❌ Cannot block traffic; ❌ Detection only, not prevention; ❌ No inline inspection |
| B: Traffic Mirroring | High | $800-2,000 (EC2 + data transfer) | ✅ Full packet capture; ✅ Flexible analysis tools | ❌ Passive monitoring only; ❌ Requires self-managed EC2 inspection servers; ❌ No blocking capability; ❌ Doubles network costs |
| C: Network Firewall | Medium | $500-700 (10TB/month) | ✅ Inline blocking; ✅ Fully managed; ✅ Stateful + IPS rules; ✅ HA built-in | ⚠️ Moderate cost at high scale; ⚠️ Requires subnet redesign |
| D: Firewall Manager | Low | $100 (policy management) | ✅ Centralized policy management; ✅ Multi-account governance | ❌ Not a firewall engine; ❌ Requires Network Firewall/WAF underneath; ❌ Policy orchestration only |

Real-World Practitioner Insight

Exam Rule

For the SAA-C03 exam, always pick AWS Network Firewall when you see keywords like:

  • “Inline traffic inspection”
  • “Block malicious traffic in real-time”
  • “Stateful firewall rules”
  • “Replace on-premises firewall appliance”

Choose GuardDuty only when the requirement is “detect” or “identify threats” without blocking.

Real World

In production at MediSync, we would likely implement a layered defense:

  1. AWS Network Firewall for inline inspection and filtering
  2. GuardDuty for anomaly detection (e.g., compromised EC2 instances)
  3. WAF for application-layer protection (HTTP/S attacks)
  4. Traffic Mirroring selectively enabled for forensic analysis during incident response (not continuous monitoring due to cost)

The exam simplifies this to a single choice, but real architectures combine services. For a 50TB/month environment, we’d also evaluate:

  • Third-party appliances (Palo Alto VM-Series) if the company already holds licenses
  • AWS Gateway Load Balancer for auto-scaling third-party firewalls
  • VPC Ingress Routing for more granular traffic steering

FinOps Tip: Network Firewall’s pricing is consumption-based ($0.395/hour per endpoint + $0.065/GB processed in us-east-1). For cost predictability, enable VPC Flow Logs first to baseline traffic volumes before deploying.
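The baselining step in the FinOps tip is worth automating, because not every byte in a flow log is billable: only traffic that crosses the VPC boundary reaches the firewall endpoint, while east-west traffic between two instances never does. The following added example (not from the page) parses default-format VPC Flow Log records, sums the bytes of boundary-crossing flows, and projects the sampled window to a monthly Network Firewall estimate at the list prices quoted above. The log lines, VPC CIDR and AZ count are constructed, and a billing GB is taken as 10^9 bytes, which is an assumption.

```python
"""Baseline inspected traffic from VPC Flow Logs before deploying Network Firewall.

Added example, not from the page. Parses default-format (v2) flow log records,
keeps only flows that cross the VPC boundary, and projects a monthly cost at
the quoted us-east-1 prices. Log lines, CIDR and AZ count are constructed;
billing GB = 10^9 bytes is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Default flow log format, v2: 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one 60-second aggregation window on a single ENI.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.20.1.10 203.0.113.5 49152 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.20.1.10 443 49152 6 30 120000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.20.1.10 10.20.1.20 33000 5432 6 100 50000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.20.1.10 51000 22 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class Flow:
    interface_id: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    byte_count: int
    start: int
    end: int
    action: str


def parse_flow_log(text: str) -> list:
    """Parse default-format records; NODATA/SKIPDATA windows carry no figures."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["interface_id"], ipaddress.ip_address(rec["srcaddr"]),
                          ipaddress.ip_address(rec["dstaddr"]), int(rec["bytes"]),
                          int(rec["start"]), int(rec["end"]), rec["action"]))
    return flows


def crosses_boundary(flow: Flow, vpc: ipaddress.IPv4Network) -> bool:
    """True when exactly one endpoint is outside the VPC. Intra-VPC flows never
    reach the firewall endpoint. A flow the security group REJECTs still
    traversed the firewall on the way in, so `action` is not a filter here.
    Since only one side of such a flow has an ENI in the VPC, each inspected
    flow is counted once even with logging enabled on every ENI."""
    return (flow.src in vpc) != (flow.dst in vpc)


def inspected_bytes(flows: list, vpc_cidr: str) -> int:
    vpc = ipaddress.ip_network(vpc_cidr)
    return sum(f.byte_count for f in flows if crosses_boundary(f, vpc))


def window_seconds(flows: list) -> int:
    return max(f.end for f in flows) - min(f.start for f in flows)


def estimate_monthly(total_bytes: int, seconds: int, az_count: int = 2,
                     endpoint_hour_usd: float = 0.395, per_gb_usd: float = 0.065,
                     hours_per_month: float = 730.0) -> dict:
    """Project an observed window to a month at the quoted us-east-1 prices.
    One endpoint per AZ is assumed for the HA layout."""
    if seconds <= 0:
        raise ValueError("need a positive observation window")
    gb = total_bytes / seconds * hours_per_month * 3600 / 1e9
    endpoints = az_count * endpoint_hour_usd * hours_per_month
    data = gb * per_gb_usd
    return {"data_gb": round(gb, 3), "endpoint_usd": round(endpoints, 2),
            "data_usd": round(data, 2), "total_usd": round(endpoints + data, 2)}


def baseline(text: str, vpc_cidr: str, az_count: int = 2) -> dict:
    flows = parse_flow_log(text)
    return estimate_monthly(inspected_bytes(flows, vpc_cidr), window_seconds(flows), az_count)


if __name__ == "__main__":
    print(baseline(SAMPLE_LOG, "10.20.0.0/16"))
```

Run it over a representative week of flow logs rather than a single window; the fixed endpoint charge dominates at low volume, and the per-GB component is what decides whether the self-managed alternatives in the matrix above ever become cheaper.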