About This Flashcard Deck
This flashcard deck contains 10 cards covering key Network Security concepts for the ANS-C01 exam. Test your knowledge of security groups, NACLs, Network Firewall, WAF, Shield, and encryption in transit. Use active recall by attempting to answer each question before revealing the answer. Research shows that flashcard-based active recall is one of the most effective study techniques for certification exams.
All Network Security Flashcards
Q: How does AWS Network Firewall rule evaluation work?
A: Stateless rule groups run first, in priority order; each rule's action is pass, drop, or forward to the stateful engine, and the policy's stateless default action (set separately for fragmented packets) handles anything no rule matched. Forwarded packets are tracked as flows by the stateful engine, which uses Suricata-compatible rule groups: 5-tuple (standard stateful) rules, domain list rules, and Suricata-format IPS rules. By default stateful rules apply in action order (pass, then drop, then reject, then alert); with strict order enabled in the policy they apply in rule group priority order instead.
Q: What is traffic mirroring?
A: Copies packets from a source ENI on a supported (mostly Nitro-based) instance to a target: an ENI, an NLB with a UDP listener, or a Gateway Load Balancer endpoint. Mirrored packets are VXLAN-encapsulated; a filter (direction, protocol, port ranges, CIDRs) selects what is copied, and the session can truncate each packet to its first N bytes. Mirroring runs in the hypervisor, not the guest, but mirrored traffic counts against the source instance's bandwidth and is dropped first under congestion, so it is not free and not lossless.
Q: What is the difference between Shield Standard and Advanced?
A: Standard: free, always on, protects every AWS customer against common network and transport layer (L3/L4) DDoS attacks. Advanced: $3,000/month with a one-year commitment plus data transfer fees; adds L7 protection with AWS WAF usage on protected resources at no extra charge, access to the Shield Response Team (SRT, formerly DRT), cost protection credits for scaling charges incurred during an attack, health-based detection, and detailed attack metrics and reports in CloudWatch.
Q: What does a GWLB (Gateway Load Balancer) do?
A: Sits inline in the routing path and distributes flows to a fleet of virtual appliances (firewalls, IDS/IPS) over GENEVE (UDP 6081), so each appliance receives the original packet inside the tunnel and returns it on the same tunnel. Consumer VPCs reach it through a Gateway Load Balancer endpoint (PrivateLink) that route tables point at, so it is transparent to the application. Flows are sticky to one appliance (5-tuple by default, 3-tuple or 2-tuple optional) so both directions hit the same appliance; the appliance must terminate GENEVE itself.
Q: What is VPC Flow Logs format?
A: Default (version 2) format, space separated: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status. action is ACCEPT or REJECT; log-status is OK, NODATA (no traffic in the interval) or SKIPDATA (records dropped for capacity or error reasons), in which case the traffic fields are '-'. Custom formats choose and order fields, adding ones such as vpc-id, subnet-id, instance-id, tcp-flags, pkt-srcaddr/pkt-dstaddr, flow-direction, and traffic-path. Flow logs do not capture traffic to the Amazon DNS resolver, DHCP, or the instance metadata service.
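A parser for the default format, as an added example (not from the page or AWS): it derives the field list from a format string, types the numeric fields, skips NODATA/SKIPDATA intervals but reports them as visibility gaps, and summarizes REJECTed destination ports per source to flag scan-like behaviour. The log lines, account ID and ENI ID are constructed for the demo.

```python
"""Parse VPC Flow Log records (default and custom formats) and summarize
rejected flows per source. Added example; all sample data is constructed."""
import re
from collections import defaultdict
from typing import Optional

# Default (version 2) field order, exactly as the card lists it.
DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
                  "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} "
                  "${end} ${action} ${log-status}")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end", "tcp-flags"}

# Constructed sample: one source rejected on three ports (scan-like), one
# accepted flow, then NODATA and SKIPDATA intervals whose traffic fields are '-'.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 51234 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 51235 23 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 51236 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.25 40000 443 6 12 4120 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000119 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000120 1700000179 - SKIPDATA
"""


def fields_from_format(fmt: str) -> list:
    """Turn a flow log format string ('${srcaddr} ${action} ...') into a field list."""
    return re.findall(r"\$\{([^}]+)\}", fmt)


def split_record(line: str, fields: list) -> dict:
    """Split one space-separated record into {field: raw string}."""
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    return dict(zip(fields, parts))


def parse_record(line: str, fields: list) -> Optional[dict]:
    """Typed record, or None for NODATA/SKIPDATA intervals (no traffic fields)."""
    rec = split_record(line, fields)
    if rec.get("log-status", "OK") != "OK":
        return None
    return {k: (int(v) if k in INT_FIELDS and v != "-" else v) for k, v in rec.items()}


def parse_log(text: str, fmt: str = DEFAULT_FORMAT) -> list:
    fields = fields_from_format(fmt)
    recs = (parse_record(line, fields) for line in text.splitlines() if line.strip())
    return [r for r in recs if r is not None]


def skipped_intervals(text: str, fmt: str = DEFAULT_FORMAT) -> list:
    """(start, end, status) of intervals without flow records. NODATA means no
    traffic was seen; SKIPDATA means records were lost, so during an
    investigation treat it as a blind spot rather than as silence."""
    fields = fields_from_format(fmt)
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = split_record(line, fields)
        if rec.get("log-status") in ("NODATA", "SKIPDATA"):
            out.append((int(rec["start"]), int(rec["end"]), rec["log-status"]))
    return out


def rejects_by_source(records: list) -> dict:
    """srcaddr -> sorted distinct destination ports that were REJECTed.
    A REJECT only says a security group or NACL dropped the flow; the
    record does not tell you which of the two did it."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def scan_candidates(records: list, min_ports: int = 3) -> list:
    """Sources rejected on at least min_ports distinct ports in this batch."""
    return sorted(s for s, p in rejects_by_source(records).items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(rejects_by_source(recs), scan_candidates(recs), skipped_intervals(SAMPLE_LOG))
```

Because the field list comes from the format string, the same functions handle a custom format such as `${srcaddr} ${dstaddr} ${action} ${tcp-flags}`; only the names you query (for example `log-status` or `start`) need to be present.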
Q: What is a WAF rate-based rule?
A: Counts requests per aggregation key (source IP by default; the client IP taken from a forwarded-IP header such as X-Forwarded-For when a proxy or CDN sits in front; or custom keys such as a header, query argument, or URI path) over a trailing window, 5 minutes by default with 1, 2, and 10 minute windows also supported, and applies the rule action (Block, Count, CAPTCHA, or Challenge) to keys over the limit; the minimum limit is 10 requests. Counts are refreshed roughly every 30 seconds, so a short burst can overshoot before the action takes effect, and the action is lifted automatically once the key's rate falls back under the limit. Use for HTTP floods and credential stuffing or brute force, with a scope-down statement to confine it to, for example, the login path.
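A small simulation of those semantics, as an added example (not from the page and not AWS WAF's implementation): a trailing-window counter per aggregation key, blocking while a key is over the limit and lifting the block once older requests age out of the window, plus the forwarded-IP case that shows why aggregating on the connection's source address behind a proxy blocks every client at once. The `key="forwarded_ip"` and `action` parameter names are this example's own, and counting is exact per request rather than on WAF's roughly 30-second refresh cadence.

```python
"""Rate-based rule semantics: count requests per aggregation key over a trailing
window and apply the action while the key is over the limit. Added example;
request streams are constructed and the counting is exact, not WAF's cadence."""
from collections import defaultdict, deque


class RateBasedRule:
    def __init__(self, limit: int, window_seconds: int = 300, key: str = "ip",
                 forwarded_header: str = "x-forwarded-for", action: str = "block"):
        self.limit, self.window, self.key = limit, window_seconds, key
        self.forwarded_header, self.action = forwarded_header.lower(), action
        self._hits = defaultdict(deque)          # aggregation key -> timestamps in window

    def aggregation_key(self, req: dict):
        """Source IP, or the first (client) address in the forwarded-IP header when
        the rule aggregates on forwarded IP. A missing or blank header yields None,
        modelling a NO_MATCH fallback: the request is neither counted nor acted on."""
        if self.key == "ip":
            return req["ip"]
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        first = headers.get(self.forwarded_header, "").split(",")[0].strip()
        return first or None

    def observe(self, ts: float, req: dict) -> str:
        """Record one request at time ts; return 'allow' or the rule action."""
        k = self.aggregation_key(req)
        if k is None:
            return "allow"
        dq = self._hits[k]
        while dq and dq[0] <= ts - self.window:
            dq.popleft()                          # requests older than the window stop counting
        dq.append(ts)                             # blocked requests still count, so a client
        return self.action if len(dq) > self.limit else "allow"   # has to really slow down


def run(rule: RateBasedRule, stream: list) -> list:
    return [rule.observe(ts, req) for ts, req in stream]


# Constructed streams: one client sending 120 requests in two minutes, and 120
# distinct clients each sending one request through a single proxy address.
FLOOD = [(t, {"ip": "203.0.113.7"}) for t in range(120)]
PROXIED = [(t, {"ip": "192.0.2.1", "headers": {"X-Forwarded-For": f"10.9.{t}.1, 192.0.2.1"}})
           for t in range(120)]


def demo():
    rule = RateBasedRule(limit=100)
    flood = run(rule, FLOOD)                                 # 100 allow, then 20 block
    recovered = rule.observe(500, {"ip": "203.0.113.7"})     # window has emptied: allowed again
    by_proxy_ip = run(RateBasedRule(limit=100, key="ip"), PROXIED)            # everyone blocked
    by_client_ip = run(RateBasedRule(limit=100, key="forwarded_ip"), PROXIED)  # nobody blocked
    return flood, recovered, by_proxy_ip, by_client_ip


if __name__ == "__main__":
    f, r, p, c = demo()
    print(f.count("block"), r, p.count("block"), c.count("block"))
```

Trusting a forwarded-IP header is only safe when the hop that sets it is yours (CloudFront or your own proxy) and clients cannot reach the origin directly; otherwise an attacker supplies a fresh header value per request and never accumulates a count.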
Q: How does Network Firewall domain filtering work?
A: Stateful domain list rules read the server name from the TLS ClientHello SNI (HTTPS) or the Host header (plain HTTP) and pass or drop the flow against an allow list or deny list. A leading dot (.example.com) matches the domain and all its subdomains; without the dot only the exact name matches. Without a TLS inspection configuration the firewall never decrypts, so it is trusting a client-supplied, unencrypted field: a client can send a permitted SNI and talk to something else, or omit it. Attach a TLS inspection configuration when you need to verify the name against the certificate or inspect the payload, and in a centralized deployment set the HOME_NET rule variable to the source CIDRs (it defaults to the firewall's own VPC).
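What "works on connection metadata" means in bytes, as an added example (not from the page or from AWS Network Firewall): pull the server name out of a TLS ClientHello's SNI extension or an HTTP Host header without decrypting anything, then apply a domain list with the leading-dot semantics described above. The ClientHello builder, the domain lists and the `ALLOWLIST`/`DENYLIST` decision helper are constructed for the demo.

```python
"""Extract the server name a domain list rule sees (TLS SNI or HTTP Host) and
match it with Network Firewall's dot semantics. Added example; the ClientHello
builder and the lists below are constructed test input, not real traffic."""
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Minimal ClientHello record with one SNI extension (fixed random, one suite)."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Server name from a ClientHello record, or None. Only handshake framing is
    read; nothing is decrypted, and the value is whatever the client chose to send."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            lpos = 2                                            # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def extract_host(http_request: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP/1.x request head, port suffix stripped."""
    head = http_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower() or None
    return None


def domain_matches(host: str, entry: str) -> bool:
    """'example.com' matches only that name; '.example.com' also matches subdomains."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        base = entry[1:]
        return host == base or host.endswith("." + base)
    return host == entry


def decide(name: Optional[str], domains, list_type: str = "ALLOWLIST") -> str:
    """'pass' or 'drop'. With an allow list a flow with no usable name is dropped:
    the client controls this field, so its absence must not be a free pass."""
    matched = name is not None and any(domain_matches(name, d) for d in domains)
    if list_type == "ALLOWLIST":
        return "pass" if matched else "drop"
    return "drop" if matched else "pass"


def classify(payload: bytes, domains, list_type: str = "ALLOWLIST") -> str:
    """Apply the list to the first bytes of a flow, TLS or plaintext HTTP."""
    name = extract_sni(payload) if payload[:1] == b"\x16" else extract_host(payload)
    return decide(name, domains, list_type)
```

The parser deliberately never looks past the ClientHello; that is the whole of what a non-decrypting domain filter can see, and also why it cannot tell an honest SNI from a forged one.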
Q: What is a NACL ephemeral port consideration?
A: NACLs are stateless, so return traffic is evaluated like any other packet. Clients pick an ephemeral source port (Linux 32768-60999, Windows 49152-65535, NAT gateways and ELBs 1024-65535), so replies are addressed to that port: the outbound NACL must allow the ephemeral range toward client CIDRs for connections the subnet receives, and the inbound NACL must allow it for connections instances in the subnet initiate. Rules are evaluated in ascending rule number and the first match wins, so a deny placed before an allow takes effect. Often forgotten in troubleshooting, because the security group (stateful) lets the reply through and the NACL silently drops it.
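A stateless NACL evaluator that walks both halves of a connection, as an added example (not from the page or AWS): it applies rules in ascending number with first match wins and an implicit final deny, then shows the inbound HTTPS connection whose reply is dropped because the outbound ACL forgot the ephemeral range, the fixed ACL, and the mirror-image case for an instance-initiated connection. The rule sets and addresses are constructed; ICMP type/code matching is left out.

```python
"""Stateless evaluation of subnet network ACLs: ascending rule number, first
match wins, implicit '*' deny. Added example; rule sets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # 1..32766; lower numbers are evaluated first
    protocol: str      # "tcp", "udp" or "all"
    port_from: int     # destination port range of the packet (ignored for "all")
    port_to: int
    cidr: str          # remote side: source for inbound rules, destination for outbound
    allow: bool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def evaluate(rules, packet: Packet, direction: str) -> bool:
    """True if the packet is allowed in this direction ('in' or 'out')."""
    remote = ipaddress.ip_address(packet.src if direction == "in" else packet.dst)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "all" and r.protocol != packet.protocol:
            continue
        if r.protocol != "all" and not (r.port_from <= packet.dport <= r.port_to):
            continue
        if remote not in ipaddress.ip_network(r.cidr):
            continue
        return r.allow       # first match wins, even if a later rule would allow
    return False             # the '*' rule


def connection_allowed(acl_in, acl_out, client, client_port, server, server_port,
                       proto="tcp", client_is_inside=False):
    """Evaluate both halves of one connection through the subnet's NACL and return
    (request_allowed, reply_allowed). The reply's destination port is the client's
    ephemeral port, which is the rule that tends to be missing."""
    request = Packet(client, server, proto, server_port)
    reply = Packet(server, client, proto, client_port)
    if client_is_inside:                     # instance in the subnet initiated it
        return evaluate(acl_out, request, "out"), evaluate(acl_in, reply, "in")
    return evaluate(acl_in, request, "in"), evaluate(acl_out, reply, "out")


# Constructed ACLs for a subnet hosting an HTTPS server.
INBOUND = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", True)]
OUTBOUND_FORGOT = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", True)]       # server's own HTTPS only
OUTBOUND_FIXED = OUTBOUND_FORGOT + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", True)]
INBOUND_FIXED = INBOUND + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", True)]


def demo():
    client_in_forgot = connection_allowed(INBOUND, OUTBOUND_FORGOT, "203.0.113.7", 51234, "10.0.1.25", 443)
    client_in_fixed = connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.7", 51234, "10.0.1.25", 443)
    # The server calls out to an API on 443; the reply needs the inbound ephemeral rule.
    server_out_forgot = connection_allowed(INBOUND, OUTBOUND_FIXED, "10.0.1.25", 40000,
                                           "198.51.100.4", 443, client_is_inside=True)
    server_out_fixed = connection_allowed(INBOUND_FIXED, OUTBOUND_FIXED, "10.0.1.25", 40000,
                                          "198.51.100.4", 443, client_is_inside=True)
    return client_in_forgot, client_in_fixed, server_out_forgot, server_out_fixed


if __name__ == "__main__":
    print(demo())   # ((True, False), (True, True), (True, False), (True, True))
```

A `(True, False)` result is exactly the symptom seen in practice: VPC Flow Logs show the SYN ACCEPTed on the way in and nothing coming back, while the security group, being stateful, has already allowed the reply.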
Q: What is a prefix list?
A: A named set of CIDR blocks managed as a single, versioned resource. Customer-managed prefix lists can be referenced from security group rules, subnet and Transit Gateway route tables, and Network Firewall rule groups (via IP set references), and shared across accounts with RAM. AWS-managed prefix lists cover the IP ranges of services such as S3, DynamoDB, and CloudFront origin-facing servers. Quota caveat: a prefix list referenced in a security group counts as its maximum number of entries (not its current entry count) against the rules-per-security-group limit.
Q: What is endpoint policy vs security group for VPC endpoints?
A: Endpoint policy: a resource-based IAM policy attached to the endpoint that restricts which principals, actions, and resources may be used through it; it can only narrow what the caller's own IAM permissions already allow, and it applies to gateway endpoints and to interface endpoints for services that support it. Security group: attached to an interface endpoint's ENIs, it controls which source IPs or security groups can open connections to the endpoint; gateway endpoints have no ENI and no security group, since they are reached through route table entries. For end-to-end control, pair these with the service's resource policy (for example an S3 bucket policy conditioned on aws:SourceVpce).