A finance organization has implemented a distributed application with database servers on an EC2 instance within VPC across various AZ in the us-east-1 region. These servers save critical customer information which should be protected from all security threats. The Security Team is concerned about hardening the EC2 instance at the OS level to protect from any threats & needs to have deep packet inspection for all packets in & out of this EC2 instance. Which of the following solution can be deployed to meet this requirement with the least effort & cost?

Answer options:

A.Configured Security Groups to perform stateful packet inspection at the EC2 Operating system level.
B.Use a Host-Based Firewall for deep packet inspection at the EC2 Operating system level.
C.Use AWS WAF for deep packet inspection at the EC2 Operating system level.
D.Use In-line Firewall for deep packet inspection at the EC2 Operating system level.

Correct Answer – B
Host-Based Firewall can be deployed at EC2 OS level to perform additional security for packets in & out of those instances. For this, built-in OS capabilities or any third-party software can be used.
Option A is incorrect as the security group can perform packet inspection at the hypervisor level & not at the EC2 OS level.
Option C is incorrect as AWS WAF is used for protecting common web exploits at the web application level. 
Option D is incorrect as Using In-line Firewall will incur additional charges. Since it is an in-line firewall, it may become a bottleneck in case of heavy traffic.
For more information on Firewall Options with VPC, refer to the following URLs
https://aws.amazon.com/answers/networking/vpc-security-capabilities/