A web company is looking to implement an intrusion detection and prevention system for their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC. How should they architect their solution to achieve these goals?

Answer options:

A.Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see all traffic across the VPC.B.Create a IDS/IPS system from AWS Marketplace to monitor security events in the VPC network and stop threats once detected.
C.Configure servers running in the VPC using the host-based ‘route’ commands to send all traffic through the platform to a scalable virtualized IDS/IPS.
D.Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

Answer - B
This question asks you to design a scalable IDS/IPS solution (easily applicable to thousands of instances). Users can set up third party IDS/IPS solutions offered in AWS Marketplace.
Option A is incorrect because AWS does not support promiscuous mode.
Option B is CORRECT because there are various IDS/IPS solutions offered in AWS Marketplace that monitor networks and systems for malicious activity and provide layer of security for potential threats.
Option C is incorrect. The incoming traffic should be passed through IDS/IPS before sending it to the servers.
Option D is plausible, but (a) it is not a scalable solution, (b) it is only an IDS solution, not an IPS solution.
Please check the following references:
https://aws.amazon.com/mp/scenarios/security/ids/
https://aws.amazon.com/marketplace/solutions/infrastructure-software/ids-ips