Which solution meets these requirements?
Configure AWS Shield for the VPC.
Use AWS Network Firewall on the VPC. Configure Network Firewall to perform deep packet inspection.
Use AWS Network Firewall on the subnets. Configure Network Firewall to perform deep packet inspection.
Set up Traffic Mirroring on an inbound port of the NLB.
Explanations:
AWS Shield is primarily designed to protect against DDoS attacks, not for deep packet inspection. It doesn’t provide the capability for detailed analysis of inbound traffic for hacking attempts.
AWS Network Firewall is a managed service that allows for deep packet inspection in VPCs. It can be configured to analyze and filter traffic to identify potential security threats, including hacking attempts.
AWS Network Firewall should be deployed in the VPC, not in individual subnets. Configuring it only in the subnets does not provide the required traffic inspection for the entire VPC’s inbound traffic.
Traffic Mirroring allows you to capture and analyze traffic, but it doesn’t perform deep packet inspection on its own. It can be used for monitoring and troubleshooting, but additional tools or services would be required for deep packet inspection.
Based on what I know, the answer is:
Use AWS Network Firewall on the VPC. Configure Network Firewall to perform deep packet inspection.
I weigh that the answer is:
Use AWS Network Firewall on the VPC. Configure Network Firewall to perform deep packet inspection.