A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to ensure that all internet-bound traffic from VPCs in the organization goes through a centralized egress VPC where it is inspected by a firewall. Which TWO steps are required to enforce this?
Central egress VPC hosts the internet gateway.
Why this answer
Options A and D are correct. Option A: a central egress VPC that hosts the internet gateway (and the inspection firewall) gives the organization a single controlled path to the internet; spoke VPCs send their default route toward that VPC instead of toward a gateway of their own. Option D: a service control policy (SCP) that denies creating and attaching internet gateways in the other accounts is what makes the centralized path mandatory, because without it any account could add its own internet gateway and bypass inspection entirely.
Option B is wrong because AWS Direct Connect provides private connectivity between on-premises networks and AWS, not a path to the internet. Option C is wrong because VPC endpoints provide private access to AWS services and do not carry general internet-bound traffic. Option E is wrong because AWS WAF inspects inbound HTTP(S) requests to resources associated with a web ACL (such as CloudFront, an Application Load Balancer or API Gateway); it does not control or filter egress.
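The SCP from option D, plus a check that no spoke route table already bypasses the egress VPC, as an added example that is not part of the original question or its explanation. The account ID, route-table data and the tiny policy evaluator are constructed for illustration; the route-table shape mirrors the fields returned by `ec2 describe-route-tables`, and only the condition key this SCP actually uses is evaluated.

```python
import fnmatch
from typing import Dict, List

# Hypothetical ID of the account that owns the central egress VPC (placeholder).
EGRESS_ACCOUNT_ID = "111111111111"

# SCP that removes every gateway-based path to the internet from member accounts.
# Attach it to the spoke OUs; the condition additionally exempts the egress account
# in case that account sits under the same OU. Egress-only IGWs are included so
# IPv6 traffic cannot slip around the inspection VPC either.
DENY_IGW_SCP: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInternetGatewaysOutsideEgressAccount",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateEgressOnlyInternetGateway",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:PrincipalAccount": EGRESS_ACCOUNT_ID}
            },
        }
    ],
}


def scp_denies(policy: Dict, action: str, principal_account: str) -> bool:
    """Minimal evaluator: True if a Deny statement matches the action (IAM action
    matching is case-insensitive and supports '*' wildcards) and the statement's
    StringNotEquals/aws:PrincipalAccount condition does not exempt the caller."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:PrincipalAccount")
        if exempt is not None and principal_account == exempt:
            continue
        return True
    return False


def find_bypass_routes(route_tables: List[Dict], egress_account: str) -> List[str]:
    """Return IDs of route tables outside the egress account whose default route
    (IPv4 or IPv6) points at an internet gateway or egress-only internet gateway
    instead of the transit gateway that leads to the egress VPC."""
    findings = []
    for rt in route_tables:
        if rt["OwnerId"] == egress_account:
            continue  # the egress VPC is the one place an IGW default route belongs
        for route in rt["Routes"]:
            is_default = (
                route.get("DestinationCidrBlock") == "0.0.0.0/0"
                or route.get("DestinationIpv6CidrBlock") == "::/0"
            )
            target = route.get("GatewayId") or route.get("EgressOnlyInternetGatewayId") or ""
            if is_default and target.startswith(("igw-", "eigw-")):
                findings.append(rt["RouteTableId"])
                break
    return findings


# Constructed sample resembling describe-route-tables output across three accounts.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-spoke-ok", "OwnerId": "222222222222", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0abc"},
    ]},
    {"RouteTableId": "rtb-spoke-bypass", "OwnerId": "333333333333", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
    ]},
    {"RouteTableId": "rtb-egress-public", "OwnerId": EGRESS_ACCOUNT_ID, "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0456"},
    ]},
]

if __name__ == "__main__":
    print("spoke may create IGW:", not scp_denies(DENY_IGW_SCP, "ec2:CreateInternetGateway", "222222222222"))
    print("egress account may create IGW:", not scp_denies(DENY_IGW_SCP, "ec2:CreateInternetGateway", EGRESS_ACCOUNT_ID))
    print("route tables bypassing egress VPC:", find_bypass_routes(SAMPLE_ROUTE_TABLES, EGRESS_ACCOUNT_ID))
```

The SCP only stops new gateways; any internet gateway that existed before the policy was attached keeps working, which is why the route-table audit belongs beside it. In a real deployment the audit would feed `find_bypass_routes` with the output of `describe-route-tables` from each member account rather than the constructed sample.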