Easy · 1 mark · Multiple Choice
Domain 1.2: Secure Workloads · Tags: Domain 1, Security, VPC, NACL

AWS SAA-C03 · Question 11 · Domain 1.2: Secure Workloads

A solutions architect is configuring network security for a VPC. The architect needs to explicitly deny traffic from a specific malicious IP address from reaching any resources in a public subnet. Which AWS feature should the architect use?

Answer options:

A. Security Group

B. Network Access Control List (NACL)

C. Route Table

D. AWS WAF

How to approach this question

Remember that Security Groups are stateful and allow-only. NACLs are stateless and support explicit deny rules.

Full Answer

B. Network Access Control List (NACL) ✓ Correct

A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs support explicit deny rules, making them the correct choice for blocking a specific IP address.

Common mistakes

Choosing Security Groups, forgetting that they cannot explicitly deny traffic.
