ExpertMedium1 markMultiple Choice
AWS SAA-C03 · Question 07 · Domain 1.2: Secure Workloads
A solutions architect is designing a VPC. The requirement is to block a specific malicious IP address from accessing the VPC, while allowing legitimate HTTP traffic to reach EC2 instances. Which TWO actions should be taken? (Select TWO.)
A solutions architect is designing a VPC. The requirement is to block a specific malicious IP address from accessing the VPC, while allowing legitimate HTTP traffic to reach EC2 instances. Which TWO actions should be taken? (Select TWO.)
Answer options:
A.
Add a deny rule for the malicious IP address in the Network ACL.
B.
Add a deny rule for the malicious IP address in the Security Group.
C.
Add an allow rule for port 80 in the Security Group attached to the EC2 instances.
D.
Configure AWS WAF to block the IP address at the VPC level.
E.
Use Route 53 to route traffic away from the malicious IP.
How to approach this question
Remember that NACLs support DENY rules, while Security Groups only support ALLOW rules.
Full Answer
Network ACLs are stateless and support explicit deny rules, making them ideal for blocking specific IPs. Security Groups are stateful and only support allow rules, used to permit legitimate traffic.
Common mistakes
Trying to add a deny rule to a Security Group.
Practice the full AWS SAA-C03 Practice Exam 3
65 questions · hints · full answers · grading
More questions from this exam
Q01A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only...EasyQ02A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...MediumQ03A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (AL...EasyQ04A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized ...MediumQ05A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. T...Medium