A solutions architect is designing a VPC. The requirement is to block a specific malicious IP address from accessing the VPC, while allowing legitimate HTTP traffic to reach EC2 instances. Which TWO actions should be taken? (Select TWO.)

Answer options:

Add a deny rule for the malicious IP address in the Network ACL.

Add a deny rule for the malicious IP address in the Security Group.

Add an allow rule for port 80 in the Security Group attached to the EC2 instances.

Configure AWS WAF to block the IP address at the VPC level.

Use Route 53 to route traffic away from the malicious IP.

How to approach this question

Remember that NACLs support DENY rules, while Security Groups only support ALLOW rules.

Full Answer

Use a NACL to deny the IP, and a Security Group to allow HTTP.

Network ACLs are stateless and support explicit deny rules, making them ideal for blocking specific IPs. Security Groups are stateful and only support allow rules, used to permit legitimate traffic.

Common mistakes

Trying to add a deny rule to a Security Group.

Question 06 All questions Question 08

Practice the full AWS SAA-C03 Practice Exam 3

65 questions · hints · full answers · grading

More questions from this exam

Q01A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only...Easy Q02A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Medium Q03A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (AL...Easy Q04A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized ...Medium Q05A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. T...Medium

View all 65 questions →