ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 1.2: Secure WorkloadsSecurityVPCNACLSecurity Groups

AWS SAA-C03 · Question 14 · Domain 1.2: Secure Workloads

A company is deploying a new application on Amazon EC2 instances. The security team requires that all network traffic to and from the instances be strictly controlled. Specifically, they want to block traffic from a known malicious IP address at the subnet level, and only allow HTTP/HTTPS traffic to the instances. <br/><br/>Which TWO actions should the solutions architect take? (Select TWO.)

Answer options:

A.

Create a Network ACL and add a deny rule for the malicious IP address.

B.

Configure a Security Group to deny traffic from the malicious IP address.

C.

Configure a Security Group to allow inbound HTTP and HTTPS traffic and attach it to the EC2 instances.

D.

Create an AWS WAF rule to block the malicious IP address and attach it to the EC2 instances.

E.

Modify the VPC Route Table to route traffic from the malicious IP to a blackhole.

How to approach this question

Remember that NACLs are stateless and support DENY rules, while Security Groups are stateful and only support ALLOW rules.

Full Answer

Create a Network ACL and add a deny rule for the malicious IP address.<br/>Configure a Security Group to allow inbound HTTP and HTTPS traffic and attach it to the EC2 instances.
Network ACLs (NACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. They support explicit DENY rules. Security Groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. They only support ALLOW rules.

Common mistakes

Trying to use a Security Group to explicitly deny an IP address.
13All questions15

Practice the full AWS SAA-C03 Practice Exam 4

65 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...MediumQ02An application running on Amazon EC2 instances needs to access an Amazon DynamoDB table. Both res...EasyQ03A company is designing a web application that will be hosted on AWS. The application will use an ...MediumQ04A company is building a mobile app that requires users to authenticate using their social media a...HardQ05A solutions architect is designing a VPC for a three-tier web application. The database tier must...Medium
View all 65 questions →