A company is designing a VPC for a multi-tier web application. They need to block specific malicious IP addresses from accessing the web servers, while allowing legitimate HTTPS traffic. Which TWO actions should the solutions architect take? (Select TWO.)

Answer options:

Add a deny rule for the malicious IPs in the Security Group.

Add a deny rule for the malicious IPs in the Network ACL.

Add an allow rule for port 443 (HTTPS) in the Security Group.

Configure AWS Shield Standard to block the specific IP addresses.

Use an IAM policy to deny access from the malicious IPs.

How to approach this question

Understand the difference between Security Groups (allow only, stateful) and Network ACLs (allow/deny, stateless).

Full Answer

Add a deny rule for the malicious IPs in the Network ACL., Add an allow rule for port 443 (HTTPS) in the Security Group.

Network ACLs operate at the subnet level and support explicit deny rules to block specific IPs. Security Groups operate at the instance level and only support allow rules to permit legitimate traffic.

Common mistakes

Trying to use Security Groups to deny traffic.

Question 02 All questions Question 04

Practice the full AWS SAA-C03 Practice Exam 5

65 questions · hints · full answers · grading

More questions from this exam

Q01A company needs to grant an external auditor read-only access to specific AWS resources. The audi...Easy Q02An application running on EC2 instances needs to access objects in an S3 bucket. The security tea...Medium Q04A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Hard Q05A company hosts a web application on an Application Load Balancer (ALB). They are experiencing SQ...Medium Q06A financial company requires that all data stored in Amazon S3 is encrypted at rest using keys ma...Hard

View all 65 questions →