Medium · 1 mark · Multiple Choice

AWS SAA-C03 · Question 13 · Domain 1.2: Secure Workloads

A company wants to secure its VPC network. They need to explicitly deny traffic from a specific malicious IP address from reaching their EC2 instances. Which TWO methods can be used to achieve this? (Select TWO.)

Answer options:

A. Add a deny rule to the Security Group attached to the EC2 instances.

B. Add a deny rule to the Network ACL associated with the subnet.

C. Use AWS WAF to block the IP address if the traffic is HTTP/HTTPS via an ALB.

D. Configure an AWS Transit Gateway to drop the packets.

E. Modify the VPC Route Table to route the IP to a blackhole.

How to approach this question

Remember that Security Groups cannot have DENY rules. NACLs and WAF can.

Full Answer

B. Add a deny rule to the Network ACL associated with the subnet.
C. Use AWS WAF to block the IP address if the traffic is HTTP/HTTPS via an ALB.

Network ACLs support explicit deny rules that block specific IP addresses; since NACL rules are evaluated in ascending rule-number order, the deny rule must be numbered lower than any allow rule that would otherwise match the traffic. If the application is web-based and fronted by an ALB, AWS WAF can also block the IP address.

Common mistakes

Selecting Security Groups: they are default-deny and accept only ALLOW rules, so there is no way to write an explicit deny rule in a Security Group.
