For Individuals For Educators

Ace your certifications with Practice Exams and AI assistance.

Browse Exams
For Educators
Blog

Privacy Policy
Terms of Service
Cookie Policy
Support

AWS SAA Exam Prep
PMI PMP Exam Prep
CPA Exam Prep
GCP PCA Exam Prep

© 2026 TinyHive Labs. Company number 16262776.

Practice AWS Solutions Architect Associate (SAA-C03)AWS SAA-C03 Practice Exam 7Question 13

Medium1 markMultiple Choice

Domain 1.2: Secure WorkloadsSecurityNACLWAF

AWS SAA-C03 · Question 13 · Domain 1.2: Secure Workloads

A company wants to secure its VPC network. They need to explicitly deny traffic from a specific malicious IP address from reaching their EC2 instances. Which TWO methods can be used to achieve this? (Select TWO.)

Answer options:

A.

Add a deny rule to the Security Group attached to the EC2 instances.

B.

Add a deny rule to the Network ACL associated with the subnet.

C.

Use AWS WAF to block the IP address if the traffic is HTTP/HTTPS via an ALB.

D.

Configure an AWS Transit Gateway to drop the packets.

E.

Modify the VPC Route Table to route the IP to a blackhole.

How to approach this question

Remember that Security Groups cannot have DENY rules. NACLs and WAF can.

Full Answer

Network ACLs support explicit deny rules to block specific IPs. If the application is web-based, AWS WAF can also be used to block IPs.

Common mistakes

Selecting Security Groups, forgetting that they are default-deny and only accept ALLOW rules.

Question 12 All questions Question 14

Practice the full AWS SAA-C03 Practice Exam 7

65 questions · hints · full answers · grading

Sign up free Take the exam

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team needs...Medium Q02An application runs on Amazon EC2 instances and needs to access an Amazon S3 bucket. What is the ...Easy Q03A company wants to implement federated access to the AWS Management Console for its employees usi...Medium Q04A company is building a mobile application that requires users to sign in using their social medi...Easy Q05A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. H...Medium

View all 65 questions →