AWS Certified SAP on AWS – Specialty (PAS-C01) — Question 19

A company hosts multiple SAP applications on Amazon EC2 instances in a VPC. While monitoring the environment, the company notices that multiple port scans are attempting to connect to SAP portals inside the VPC. These port scans are originating from the same IP address block. The company must deny access to the VPC from all the offending IP addresses for the next 24 hours.
Which solution will meet this requirement?

Answer options

Correct answer: A

Explanation

The correct answer is A because modifying the network ACLs blocks the traffic at the subnet level, which is what is needed to deny access from the specified IP address block. Option B is incorrect because security groups are stateful and are not the best method for blocking traffic from multiple IP addresses for a specific duration. Option C does not apply because IAM policies do not control network traffic. Option D would only block traffic at the instance level, not at the VPC level, making it less effective for this scenario.
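The practical detail behind answer A is that a network ACL evaluates rules in ascending rule-number order and stops at the first match, so a deny for the scanning block must get a lower rule number than the allow rule that currently admits the traffic. The following added example (not part of the exam material, written for this page) simulates that evaluation with constructed rules and a constructed source range from the RFC 5737 documentation space, and shows why a deny numbered above an allow-all rule has no effect:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int           # evaluated lowest-first; the first matching rule wins
    action: str           # "allow" or "deny"
    cidr: str
    protocol: str = "-1"  # "-1" = all protocols, "6" = TCP (AWS numbering)
    port_from: int = 0
    port_to: int = 65535


def evaluate(rules, src_ip, protocol="6", port=443):
    """Decide 'allow' or 'deny' for one inbound packet the way a network ACL does:
    rules are checked in ascending number order, first match wins, and the
    implicit '*' rule denies anything that matched nothing."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"


def block_cidr(rules, cidr):
    """Return a new rule list with a DENY for `cidr` numbered below every existing
    rule, so it is evaluated before the allow rules that admit the traffic today."""
    lowest = min(r.number for r in rules) if rules else 100
    if lowest <= 1:  # rule numbers start at 1; nothing lower is available
        raise ValueError("no free rule number below existing rules; renumber the ACL")
    return rules + [NaclRule(number=lowest - 1, action="deny", cidr=cidr)]


# Constructed sample: a subnet whose inbound ACL allows everything at rule 100.
EXISTING = [NaclRule(number=100, action="allow", cidr="0.0.0.0/0")]
SCANNER_BLOCK = "198.51.100.0/24"  # constructed offending range (RFC 5737 space)


def demo():
    wrong = EXISTING + [NaclRule(number=200, action="deny", cidr=SCANNER_BLOCK)]
    right = block_cidr(EXISTING, SCANNER_BLOCK)
    return {
        "deny_after_allow": evaluate(wrong, "198.51.100.7"),   # allow-all at 100 wins
        "deny_before_allow": evaluate(right, "198.51.100.7"),  # deny at 99 wins
        "unaffected_client": evaluate(right, "203.0.113.5"),   # still allowed
    }
```

Because network ACLs are stateless, a matching outbound deny is worth adding as well, and the 24-hour window is handled by removing the rule afterwards (for example from a scheduled job), which the simulation above does not cover.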