AWS Certified Security – Specialty — Question 7
A distributed web application is installed across several EC2 instances in public subnets residing in two Availability Zones. Apache logs show several intermittent brute-force attacks from hundreds of IP addresses at the layer 7 level over the past six months.
What would be the BEST way to reduce the potential impact of these attacks in the future?
Answer options
- A. Use custom route tables to prevent malicious traffic from routing to the instances.
- B. Update security groups to deny traffic from the originating source IP addresses.
- C. Use network ACLs.
- D. Install intrusion prevention software (IPS) on each instance.
Correct answer: D
Explanation
A host-based IPS is the only listed option that operates at layer 7, where these attacks happen. It inspects the requests the instance actually receives (the same data the Apache logs capture), so it can recognize repeated failed logins from one source and drop that source's traffic in real time while still serving legitimate clients on the same ports. With hundreds of intermittent source addresses, it is also the only option that scales, because the block decision is made and enforced on the instance itself rather than in a finite list of network rules.

Why the other options fall short:

- A. Route tables choose the next hop for traffic leaving a subnet; they cannot filter inbound traffic by source address, so they do nothing against this attack.
- B. Security groups are allow-only. They have no deny rules, so specific source addresses cannot be blocked with them at all.
- C. Network ACLs do support deny rules, but they are stateless layer 3/4 filters with a small per-ACL rule quota (20 rules by default, adjustable up to 40). That cannot keep up with hundreds of changing sources, and an ACL has no visibility into the HTTP-level pattern that distinguishes a brute-force attempt from a normal request.

In practice, AWS WAF rate-based rules in front of the instances (on an Application Load Balancer or CloudFront) are the managed way to address layer-7 brute forcing; none of the options offers it, so among the four, a host-based IPS is the best choice.
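To make the layer-7 point concrete, here is an added example (not part of the original question or its answer key) of the detection logic a host-based IPS applies: it parses Apache combined-format access log lines, counts failed POST /login attempts per source IP inside a sliding window, and emits the block decisions. The log lines, the /login path, the 5-failures-in-60-seconds policy and the iptables rule format are constructed assumptions for illustration, not values from the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format (assumption: the instances log in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: three documentation-range source IPs hitting a login form.
LOG_LINES = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:07 +0000] "GET /static/app.js HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:13 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:14 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:55:18 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:02:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:14:09:55 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
"""

# Detection policy (assumed values, fail2ban-style): THRESHOLD failed logins
# from one source inside WINDOW triggers a block of that source.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(ev):
    """The layer-7 signal a NACL or security group cannot see: a rejected login POST."""
    return (ev["method"] == "POST"
            and ev["path"].startswith("/login")
            and ev["status"] in (401, 403))


def find_brute_forcers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: timestamp of the failure that triggered the block}."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        ip = ev["ip"]
        if ip in blocked:
            continue              # already dropped; a real IPS would not even log these
        q = recent[ip]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # slide the window forward, evicting old failures
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ev["ts"]
    return blocked


def block_commands(blocked):
    """Host-level enforcement: the kind of rule a host IPS such as fail2ban installs
    (assumed iptables form; nothing is executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_brute_forcers(LOG_LINES.splitlines())
    for ip, ts in hits.items():
        print(f"{ip} blocked at {ts.isoformat()}")
    for cmd in block_commands(hits):
        print(cmd)
```

On the sample, only 203.0.113.5 crosses five failures inside one minute; 192.0.2.9 stops at four and 198.51.100.7 spreads its three attempts over fifteen minutes, so neither is blocked under the default policy (lower the threshold to 3 and 192.0.2.9 is caught too). The decision is taken and enforced on the instance from what it observed at layer 7, which is why it needs no NACL rule and keeps working no matter how many distinct sources show up.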