AWS Certified Solutions Architect – Associate (SAA-C03) — Question 478

A company operates a two-tier application for image processing. The application uses two Availability Zones, each with one public subnet and one private subnet. An Application Load Balancer (ALB) for the web tier uses the public subnets. Amazon EC2 instances for the application tier use the private subnets.

Users report that the application is running more slowly than expected. A security audit of the web server log files shows that the application is receiving millions of illegitimate requests from a small number of IP addresses. A solutions architect needs to resolve the immediate performance problem while the company investigates a more permanent solution.

What should the solutions architect recommend to meet this requirement?

Answer options

Correct answer: B

Explanation

Security groups in AWS are stateful and support allow rules only, so explicitly blocking source IP addresses has to be done with network ACLs, which support both allow and deny rules. Because the illegitimate traffic first enters the public subnets where the Application Load Balancer (ALB) resides, adding an inbound deny rule to the web tier's network ACL blocks the malicious traffic at the subnet boundary before it reaches the application.

Blocking the traffic at the application-tier (private) subnets instead would be ineffective: the ALB in the web tier would still be overwhelmed processing the millions of requests before they were dropped.
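The following added example (not from the exam or from AWS's own tooling) models how a VPC network ACL evaluates inbound rules: ascending rule number, first match wins, implicit final deny. It shows why the deny entries for the abusive sources must be numbered below the web tier's broad allow rule, and that a deny placed after the allow does nothing. The rule set and the source addresses are constructed placeholders.

```python
"""Model of VPC network ACL inbound evaluation (added illustration, not AWS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    rule_number: int          # 1..32766, evaluated lowest number first
    action: str               # "allow" or "deny"
    cidr: str                 # source CIDR for an inbound rule
    protocol: str = "-1"      # "-1" = all protocols, "6" = TCP, "17" = UDP
    port_from: int = 0
    port_to: int = 65535


def evaluate_inbound(rules: List[NaclRule], src_ip: str, protocol: str = "6",
                     port: int = 443) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) of the first matching rule; ("deny", None) is the implicit '*' rule."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action, rule.rule_number
    return "deny", None


def block_sources(rules: List[NaclRule], abusive_ips: List[str],
                  first_rule_number: int = 1) -> List[NaclRule]:
    """Add one /32 deny per abusive source, numbered below every existing rule so they match first."""
    lowest_existing = min((r.rule_number for r in rules), default=32767)
    if first_rule_number + len(abusive_ips) > lowest_existing:
        raise ValueError("no free rule numbers below the existing rules; renumber the allow rule first")
    denies = [NaclRule(first_rule_number + i, "deny", f"{ip}/32")
              for i, ip in enumerate(abusive_ips)]
    return denies + list(rules)


# Constructed web-tier inbound ACL: HTTPS, HTTP, and ephemeral ports for return traffic
# (network ACLs are stateless, unlike security groups).
WEB_TIER_INBOUND = [
    NaclRule(100, "allow", "0.0.0.0/0", "6", 443, 443),
    NaclRule(110, "allow", "0.0.0.0/0", "6", 80, 80),
    NaclRule(120, "allow", "0.0.0.0/0", "6", 1024, 65535),
]
# Constructed placeholders (documentation ranges), standing in for the IPs found in the web logs.
ABUSIVE_SOURCES = ["198.51.100.23", "203.0.113.77"]

if __name__ == "__main__":
    hardened = block_sources(WEB_TIER_INBOUND, ABUSIVE_SOURCES)
    print("before:", evaluate_inbound(WEB_TIER_INBOUND, "198.51.100.23"))   # ('allow', 100)
    print("after: ", evaluate_inbound(hardened, "198.51.100.23"))           # ('deny', 1)
```

A deny appended with a higher rule number than the allow (for example 200) never matches, because rule 100 already admitted the packet; the test below checks that case too.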