AWS Certified Solutions Architect – Professional — Question 196

An organization is setting a website on the AWS VPC. The organization has blocked a few IPs to avoid a D-DOS attack.
How can the organization configure that a request from the above mentioned IPs does not access the application instances?

Answer options

• A. Create an IAM policy for VPC which has a condition to disallow traffic from that IP address.
• B. Configure a security group at the subnet level which denies traffic from the selected IP.
• C. Configure the security group with the EC2 instance which denies access from that IP address.
• D. Configure an ACL at the subnet which denies the traffic from that IP address.

Correct answer: D

Explanation

The correct answer is D, as configuring an ACL (Access Control List) at the subnet level is specifically designed to control traffic flow in and out of the subnet, effectively denying requests from the unwanted IP addresses. Options A and B are incorrect because IAM policies and security groups at the subnet level do not provide the same level of control for blocking IP addresses as an ACL does. Option C is also incorrect as it only pertains to traffic directed at the EC2 instance and does not manage subnet-level traffic.