AWS Certified SysOps Administrator – Associate — Question 128

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.

Which solution will meet this requirement?

Answer options

• A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance.
• B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
• C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address.
• D. Create a new security group to block traffic to the external IP address. Assign the new security group to the entire VPC.

Correct answer: C

Explanation

The correct answer is C because a network ACL allows you to create specific rules for inbound and outbound traffic at the subnet level, making it effective for blocking traffic to a particular IP address. Option A is incorrect as security groups are stateful and do not provide outbound deny capabilities, while option B involves analysis rather than immediate blocking. Option D incorrectly suggests applying a security group to the entire VPC, which is not feasible for this scenario.