AWS Certified SysOps Administrator – Associate (legacy) — Question 552

Security has identified an IP address that should be explicitly denied for both ingress and egress requests for all services in an Amazon VPC immediately.
Which feature can be used to meet this requirement?

Answer options

Correct answer: C

Explanation

Network access control lists (NACLs) operate at the subnet level and support explicit deny rules for both inbound (ingress) and outbound (egress) traffic, making them the correct choice to block a specific IP address immediately. Security Groups do not support deny rules, only allow rules, meaning they cannot be used to explicitly block an IP. Host-based firewalls would require configuration on each individual instance rather than VPC-wide, and NAT Gateways are used for routing outbound traffic from private subnets, not for IP address filtering.
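As an added example (not part of the question page or of any AWS-provided code), a small POSIX shell helper that builds the two AWS CLI calls an operator would run to add the explicit deny described above; the ACL id and IP address in the usage comment are placeholders, and the flags are those of `aws ec2 create-network-acl-entry`.

```shell
# Added example, not from the original page. Emits (or, with APPLY=1, runs)
# the AWS CLI calls that add an explicit deny for one IPv4 address to a NACL.
# Two facts drive the shape of this: NACLs are stateless, so ingress and
# egress are separate rule tables and each needs its own deny; and rules are
# evaluated in ascending rule-number order with first match winning, so the
# deny must carry a lower number than any existing allow rule.

# valid_ipv4 <addr>: accept only a dotted quad with octets 0-255
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# nacl_deny_ip <acl-id> <ipv4-address> <rule-number>
# e.g. nacl_deny_ip acl-0123456789abcdef0 203.0.113.7 10   (placeholder values)
nacl_deny_ip() {
  acl_id=$1; ip=$2; rule=$3
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  case "$rule" in ""|*[!0-9]*) echo "rule number must be numeric" >&2; return 1 ;; esac
  # AWS reserves 32767 for the implicit deny-all; 1..32766 is the usable range
  [ "$rule" -ge 1 ] && [ "$rule" -le 32766 ] || { echo "rule number out of range" >&2; return 1; }
  for direction in ingress egress; do
    # --protocol -1 matches all protocols, so no --port-range is needed
    set -- ec2 create-network-acl-entry --network-acl-id "$acl_id" \
      --rule-number "$rule" --protocol -1 --rule-action deny \
      --cidr-block "$ip/32" "--$direction"
    if [ "${APPLY:-0}" = 1 ]; then aws "$@"; else echo "aws $*"; fi
  done
}
```

Without `APPLY=1` the function only prints the commands, so it can be reviewed before anything touches the VPC.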