AWS Certified SysOps Administrator – Associate (legacy) — Question 691

You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

Answer options

• A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block
• B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
• C. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block
• D. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block

Correct answer: B

Explanation

Network ACLs (NACLs) operate at the subnet level and support explicit "deny" rules, making them the quickest and most effective way to block a specific IP address block. Security Groups do not support "deny" rules, as they only allow traffic by default and deny everything else. Modifying host-based Windows Firewalls or AMIs is highly inefficient, slow to propagate, and complex compared to a centralized NACL change.