PAS-C01 · Question #134
A company hosts multiple SAP applications on Amazon EC2 instances in a VPC. While monitoring the environment, the company notices that multiple port scans are attempting to connect to SAP portals insi
The correct answer is A. Modify network ACLs that are associated with all public subnets in the VPC to deny access from. Network ACLs are the correct AWS-native control to block IP address ranges at the subnet level because, unlike security groups, they support explicit deny rules.
Question
A company hosts multiple SAP applications on Amazon EC2 instances in a VPC. While monitoring the environment, the company notices that multiple port scans are attempting to connect to SAP portals inside the VPC. These port scans are originating from the same IP address block. The company must deny access to the VPC from all the offending IP addresses for the next 24 hours. Which solution will meet this requirement?
Options
- AModify network ACLs that are associated with all public subnets in the VPC to deny access from
- BAdd a rule in the security group of the EC2 instances to deny access from the IP address block.
- CCreate a policy in AWS Identity and Access Management (IAM) to deny access from the IP
- DConfigure the firewall in the operating system of the EC2 instances to deny access from the IP
How the community answered
(43 responses)- A84% (36)
- B2% (1)
- C5% (2)
- D9% (4)
Why each option
Network ACLs are the correct AWS-native control to block IP address ranges at the subnet level because, unlike security groups, they support explicit deny rules.
Network ACLs operate at the subnet level and support both allow and deny rules, making them the proper tool to block an offending IP address block across all resources in a VPC's public subnets. Adding a DENY rule to all associated public subnet NACLs will drop traffic from the offending IP range before it reaches any EC2 instance. This approach is centralized, stateless, and effective for temporary IP-based blocking.
Security groups are stateful and only support allow rules - there is no mechanism to add an explicit deny rule in a security group, so blocking specific IP ranges is not possible through this method.
IAM policies control AWS API access and permissions for AWS service resources, not network-level traffic flowing to EC2 instances inside a VPC.
Configuring OS-level firewalls on each individual EC2 instance is not scalable, requires direct access to every instance, and is not a centralized or efficient AWS-native solution for this use case.
Concept tested: Network ACL deny rules for VPC IP blocking
Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Topics
Community Discussion
No community discussion yet for this question.