nerdexam
Amazon

PAS-C01 · Question #134

A company hosts multiple SAP applications on Amazon EC2 instances in a VPC. While monitoring the environment, the company notices that multiple port scans are attempting to connect to SAP portals insi

The correct answer is A. Modify network ACLs that are associated with all public subnets in the VPC to deny access from. Network ACLs are the correct AWS-native control to block IP address ranges at the subnet level because, unlike security groups, they support explicit deny rules.

Operation and Maintenance of SAP Workloads on AWS

Question

A company hosts multiple SAP applications on Amazon EC2 instances in a VPC. While monitoring the environment, the company notices that multiple port scans are attempting to connect to SAP portals inside the VPC. These port scans are originating from the same IP address block. The company must deny access to the VPC from all the offending IP addresses for the next 24 hours. Which solution will meet this requirement?

Options

  • AModify network ACLs that are associated with all public subnets in the VPC to deny access from
  • BAdd a rule in the security group of the EC2 instances to deny access from the IP address block.
  • CCreate a policy in AWS Identity and Access Management (IAM) to deny access from the IP
  • DConfigure the firewall in the operating system of the EC2 instances to deny access from the IP

How the community answered

(43 responses)
  • A
    84% (36)
  • B
    2% (1)
  • C
    5% (2)
  • D
    9% (4)

Why each option

Network ACLs are the correct AWS-native control to block IP address ranges at the subnet level because, unlike security groups, they support explicit deny rules.

AModify network ACLs that are associated with all public subnets in the VPC to deny access fromCorrect

Network ACLs operate at the subnet level and support both allow and deny rules, making them the proper tool to block an offending IP address block across all resources in a VPC's public subnets. Adding a DENY rule to all associated public subnet NACLs will drop traffic from the offending IP range before it reaches any EC2 instance. This approach is centralized, stateless, and effective for temporary IP-based blocking.

BAdd a rule in the security group of the EC2 instances to deny access from the IP address block.

Security groups are stateful and only support allow rules - there is no mechanism to add an explicit deny rule in a security group, so blocking specific IP ranges is not possible through this method.

CCreate a policy in AWS Identity and Access Management (IAM) to deny access from the IP

IAM policies control AWS API access and permissions for AWS service resources, not network-level traffic flowing to EC2 instances inside a VPC.

DConfigure the firewall in the operating system of the EC2 instances to deny access from the IP

Configuring OS-level firewalls on each individual EC2 instance is not scalable, requires direct access to every instance, and is not a centralized or efficient AWS-native solution for this use case.

Concept tested: Network ACL deny rules for VPC IP blocking

Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Topics

#Network ACLs#VPC Security#IP Blocking#Threat Response

Community Discussion

No community discussion yet for this question.

Full PAS-C01 Practice