Exam AWS-SysOps topic 1 question 1 discussion

Exam question from Amazon's AWS-SysOps

Question #: 1
Topic #: 1

You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block
C. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block
D. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block

Show Suggested Answer

Suggested Answer: B 🗳️
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

by FHU at May 14, 2021, 11:38 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

FHU

Highly Voted 3 years, 7 months ago

B is the correct answer. Network ACL is intended to be used as a firewall. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

upvoted 8 times

...

[Removed]

Highly Voted 8 months, 1 week ago

B is correct cause NACL is subnet level firewall and SG are Instance level firewall.

upvoted 7 times

...

BATSIE

Most Recent 1 year, 2 months ago

Selected Answer: B

subnet level- security group ip address level- nacl

upvoted 1 times

...

ft_cloud

1 year, 6 months ago