Exam AWS Certified Security - Specialty topic 1 question 253 discussion

I would go with A. anything that has o do with deny external source IP needs NACLS and not SG to block it.

The question is intentionally vague. What is the purpose of the phrase " TCP port remains open for long periods of time"?! And using "needs to stop all activity to this port from the external source" in the request, does that mean this specific source or "external source" in the general meaning? I would go with option B. By removing any inbound rule toward that specific port in the instance SG, that would fulfill the ask.

Security Group can't deny a source IP, allowing source IP though, like white list. NACL can deny source IP list black list.

NACL is for VPC and subnet, SG is for EC2. Since the question is asking to deny to inbound to EC2, the B is the best answer

"... remove the port from the inbound rule list" in Security Group is the way to go, otherwise entire subnet will be affected.

Security groups act as virtual firewalls for your instances. You can add inbound and outbound rules to control the traffic to and from instances. Adding a Deny entry in the inbound rule list for the specific port and the source IP addresses that are causing the issue will prevent traffic from that source to the specified port on the EC2 instance, while still allowing other traffic to the instance. This solution is targeted and efficient.

A is the only option that makes sense. An elastic network interface (ENI) is a logical networking component in an Amazon VPC that represents a virtual network card. However it has nothing to do with finding a resolution to the problem. Furthermore, the network ACL blocks unwanted traffic at the subnet level. Answer D is also a bad choice because creating a new network ACL is not necessary to resolve the problem. A

A. Security group rules are implicit deny, which means all traffic is denied unless an inbound or outbound rule explicitly allows it, which eliminates B and C. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html D is definitely a big nono, due to denying all traffic will affect the application being unavailable to other users.

"top all activity to this port from the external source " - this statement made me pick option A.

The best option for the given situation is to update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source IP addresses. This will allow the application to remain available to other users while blocking any traffic from the external source to the open TCP port. Option A, which is to update the network ACL that is attached to the subnet that is associated with the EC2 instance, would not meet the requirements because the ACL is for the entire subnet and not just the EC2 instance.

Not sure why comments keeping mentioning that B states 'deny entry' when it doesn't? Option A, Updating the network ACL that is attached to the subnet that is associated with the EC2 instance by adding a Deny statement for the port and the source IP addresses, would not be an effective method as network ACLs operate at the subnet level, not the instance level, and would block all traffic to the entire subnet, not just the specific port.

A: Deny traffic to the instance from the source IP is correct (will only block traffic from that IP) B: You cannot explicitly deny anything in an SG. Only allow statements C: bogus D: that answer will basically make the instance unusable. Deny all traffic from the instance??? Eh no.

Question says PORT and not any specific IP thus it has to be B and not A as A can impact working of other applications

B is correct. The question specifically asks to block the port for the instance. A will impact other applications within the subnet.

I would go for A as well.

A is right

Block External Source IP = NACL is the man for the job