ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SysOps Administrator - Associate All Questions

View all questions & answers for the AWS Certified SysOps Administrator - Associate exam
Go to Exam

Exam AWS Certified SysOps Administrator - Associate topic 1 question 196 discussion

Exam question from Amazon's AWS Certified SysOps Administrator - Associate
Question #: 196
Topic #: 1
[All AWS Certified SysOps Administrator - Associate Questions]

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.

Which solution will meet this requirement?

  • A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance.
  • B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
  • C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address.
  • D. Create a new security group to block traffic to the external IP address. Assign the new security group to the entire VPC.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by beznika at Dec. 18, 2022, 2:29 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
beznika
Highly Voted 2 years, 8 months ago
Security groups are out because you allow traffic using security groups not block. VPC flow logs with Athena? How can that help? And the ACL outbound rule to block the IP? ACL makes the most sense because if the IP is the destination the outbound rule to block will do. However it would make more sense to modify existing ACL because a subnet can be associated with only one ACL. So I am going to say C is the correct one.
upvoted 6 times
...
Yadong
Most Recent 1 week, 2 days ago
Selected Answer: C
Security group couldn't block a specific IP. It's deny all but allow rules.
upvoted 1 times
...
10cc6ba
1 year, 1 month ago
Selected Answer: C
C only 100%
upvoted 2 times
...
Christina666
2 years ago
Selected Answer: C
C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address. Explanation: Network Access Control Lists (NACLs) are used to control the traffic entering and exiting subnets in a VPC. They operate at the subnet level and are stateless, meaning that both inbound and outbound rules must be explicitly defined. By adding an outbound deny rule for traffic to the specific external IP address identified by GuardDuty, you can block any communication from the EC2 instance to that IP address.
upvoted 1 times
Christina666
2 years ago
Option A (Create a new security group to block traffic to the external IP address and assign it to the EC2 instance) is incorrect because security groups control inbound and outbound traffic to and from an EC2 instance, but they cannot be used to block traffic to external IP addresses. They only allow you to specify allowed traffic based on ports and protocols. Option B (Use VPC flow logs with Amazon Athena to block traffic to the external IP address) is incorrect because VPC flow logs do not have the capability to block traffic. They are used for monitoring and logging network traffic, but they cannot be used for active traffic control. Option D (Create a new security group to block traffic to the external IP address and assign it to the entire VPC) is incorrect because, like in Option A, security groups are not meant to block traffic to specific external IP addresses. Assigning the security group to the entire VPC will not achieve the goal of blocking traffic to the specific IP address identified by GuardDuty.
upvoted 2 times
jipark
2 years ago
why not A. security group can only allow traffic. why C. NACL deny/allow traffic by creating new one.
upvoted 2 times
...
...
...
pepecastr0
2 years, 2 months ago
C, best way to block outbound traffic, but I'm not sure why you need to create a new NACL instead of add the rule to the existing one
upvoted 1 times
...
zolthar_z
2 years, 8 months ago
Selected Answer: C
Answer is C, ACL is the only way to block outbound traffic
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel