You are currently hosting multiple applications in a VPC and have logged numerous port scans
coming in from a specific IP address block. Your security team has requested that all access from
the offending IP address block be denied for the next 24 hours.
Which of the following is the best method to quickly and temporarily deny access from the
specified IP address block?
A.
Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny
access from the IP address block
B.
Modify the Network ACLs associated with all public subnets in the VPC to deny access from the
IP address block
C.
Add a rule to all of the VPC's Security Groups to deny access from the IP address block
D.
Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your
organization uses in that VPC to deny access from the IP address block
Explanation:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
Answer: B
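The following Python model is an added illustration, not part of the question, the linked documentation, or any commenter's post. It mimics the two evaluation models behind option B: a network ACL is an ordered list of numbered allow/deny rules where the lowest-numbered match wins (with an implicit deny at the end), while a security group holds allow rules only. The CIDR, rule numbers and `acl-PLACEHOLDER` identifier are constructed values; the `aws ec2 create-network-acl-entry` / `delete-network-acl-entry` command strings are built only for reference and are not executed.

```python
"""Constructed model of AWS network ACL vs. security group rule evaluation.

Not AWS code: it reproduces the documented evaluation order closely enough to
show why a temporary deny for an IP block belongs in the NACL, and why the
rule number chosen for that deny matters.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int          # NACL rules are evaluated in ascending number order
    action: str          # "allow" or "deny"
    cidr: str
    protocol: str = "all"


def evaluate_nacl(rules, src_ip, protocol="tcp"):
    """First matching rule wins; the implicit '*' rule at the end denies everything.

    NACLs are stateless, so an ingress deny simply drops inbound packets from
    the block, which is what is wanted against a port scanner.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if src in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action
    return "deny"


class SecurityGroup:
    """Security groups accept allow rules only; unmatched traffic is dropped."""

    def __init__(self):
        self.allowed = []

    def add_rule(self, action, cidr):
        if action != "allow":
            # This is the reason option C cannot work: there is no deny rule.
            raise ValueError("security groups support allow rules only")
        self.allowed.append(ipaddress.ip_network(cidr, strict=False))

    def evaluate(self, src_ip):
        src = ipaddress.ip_address(src_ip)
        return "allow" if any(src in net for net in self.allowed) else "deny"


# Constructed values: RFC 5737 documentation ranges, not real attacker addresses.
OFFENDING_BLOCK = "203.0.113.0/24"
BASELINE_INBOUND = [NaclRule(100, "allow", "0.0.0.0/0")]   # typical default allow


def block_offender(rules, cidr, rule_number):
    """Return a new rule list with an explicit deny for the offending block."""
    return rules + [NaclRule(rule_number, "deny", cidr)]


def nacl_deny_cli(acl_id, cidr, rule_number):
    """Reference CLI string for the change (acl_id is a caller-supplied placeholder)."""
    return (
        "aws ec2 create-network-acl-entry --network-acl-id {} --ingress "
        "--rule-number {} --protocol -1 --rule-action deny --cidr-block {}"
    ).format(acl_id, rule_number, cidr)


def nacl_remove_cli(acl_id, rule_number):
    """Reference CLI string for lifting the block after the 24-hour window."""
    return (
        "aws ec2 delete-network-acl-entry --network-acl-id {} --ingress "
        "--rule-number {}"
    ).format(acl_id, rule_number)


if __name__ == "__main__":
    blocked = block_offender(BASELINE_INBOUND, OFFENDING_BLOCK, 10)
    print("scanner before:", evaluate_nacl(BASELINE_INBOUND, "203.0.113.7"))
    print("scanner after: ", evaluate_nacl(blocked, "203.0.113.7"))
    print("other client:  ", evaluate_nacl(blocked, "198.51.100.5"))
    # Pitfall: a deny numbered above the allow-all rule is never reached.
    misordered = block_offender(BASELINE_INBOUND, OFFENDING_BLOCK, 200)
    print("misordered:    ", evaluate_nacl(misordered, "203.0.113.7"))
    print(nacl_deny_cli("acl-PLACEHOLDER", OFFENDING_BLOCK, 10))
    print(nacl_remove_cli("acl-PLACEHOLDER", 10))
```

The check worth keeping from this model is the rule-number one: the temporary deny must carry a lower number than the existing allow rule or it is never evaluated. Because the block is meant to last 24 hours, record the rule number used so the entry can be deleted afterwards; a NACL holds a limited number of rules per direction, so stale temporary denies should not be left behind.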
A.
It would be best to block at the router layer, not on the instance layer. ACLs block at the router level, while security groups block at the instance level.
Why did you choose A? Your explanation and your answer don't seem to match. Based on your explanation, it should be B.
Then your answer is B, not A!
And it's not about the "router layer"; you actually don't have access to the router. The question centers on "denying" an IP or IPs, and the only way to do that is using NACLs.
So final Answer is B.
Security Groups don't have a deny rule for a specific IP address.
B
b
B – Because I believe security groups are only used to allow access, whereas Network ACLs are used for deny rules as well.
B
A, D – Modifying Windows Firewall settings on all hosts/AMIs is not a VPC security best practice.
C – Security Groups support allow rules only.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
B – ACLs support both allow rules and deny rules, and setting this at the ACL level is a better practice than setting it at the Security Group level.
b
Has anyone taken this certification using these questions?
The questions are very close to the actual exam. Yes, I have, and they work. Don't rely on the answers, though; do your research.
Answer is B to pass exam
Ans: B
B. Security groups can't have deny rules.