Which solution will meet this requirement?
A. Create a new security group to block traffic to the external IP address. Assign the new security group to the EC2 instance.
B. Use VPC flow logs with Amazon Athena to block traffic to the external IP address.
C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address.
D. Create a new security group to block traffic to the external IP address. Assign the new security group to the entire VPC.
Explanations:
A. Security groups are stateful and support only allow rules, so an outbound deny rule cannot be expressed in one. Creating a security group to block the traffic is a step in the right direction, but assigning it to the EC2 instance would not block the traffic, because the existing allow rules would still apply.
B. VPC flow logs and Amazon Athena are monitoring and analysis tools, not enforcement points. They can show that traffic to the external IP address is occurring, but they provide no mechanism to deny it.
C. Creating a network ACL with an outbound deny rule for the suspicious external IP address blocks all traffic to that IP. Network ACLs are stateless and support explicit deny rules, evaluated in rule-number order, so a deny rule placed ahead of the allow rules drops the traffic regardless of what the security groups permit. This makes option C the most suitable solution.
D. As with option A, security groups cannot be used to create outbound deny rules. In addition, a security group is attached to network interfaces, not to a VPC, so applying it "to the entire VPC" would not block traffic to the specified IP for instances that are already assigned different security groups.
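To make the difference between options A and C concrete, the following added example (not part of the original question or its explanations) models the two evaluation behaviours: security groups are allow-only, while a network ACL evaluates numbered rules in ascending order with an implicit deny at the end. The external IP address 203.0.113.10 is a constructed sample value, and the rule numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NaclRule:
    number: int            # evaluated in ascending order; first match wins
    action: str            # "allow" or "deny"
    cidr: str
    protocol: str = "-1"   # "-1" means all protocols
    port_from: int = 0
    port_to: int = 65535

def evaluate_nacl(rules, dst_ip, protocol="tcp", port=443):
    """Return the verdict a network ACL would give for a packet to dst_ip.

    Rules are checked from the lowest number upward; the first rule whose
    CIDR, protocol and port range match decides. If nothing matches, the
    implicit '*' rule at the end denies the packet.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol not in ("-1", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"

def evaluate_security_group(allow_cidrs, dst_ip):
    """Security groups are allow-only: permit if any rule matches, else drop.

    There is no deny rule to add, which is why option A cannot block a
    single destination while a 0.0.0.0/0 egress rule is present.
    """
    ip = ipaddress.ip_address(dst_ip)
    return "allow" if any(ip in ipaddress.ip_network(c) for c in allow_cidrs) else "deny"

SUSPICIOUS_IP = "203.0.113.10"   # constructed sample (TEST-NET-3), not from the page

# Option C done right: the deny is numbered below the allow-all, so it is hit first.
OUTBOUND_CORRECT = [
    NaclRule(90, "deny", f"{SUSPICIOUS_IP}/32"),
    NaclRule(100, "allow", "0.0.0.0/0"),
]
# A common mistake: the deny sits above the allow-all and is never reached.
OUTBOUND_WRONG_ORDER = [
    NaclRule(100, "allow", "0.0.0.0/0"),
    NaclRule(110, "deny", f"{SUSPICIOUS_IP}/32"),
]
DEFAULT_SG_EGRESS = ["0.0.0.0/0"]   # the default security group egress rule
```

Because a network ACL is stateless, the inbound rule set must still allow return traffic on ephemeral ports; the outbound deny alone is enough for this question's requirement, but the allow rules must not be forgotten.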