How can the organization ensure that requests from the above-mentioned IPs cannot reach the application instances?
Create an IAM policy for VPC which has a condition to disallow traffic from that IP address.
Configure a security group at the subnet level which denies traffic from the selected IP.
Configure the security group with the EC2 instance which denies access from that IP address.
Configure an ACL at the subnet which denies the traffic from that IP address.
Explanations:
IAM policies control permissions for AWS resources, not network traffic. They cannot be used to block IP addresses from accessing applications in a VPC.
Security groups operate at the instance level, not at the subnet level. They can restrict traffic to EC2 instances but cannot deny traffic at the subnet level.
Security group rules are allow-only: a security group can only specify the sources and ports that are permitted, and cannot explicitly deny traffic from a given IP address.
Network ACLs (Access Control Lists) operate at the subnet level and can explicitly deny traffic from specified IP addresses, making them suitable for blocking unwanted requests.