How should the Administrator implement the restriction?
Edit the security group for the web servers and add a deny entry for the IP address
Edit the network access control list for the web server subnet and add a deny entry for the IP address
Edit the VPC route table to route the malicious IP address to a black hole
Use Amazon CloudFront’s geo restriction feature to block traffic from the IP address
Explanations:
Security groups are stateful and consist only of allow rules; anything not explicitly allowed is implicitly denied. Because they have no deny entries, a security group that allows HTTP/HTTPS from 0.0.0.0/0 cannot carve out a single source IP, so this option cannot implement the restriction.
Network access control lists (NACLs) are stateless and support both allow and deny rules, which are evaluated in ascending rule-number order with the first match winning. Adding an inbound deny rule for the malicious IP (as a /32) to the NACL associated with the web server subnet, numbered lower than the existing allow rules, blocks traffic from that IP before the broader allow rule is reached. This is the correct answer.
Route tables match on destination, not source, so a black-hole route for the malicious IP would only drop packets the web servers send to that address; inbound packets from it would still reach the subnet. Black-holing can be useful in other scenarios, but it is not the correct way to block an inbound source IP here.
Amazon CloudFront’s geo restriction feature allows or blocks requests by the viewer’s country, as determined from its IP address. It cannot block an individual IP address, so it is not suitable for blocking a single malicious IP.
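The NACL explanation above depends on one detail that is easy to get wrong in practice: rules are evaluated in ascending rule-number order and the first match wins, so a deny rule numbered above the existing allow rules never fires. The following Python model of inbound NACL evaluation is an added example, not part of the original question or of any AWS tooling; the rule set, the malicious address 203.0.113.45 and the client address 198.51.100.7 are constructed from documentation IP ranges, and the rule numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One inbound NACL entry. Protocol "-1" means all protocols, "6" means TCP."""
    number: int
    action: str            # "allow" or "deny"
    cidr: str              # source CIDR for inbound rules
    protocol: str = "-1"
    port_from: int = 0
    port_to: int = 65535

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        return self.port_from <= port <= self.port_to


def evaluate_inbound(rules, src_ip: str, protocol: str = "6", port: int = 443):
    """Return (action, rule_number) for the first matching rule in ascending
    rule-number order. If nothing matches, the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, protocol, port):
            return rule.action, rule.number
    return "deny", "*"


def add_deny_rule(rules, ip: str):
    """Return a new rule list with a /32 deny for ip numbered below every
    existing rule, so it is evaluated before any broad allow (assumed gap of 10)."""
    number = min(r.number for r in rules) - 10
    if number < 1:
        raise ValueError("no room below the lowest existing rule number")
    return [NaclRule(number, "deny", f"{ip}/32")] + list(rules)


# Constructed sample data (documentation ranges, not real hosts).
MALICIOUS_IP = "203.0.113.45"
RULES_ALLOW_ONLY = [
    NaclRule(100, "allow", "0.0.0.0/0", "6", 80, 80),     # HTTP from anywhere
    NaclRule(110, "allow", "0.0.0.0/0", "6", 443, 443),   # HTTPS from anywhere
]
# Deny numbered above the allows: the broad allow matches first and the block is ineffective.
RULES_DENY_TOO_LATE = RULES_ALLOW_ONLY + [NaclRule(200, "deny", f"{MALICIOUS_IP}/32")]
# Deny numbered below the allows: evaluated first, so the malicious source is dropped.
RULES_DENY_FIRST = [NaclRule(50, "deny", f"{MALICIOUS_IP}/32")] + RULES_ALLOW_ONLY

if __name__ == "__main__":
    print("deny too late:", evaluate_inbound(RULES_DENY_TOO_LATE, MALICIOUS_IP))
    print("deny first:   ", evaluate_inbound(RULES_DENY_FIRST, MALICIOUS_IP))
    print("normal client:", evaluate_inbound(RULES_DENY_FIRST, "198.51.100.7"))
    print("auto-inserted:", evaluate_inbound(add_deny_rule(RULES_ALLOW_ONLY, MALICIOUS_IP), MALICIOUS_IP))
```

Because NACLs are stateless, a single inbound deny is enough: the request packets never enter the subnet, so there is no return traffic to worry about. The real change for the subnet's NACL is the equivalent of `aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 50 --protocol -1 --rule-action deny --cidr-block 203.0.113.45/32`, with `<acl-id>` being the placeholder for the web server subnet's NACL.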