Which solution addresses these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company’s Developers plan to migrate their on-premises applications to Amazon EC2 instances running Amazon Linux AMIs.The applications are accessed by a group of partner companies.The Security Engineer needs to implement the following host-based security measures for these instances:✑ Block traffic from documented known bad IP addresses.✑ Detect known software vulnerabilities and CIS Benchmarks compliance.

Which solution addresses these requirements?

Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to retrieve the list of bad IP addresses from AWS Secrets Manager, and uploads it as a threat list in Amazon GuardDuty. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create NACLs blocking ingress traffic from the known bad IP addresses in the EC2 instance’s subnets. Use AWS Systems Manager to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.

Launch the EC2 instances with an IAM role attached. Include a user data script that uses the AWS CLI to create and attach security groups that only allow an allow listed source IP address range inbound. Use Amazon Inspector to scan the instances for known software vulnerabilities, and AWS Trusted Advisor to check instances for CIS Benchmarks compliance.

Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Explanations:

While the solution addresses vulnerability scanning and compliance (via Amazon Inspector) and includes blocking of bad IPs through GuardDuty, GuardDuty does not directly block traffic from IP addresses, making this approach incomplete for the first requirement.

This option suggests using NACLs for blocking bad IPs, but creating NACLs dynamically via user data is impractical and error-prone. Additionally, AWS Systems Manager is not the ideal tool for vulnerability scanning in this context (Amazon Inspector is better suited).

Using security groups to allow or block IPs is valid, but security groups are stateful and won’t efficiently block bad IPs as needed. Also, AWS Trusted Advisor doesn’t specifically check for CIS Benchmark compliance, which is a more specialized requirement.

This option correctly uses iptables to block traffic from bad IPs based on an external list (S3) and periodically updates the list, which meets the first requirement. Amazon Inspector is correctly used for vulnerability scanning and CIS compliance checks, fulfilling the second requirement.

2025-10-15

1 Comment

  1. Diane
    Author

    From my point of view, the answer is:
    Launch the EC2 instances with an IAM role attached. Include a user data script that creates a cron job to periodically retrieve the list of bad IP addresses from Amazon S3, and configures iptables on the instances blocking the list of bad IP addresses. Use Amazon Inspector to scan the instances for known software vulnerabilities and CIS Benchmarks compliance.

Leave a Reply to Diane Cancel reply

Your email address will not be published. Required fields are marked *

5 × four =