Exam SOA-C02 All Questions
Question 196

A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.

Which solution will meet this requirement?

    Correct Answer: C

    To block traffic to an external IP address, the appropriate solution is to create a network ACL and add an outbound deny rule for traffic to that address. Network ACLs operate at the subnet level and can explicitly allow or deny traffic through numbered rules; the rules are evaluated in ascending order and the first match wins, so the deny rule must carry a lower number than any broad allow rule for it to take effect. The deny rule then blocks the specified traffic from the EC2 instance to the external IP address. Security groups, on the other hand, are stateful and contain only allow rules, so they cannot express an explicit deny. VPC flow logs with Amazon Athena are used for monitoring and analyzing network activity but have no capability to block traffic.
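
As an added illustration (not part of the exam question or the discussion), the following Python model mimics how an outbound network ACL is evaluated and contrasts it with a security group. The IP address and rule numbers are constructed sample values, not indicators from any real finding.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class NaclEntry(NamedTuple):
    rule_number: int   # NACL rules are evaluated lowest number first; first match wins
    cidr: str
    action: str        # "allow" or "deny", as in the AWS --rule-action values


def nacl_verdict(entries: List[NaclEntry], dest_ip: str) -> str:
    """Outbound NACL decision for one destination: ordered rules, first match wins,
    and the implicit '*' rule at the end denies anything unmatched."""
    dest = ip_address(dest_ip)
    for entry in sorted(entries, key=lambda e: e.rule_number):
        if dest in ip_network(entry.cidr, strict=False):
            return entry.action
    return "deny"


def sg_verdict(allow_cidrs: List[str], dest_ip: str) -> str:
    """Security groups hold allow rules only; there is no rule type that says 'deny',
    so a specific destination can only be 'blocked' by not allowing it at all."""
    dest = ip_address(dest_ip)
    return "allow" if any(dest in ip_network(c, strict=False) for c in allow_cidrs) else "deny"


# Constructed placeholder for the unrecognized destination from the GuardDuty finding
# (TEST-NET-3 documentation range, not a real indicator).
SUSPICIOUS_IP = "203.0.113.45"

# A typical NACL that allows all egress at rule 100.
baseline_nacl = [NaclEntry(100, "0.0.0.0/0", "allow")]
# Deny added with a LOWER number than the allow-all: the block takes effect.
effective_nacl = [NaclEntry(10, SUSPICIOUS_IP + "/32", "deny")] + baseline_nacl
# Deny added with a HIGHER number: the allow-all at 100 matches first and the block never fires.
ineffective_nacl = baseline_nacl + [NaclEntry(200, SUSPICIOUS_IP + "/32", "deny")]


def demo() -> dict:
    """Return the verdicts side by side so the rule-order pitfall is visible."""
    return {
        "nacl_deny_first": nacl_verdict(effective_nacl, SUSPICIOUS_IP),      # deny
        "nacl_deny_last": nacl_verdict(ineffective_nacl, SUSPICIOUS_IP),     # allow (misconfigured)
        "nacl_other_dest": nacl_verdict(effective_nacl, "198.51.100.7"),     # allow
        "sg_allow_all": sg_verdict(["0.0.0.0/0"], SUSPICIOUS_IP),            # allow, cannot be denied
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same ordering applies when the real entry is created with `aws ec2 create-network-acl-entry --egress --rule-action deny`: choose a rule number below the existing allow rule, otherwise the deny is never reached.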

Discussion
beznika

Security groups are out because you allow traffic using security groups, not block. VPC flow logs with Athena? How can that help? And the ACL outbound rule to block the IP? ACL makes the most sense because if the IP is the destination, the outbound rule to block will do. However, it would make more sense to modify the existing ACL because a subnet can be associated with only one ACL. So I am going to say C is the correct one.

zolthar_z (Option: C)

Answer is C, ACL is the only way to block outbound traffic

10cc6ba (Option: C)

C only 100%

Christina666 (Option: C)

C. Create a network ACL. Add an outbound deny rule for traffic to the external IP address. Explanation: Network Access Control Lists (NACLs) are used to control the traffic entering and exiting subnets in a VPC. They operate at the subnet level and are stateless, meaning that both inbound and outbound rules must be explicitly defined. By adding an outbound deny rule for traffic to the specific external IP address identified by GuardDuty, you can block any communication from the EC2 instance to that IP address.

Christina666

Option A (Create a new security group to block traffic to the external IP address and assign it to the EC2 instance) is incorrect because security groups control inbound and outbound traffic to and from an EC2 instance, but they cannot be used to block traffic to external IP addresses. They only allow you to specify allowed traffic based on ports and protocols. Option B (Use VPC flow logs with Amazon Athena to block traffic to the external IP address) is incorrect because VPC flow logs do not have the capability to block traffic. They are used for monitoring and logging network traffic, but they cannot be used for active traffic control. Option D (Create a new security group to block traffic to the external IP address and assign it to the entire VPC) is incorrect because, like in Option A, security groups are not meant to block traffic to specific external IP addresses. Assigning the security group to the entire VPC will not achieve the goal of blocking traffic to the specific IP address identified by GuardDuty.

jipark

Why not A? Security groups can only allow traffic. Why C? NACLs deny/allow traffic by creating a new one.

pepecastr0

C, best way to block outbound traffic, but I'm not sure why you need to create a new NACL instead of adding the rule to the existing one.