Denying Access to Specific IP Addresses in AWS VPC: Methods and Best Practices


Question

There are currently multiple applications hosted in a VPC.

During monitoring, it has been noticed that multiple port scans are coming in from specific IP addresses on the internet.

The internal security team has requested that all offending IP addresses be denied for the next 24 hours.

Which of the following can be used to deny access from the specific IP addresses?

Explanations

Answer - B.

Option A is incorrect because you cannot perform such an operation in ELB.

Option B is CORRECT because you can modify the web ACL to block requests from the IP addresses.

Option C is incorrect because Security Groups cannot be configured to block traffic from IP addresses: only "Allow" rules can be configured in Security Groups.

Option D is incorrect because you cannot block the traffic based on IP addresses in Route 53.

For more information on WAF, please visit the below URL:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html

The correct answer to this question is B. Modify the web ACL to deny the incoming requests from the IP addresses.

Explanation:

A Web Application Firewall (WAF) is a security feature that allows you to configure rules to block or allow incoming traffic based on specific conditions. In this case, modifying the WAF's web Access Control List (web ACL) is the best option to deny access from specific IP addresses.

Option A, adding a blacklist of IP addresses in the Elastic Load Balancer, is not the best solution because it only blocks traffic to the load balancer, not to the underlying resources in the VPC.

Option C, adding a rule to all of the VPC Security Groups to deny access from the IP Address block, is not recommended because it is a time-consuming task and is not scalable, especially when the number of IP addresses to block is high.

Option D, adding a blacklist of IP addresses in Route 53 to block the traffic, is incorrect because Route 53 is a DNS service that resolves domain names to IP addresses and cannot block IP addresses directly.

In summary, modifying the Web ACL to deny incoming requests from the IP addresses is the most appropriate and scalable solution for this scenario.
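The web ACL change described above, as an added example that is not part of the original page: the code assembles the AWS WAFv2 API requests that create an IP set holding the scanning sources and add a block rule that is evaluated before every other rule in an existing web ACL. The IP set name, web ACL name and id, scope, the sample addresses and the placeholder ARN are all assumptions; the request shapes follow the wafv2 CreateIPSet, GetWebACL and UpdateWebACL APIs.

```python
"""Assemble WAFv2 requests that block a list of scanning source IPs in a web ACL.

Added example, not the page's own code. All names are placeholders; the caller
supplies a boto3 wafv2 client (e.g. boto3.client("wafv2", region_name=...)).
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample: source addresses that monitoring flagged as port-scanning the VPC.
SCANNING_SOURCES = ["203.0.113.7", "203.0.113.7", "198.51.100.0/24", " 192.0.2.45 "]


def to_cidrs(addresses):
    """Normalise bare IPs and CIDRs into the CIDR strings a WAF IP set expects.

    A bare host becomes /32 (IPv4) or /128 (IPv6), host bits inside a prefix are
    masked, and duplicates and surrounding whitespace are dropped.
    """
    nets = {ipaddress.ip_network(a.strip(), strict=False) for a in addresses}
    # Sort by string: networks of different IP versions are not comparable.
    return sorted(str(n) for n in nets)


def build_ip_set_request(name, cidrs, scope="REGIONAL", ttl_hours=24):
    """Build the CreateIPSet request. One IP set holds a single address family."""
    versions = {ipaddress.ip_network(c).version for c in cidrs}
    if len(versions) != 1:
        raise ValueError("put IPv4 and IPv6 addresses into separate IP sets")
    # The 24-hour window is recorded in the description so the cleanup job can find it.
    expires = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
    return {
        "Name": name,
        "Scope": scope,  # REGIONAL for an ALB or API Gateway, CLOUDFRONT for a distribution
        "Description": f"Temporary block of port-scan sources, remove after {expires:%Y-%m-%dT%H:%MZ}",
        "IPAddressVersion": "IPV4" if versions == {4} else "IPV6",
        "Addresses": list(cidrs),
    }


def build_block_rule(name, ip_set_arn, priority=0):
    """A rule that blocks any request whose source IP is in the referenced IP set."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def insert_block_first(existing_rules, block_rule):
    """Return a rule list where the block rule has priority 0 and the existing rules
    are renumbered 1..n in their previous order, so the block is evaluated first."""
    ordered = sorted(existing_rules, key=lambda r: r["Priority"])
    renumbered = [dict(r, Priority=i) for i, r in enumerate(ordered, start=1)]
    return [dict(block_rule, Priority=0)] + renumbered


def apply_block(client, web_acl_name, web_acl_id, scope, ip_set_name, addresses):
    """Create the IP set and add the block rule to the web ACL (needs AWS credentials)."""
    ip_set = client.create_ip_set(**build_ip_set_request(ip_set_name, to_cidrs(addresses), scope))
    arn = ip_set["Summary"]["ARN"]
    current = client.get_web_acl(Name=web_acl_name, Scope=scope, Id=web_acl_id)
    acl = current["WebACL"]
    rules = insert_block_first(acl["Rules"], build_block_rule(f"{ip_set_name}-block", arn))
    # UpdateWebACL replaces the whole rule list and requires the LockToken from GetWebACL.
    return client.update_web_acl(
        Name=acl["Name"], Scope=scope, Id=acl["Id"],
        DefaultAction=acl["DefaultAction"], Rules=rules,
        VisibilityConfig=acl["VisibilityConfig"], LockToken=current["LockToken"],
    )


if __name__ == "__main__":
    import json
    cidrs = to_cidrs(SCANNING_SOURCES)
    print(json.dumps(build_ip_set_request("port-scan-sources-24h", cidrs), indent=2))
    # Placeholder ARN; a real one is returned by CreateIPSet.
    print(json.dumps(build_block_rule(
        "port-scan-sources-24h-block",
        "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/port-scan-sources-24h/ID"), indent=2))
```

The block rule takes effect only for HTTP(S) requests that reach the resource the web ACL is associated with (an Application Load Balancer in the REGIONAL scope, or a CloudFront distribution), so the web ACL must already be attached to that resource. When the 24 hours are up, the same GetWebACL/UpdateWebACL pair with the rule removed, followed by DeleteIPSet, reverses the change.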