Amazon Exam PAS-C01 Topic 1 Question 52 Discussion

Actual exam question for Amazon's PAS-C01 exam
Question #: 52
Topic #: 1

A company hosts multiple SAP applications on Amazon EC2 instances in a VPC. While monitoring the environment, the company notices that multiple port scans are attempting to connect to SAP portals inside the VPC. These port scans are originating from the same IP address block. The company must deny access to the VPC from all the offending IP addresses for the next 24 hours.

Which solution will meet this requirement?


Contribute your Thoughts:

Kayleigh
29 days ago
Hmm, I wonder if the company has tried turning it off and on again? Just kidding, but seriously, these port scans sound like a real headache. I hope they find a quick fix!
upvoted 0 times
Alonso
1 day ago
D: Configuring the firewall in the operating system could be another way to deny access.
upvoted 0 times
...
Lamonica
8 days ago
C: Creating a policy in AWS IAM might be a good option too.
upvoted 0 times
...
Tish
11 days ago
B: Yeah, adding a rule in the security group of the EC2 instances could also work.
upvoted 0 times
...
Rebbecca
13 days ago
A: I think modifying the network ACLs in the VPC is the best solution.
upvoted 0 times
...
...
Tran
1 month ago
D? Really? Configuring the firewall on each individual EC2 instance sounds like a lot of work. I'd avoid that and go for a more centralized solution.
upvoted 0 times
...
Filiberto
1 month ago
Option C is an interesting choice, but I'm not sure if an IAM policy is the best fit for this scenario. It might be overkill and could be more complex to manage.
upvoted 0 times
Billy
3 days ago
B: I agree with A. It's a straightforward solution to deny access.
upvoted 0 times
...
Jeffrey
18 days ago
A: I think option A is the best choice. Modifying network ACLs will block access from the offending IP address block.
upvoted 0 times
...
...
Leatha
2 months ago
I'd go with B. Updating the security group rules for the EC2 instances is a more targeted approach, and it's less likely to impact other resources in the VPC.
upvoted 0 times
Roselle
9 days ago
Agreed. It's important to minimize impact on other resources.
upvoted 0 times
...
Man
11 days ago
That makes sense. It's a focused solution.
upvoted 0 times
...
Dona
24 days ago
B) Add a rule in the security group of the EC2 instances to deny access from the IP address block
upvoted 0 times
...
...
Louvenia
2 months ago
Option A seems like the way to go. Modifying the network ACLs for the public subnets is the most effective way to deny access from the offending IP address block across the entire VPC.
upvoted 0 times
Lonna
1 month ago
User 2: I agree. It's important to deny access across the entire VPC to prevent any further port scans.
upvoted 0 times
...
Chaya
2 months ago
User 1: I think option A is the best choice. Modifying the network ACLs for the public subnets will block access from the offending IP address block.
upvoted 0 times
...
...
Shelba
2 months ago
But wouldn't creating a policy in IAM be a more secure option?
upvoted 0 times
...
Stacey
2 months ago
I disagree, I believe adding a rule in the security group of the EC2 instances is more effective.
upvoted 0 times
...
Shelba
2 months ago
I think the best solution is to modify network ACLs in the VPC.
upvoted 0 times
...
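
The network ACL approach that several comments above favour, modelled as an added example (not part of any comment or of the exam material): network ACL entries are evaluated in ascending rule-number order and the first match decides, so a deny entry only takes effect if it is numbered below the broad allow. The rule numbers, the 203.0.113.0/24 block, and the `expires_at` field (standing in for a scheduled deletion after 24 hours) are assumptions; protocol and port matching are left out.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample values: 203.0.113.0/24 is a documentation range standing in
# for the offending block; rule numbers are illustrative.
BLOCK_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def make_rule(number, cidr, action, expires_at=None):
    return {"number": number, "net": ipaddress.ip_network(cidr),
            "action": action, "expires_at": expires_at}

def evaluate_inbound(rules, src_ip, now):
    """Model of network ACL evaluation: lowest rule number first, first match wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["number"]):
        # Assumption: an external scheduled job deletes the entry at expires_at;
        # network ACL entries themselves carry no expiry.
        if rule["expires_at"] is not None and now >= rule["expires_at"]:
            continue
        if src in rule["net"]:
            return rule["action"], rule["number"]
    return "deny", "*"  # implicit final rule of every network ACL

def build_acl(deny_rule_number):
    """Broad allow at rule 100 plus a 24-hour deny for the offending block."""
    return [
        make_rule(100, "0.0.0.0/0", "allow"),
        make_rule(deny_rule_number, "203.0.113.0/24", "deny",
                  expires_at=BLOCK_START + timedelta(hours=24)),
    ]

def check(deny_rule_number, src_ip, hours_after_start):
    now = BLOCK_START + timedelta(hours=hours_after_start)
    return evaluate_inbound(build_acl(deny_rule_number), src_ip, now)

if __name__ == "__main__":
    print(check(50, "203.0.113.25", 1))    # deny numbered below the allow
    print(check(150, "203.0.113.25", 1))   # deny numbered above the allow: never reached
    print(check(50, "198.51.100.7", 1))    # other sources are unaffected
    print(check(50, "203.0.113.25", 25))   # after the 24-hour window
```
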
