🔥 3-day streak
AWS Certified Security - Specialty99 / 157
Question 99 of 157

A security engineer needs to permanently block a single known-malicious external IP address from reaching any resource across all subnets in a production VPC. The VPC contains dozens of subnets and hundreds of EC2 instances managed by multiple teams, and each team independently controls its own security groups. The engineer wants a solution that enforces the block centrally at the subnet boundary, cannot be overridden by individual application teams modifying security groups, and requires the least ongoing administrative effort. Which approach best meets these requirements?

Reviewed for accuracy · Report an issueNext question