A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet created with default Network ACL settings. The IT Security department has a suspicion that a DoS attack is coming from a suspecting IP. How can you protect the subnets from this attack?

Answer options:

A.Change the Inbound Security Groups to deny access from the suspecting IP.
B.Change the Outbound Security Groups to deny access from the suspecting IP.
C.Change the Inbound NACL to deny access from the suspecting IP.
D.Change the Outbound NACL to deny access from the suspecting IP.

Answer: C
Options A and B are incorrect because the Security Group works on the Instance level and not the Subnet level. You cannot configure a Security Group to deny access.
Option C is CORRECT because restricting the inbound NACL is the solution to deny access for the suspecting IP address. A network access control list (Network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Option D is incorrect because restricting inbound access needs to restrict the port & IP on the inbound NACL rule. The outbound rule is basically for accessing anything from within the subnet to the outside of the subnet (e.g., Internet).
For more information on Network Access Control Lists, please visit the following URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html