You have an instance setup in a test environment in AWS. You installed the required application and promoted the server to a production environment. Your IT Security team has advised that since yesterday there have been some traffic flowing in from an unknown IP address to port 22. Which of the following methods is the most suitable to mitigate the threat?

Answer options:

A.Terminate the instance.
B.Modify the inbound rule of the security group to only allow the known IP addresses.
C.Change the AWS Shield rule to block this IP address.
D.In the instance, stop the sshd process to prevent any unexpected SSH access.

Answer is B
Option A is incorrect because terminating a production instance is not a recommended best practice.
Option B is CORRECT because the security group inbound rule can be improved to block the SSH access from unknown IP addresses.
Option C is incorrect because AWS Shield is used for protecting against DDoS attacks. It cannot block an IP address in port 22.
Option D is incorrect because this method will stop any SSH access including the normal SSH traffic.
For more information on authorizing access to an instance, please visit the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking