
Answer-first summary for fast verification
Answer: AWS WAF
## Explanation

While AWS WAF is primarily designed for web application layer protection, it is the most appropriate choice among the given options for blocking access from a specific IP address in this scenario.

### Analysis of Options

- **AWS Shield**: Provides DDoS protection but is not designed for blocking specific IP addresses
- **AWS Config**: Used for auditing and compliance monitoring of AWS resource configurations
- **Amazon GuardDuty**: A threat detection service that identifies suspicious activity but does not actively block traffic
- **AWS WAF**: A web application firewall that can block traffic based on IP addresses, geographic locations, and other criteria

### Why AWS WAF is Correct

1. **IP-based blocking capability**: AWS WAF lets you define an IP set and a rule that blocks requests whose source address is in that set
2. **Application layer protection**: Since the question mentions an "application" running on EC2 instances, AWS WAF is suitable for protecting web applications
3. **Integration with web-facing services**: AWS WAF can be deployed with Application Load Balancer, CloudFront, or API Gateway to filter web traffic before it reaches the instances

### Important Note

In real-world scenarios, the most direct solution would be a network-level control: a **Network ACL** deny entry for the address, or tightening the **Security Groups** (which only hold allow rules, so blocking one address there means narrowing the permitted sources). However, since these are not among the options provided, AWS WAF is the best available choice for application-level IP blocking in a certification context.
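As an added example (not part of the original answer), the following CloudFormation template implements the WAF-based block described above. It assumes the EC2 fleet sits behind an Application Load Balancer whose ARN is supplied as the `AlbArn` parameter, and uses a constructed documentation-range address for the offending IP.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Block one abusive source IP with AWS WAF (regional web ACL on an ALB)

Parameters:
  BlockedIp:
    Type: String
    Default: 203.0.113.10/32   # constructed example address from the RFC 5737 documentation range
  AlbArn:
    Type: String               # ARN of the existing Application Load Balancer in front of the EC2 fleet (assumed)

Resources:
  BlockedIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-source-ips
      Scope: REGIONAL          # REGIONAL for ALB/API Gateway; CLOUDFRONT (in us-east-1) for distributions
      IPAddressVersion: IPV4
      Addresses:
        - !Ref BlockedIp       # add further /32 entries here as new sources are identified

  BlockListWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ec2-app-blocklist
      Scope: REGIONAL
      DefaultAction:
        Allow: {}              # everything not matched by a rule passes through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ec2AppBlocklist
      Rules:
        - Name: block-listed-ips
          Priority: 0          # evaluated first
          Action:
            Block: {}          # matching requests get an HTTP 403 from the ALB
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockListedIps

  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt BlockListWebAcl.Arn
```

Because the rule's CloudWatch metrics and sampled requests are enabled, blocked requests from the listed address show up in the WAF console and as the `BlockedRequests` metric, which is the check to run after deployment.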
Author: Ritesh Yadav
A company notices suspicious network activity against an application that is running on a fleet of Amazon EC2 instances. The suspicious activity is coming from a single IP address. Which AWS service should the company use to block access from this IP address?
- A. AWS Shield
- B. AWS Config
- C. Amazon GuardDuty
- D. AWS WAF