The VPC lesson says that specific IP addresses (say, of a malicious attacker) are blocked using Network ACLs and not a security group.
Why can’t this be done using a security group? Is this a guideline rather than an imposed restriction? If a guideline, why is it preferred to use ACL instead of security group for blocking specific IPs?
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-block-or-allow-ips/ says specific IPs can be blocked with a security group too.
Short answer is: you just can’t!
Security groups do not allow an explicit deny. There's only an implicit deny, and you then specify rules for allowed traffic. There is no way to add an explicit deny to a security group.
NACLs are the TRUE firewalls to a service. Even from a security standpoint, it wouldn't make sense to spend so much time blocking specific traffic from a single IP on every single device. This means unless you just have a blanket security group rule (ill-advised) you would have to go through a ton of security groups to remove this IP for every single one of them. Instead, by applying such a deny to the NACL, it applies to the entire subnet and everything within it.
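To make the difference between the two rule models concrete, here is an added example (not code from the question or the answer above) that models how AWS evaluates the two: a network ACL is an ordered list of numbered allow/deny rules, evaluated lowest number first, first match wins, with an implicit `*` deny at the end; a security group is a set of allow-only rules where any match permits and everything else is implicitly denied. The IP addresses and rule sets are constructed for the example (RFC 5737 documentation ranges) and nothing here calls AWS. It also shows the ordering pitfall when blocking a specific IP with a NACL: a deny rule numbered after a broad allow is never reached.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
ATTACKER = "203.0.113.5"
CLIENT = "198.51.100.20"

# A NACL rule as AWS models it: (rule_number, cidr, action, dst_port or -1 for all ports).
NaclRule = Tuple[int, str, str, int]
# A security group rule has no action field at all: (cidr, dst_port) and it can only allow.
SgRule = Tuple[str, int]


def nacl_decision(rules: List[NaclRule], src_ip: str, dst_port: int) -> str:
    """Evaluate NACL rules in ascending rule-number order.

    The first rule whose CIDR and port match decides the packet; traffic that
    matches nothing falls through to the implicit '*' deny rule.
    """
    ip = ipaddress.ip_address(src_ip)
    for _number, cidr, action, port in sorted(rules):
        if ip in ipaddress.ip_network(cidr) and (port == -1 or port == dst_port):
            return action
    return "deny"  # implicit '*' rule


def sg_decision(rules: List[SgRule], src_ip: str, dst_port: int) -> str:
    """Evaluate security group rules: any matching rule allows, nothing else is expressible.

    There is no deny action, so the only way to 'block' a source is to not
    have any allow rule that covers it.
    """
    ip = ipaddress.ip_address(src_ip)
    for cidr, port in rules:
        if ip in ipaddress.ip_network(cidr) and port == dst_port:
            return "allow"
    return "deny"  # implicit deny


# Correct: the specific deny is numbered below the broad allow, so it is evaluated first.
GOOD_NACL: List[NaclRule] = [
    (100, "203.0.113.5/32", "deny", -1),
    (200, "0.0.0.0/0", "allow", 443),
]

# Pitfall: the broad allow is evaluated first and wins, so the deny never applies.
BAD_NACL: List[NaclRule] = [
    (100, "0.0.0.0/0", "allow", 443),
    (200, "203.0.113.5/32", "deny", -1),
]

# A typical web-tier security group: allow HTTPS from anywhere. No way to carve the attacker out.
WEB_SG: List[SgRule] = [("0.0.0.0/0", 443)]


def demo() -> Dict[str, str]:
    """Return the decision each rule set makes for the attacker and a legitimate client."""
    return {
        "good_nacl_attacker": nacl_decision(GOOD_NACL, ATTACKER, 443),
        "good_nacl_client": nacl_decision(GOOD_NACL, CLIENT, 443),
        "bad_nacl_attacker": nacl_decision(BAD_NACL, ATTACKER, 443),
        "sg_attacker": sg_decision(WEB_SG, ATTACKER, 443),
        "sg_client_ssh": sg_decision(WEB_SG, CLIENT, 22),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The real-world equivalent of `GOOD_NACL` is an inbound entry with `aws ec2 create-network-acl-entry --ingress --rule-number 100 --protocol -1 --rule-action deny --cidr-block 203.0.113.5/32` on the subnet's ACL (the ACL id is whatever your subnet uses; none is assumed here), with the deny given a lower rule number than the allow rules already present. Two caveats a practitioner should keep in mind: NACLs are stateless, so return traffic for allowed connections needs matching outbound rules, and the deny applies to every instance in the subnet, which is exactly why the answer above prefers it over editing many security groups.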