Question 20
Domain 2: Security and Compliance
You have been tasked with auditing the security of your VPC. As part of this process, you need to start by analyzing what inbound and outbound traffic is allowed on your EC2 instances. What two parts of the VPC do you need to check to accomplish this task?
Correct answer: D
Explanation
Security Groups are “a virtual firewall for EC2 instances to control incoming and outgoing traffic,” so they define instance-level inbound and outbound rules. Network ACLs are “a firewall layer on the subnet level” and are “stateless,” so checking both shows what traffic is allowed at the instance and subnet boundaries.
Why each option is right or wrong
A. Network ACLs and Traffic Manager. Incorrect: Traffic Manager is not a VPC component, so it cannot define what traffic reaches an instance.
B. Network ACLs and Subnets. Incorrect: a subnet is an address range; the rules are held by the Network ACL associated with it, not by the subnet itself.
C. Security Groups and Internet Gateways. Incorrect: an Internet Gateway provides a route to and from the internet but applies no allow/deny rules.
D. Security Groups and Network ACLs. Correct: these are the two VPC layers that hold the inbound and outbound rules.
The question asks for the VPC components that determine what inbound and outbound traffic is permitted for EC2 instances, which are the instance-level Security Groups and the subnet-level Network ACLs. Under AWS VPC networking, Security Groups are stateful (return traffic for an allowed connection is permitted automatically), hold allow rules only, and are attached to the instance's network interfaces; NACLs are stateless (inbound and outbound rules are evaluated independently), apply at the subnet boundary, and process numbered allow/deny rules in order with an implicit deny at the end. An audit of allowed traffic therefore has to read both layers, since a flow is permitted only when it passes the NACL of the subnet and the Security Group of the instance.