Amazon CLF-C02: What Security Layer in VPC Acts as Firewall to Control Subnet Traffic?

Discover the key differences between AWS Security Groups and Network ACLs to understand which acts as a firewall for controlling subnet traffic in your VPC for the AWS Certified Cloud Practitioner CLF-C02 exam.

Question

A company wants to establish a security layer in their VPC that will act as a firewall to control subnet traffic.

A. Routing tables
B. Network access control lists (network ACLs)
C. Security groups
D. Amazon GuardDuty

Answer

B. Network access control lists (network ACLs)

Explanation

Network ACLs are stateless firewalls that operate at the subnet level, which is the security layer the question asks for. Security groups, by contrast, are stateful firewalls that control inbound and outbound traffic at the instance level; you associate them with each instance in a VPC and specify allow rules for the traffic you want to permit. Routing tables direct traffic, and Amazon GuardDuty is a threat detection service.

In an Amazon Virtual Private Cloud (VPC), Network Access Control Lists (NACLs) serve as a firewall at the subnet level. They control both inbound and outbound traffic for the subnets they are associated with. NACLs are particularly useful when you need to apply security rules across an entire subnet, rather than individual instances.

Here’s why Network ACLs are the correct answer:

Subnet-Level Control

NACLs operate at the subnet level, making them ideal for controlling traffic entering or leaving a subnet. This aligns with the question’s requirement of establishing a security layer for controlling subnet traffic.

Stateless Filtering

NACLs are stateless, meaning you must explicitly define rules for both inbound and outbound traffic. For example, if an inbound rule allows traffic, you must also create an outbound rule to allow return traffic.

Support for Allow and Deny Rules

Unlike security groups, which support only “allow” rules, NACLs provide more granular control by supporting both “allow” and “deny” rules. This can be critical for blocking specific IP addresses or protocols.

Why Not the Other Options?

A. Routing Tables:
Routing tables determine how traffic is directed within a VPC but do not act as firewalls or control access to resources.
C. Security Groups:
Security groups act as virtual firewalls at the instance level, controlling inbound and outbound traffic for individual EC2 instances. They are stateful (automatically allowing return traffic) and do not directly control subnet-level traffic.
D. Amazon GuardDuty:
GuardDuty is a threat detection service that monitors malicious activity but does not function as a firewall or control network traffic.
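The stateless/stateful distinction above (NACLs need an explicit outbound rule for return traffic; security groups let return traffic through automatically) and the allow/deny difference are easiest to see by evaluating both halves of one TCP connection against each kind of rule set. The following Python model is an added example written for this page, not AWS code or the AWS API: it implements the documented evaluation semantics (NACL rules checked in ascending rule-number order, first match wins, implicit deny otherwise; security groups allow-only with connection tracking). The rule numbers, CIDRs (RFC 5737 documentation ranges) and the client ephemeral port 49152 are constructed sample values, and `evaluate_exchange`, `NetworkACL` and `SecurityGroup` are names chosen here.

```python
"""
Model of how a VPC network ACL (stateless, ordered allow/deny rules) and a
security group (stateful, allow-only) judge the two halves of one TCP
connection.  All addresses, ports and rule numbers are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" (into the subnet/instance) or "outbound"
    remote_ip: str      # source for inbound, destination for outbound
    protocol: str       # "tcp" or "udp"
    remote_port: int    # port on the remote host
    local_port: int     # port on the host inside the subnet

    @property
    def dest_port(self) -> int:
        # NACL and security-group rules match on the packet's destination port.
        return self.local_port if self.direction == "inbound" else self.remote_port

    @property
    def flow_key(self) -> Tuple[str, str, int, int]:
        # Identical for request and reply; used by the stateful security group.
        return (self.protocol, self.remote_ip, self.remote_port, self.local_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str           # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also use "deny"; security groups never do
    number: int = 0         # NACL rule number; ignored by security groups

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.protocol in ("all", pkt.protocol)
                and self.port_from <= pkt.dest_port <= self.port_to
                and ip_address(pkt.remote_ip) in ip_network(self.cidr))


class NetworkACL:
    """Stateless: every packet is judged on its own against ordered rules."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        # Lowest-numbered matching rule wins; the implicit '*' rule denies the rest.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class SecurityGroup:
    """Stateful and allow-only: replies for an already-allowed flow pass."""

    def __init__(self, rules: List[Rule]):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = rules
        self.tracked: Set[Tuple[str, str, int, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        if pkt.flow_key in self.tracked:          # return traffic of a known flow
            return "allow"
        if any(r.matches(pkt) for r in self.rules):
            self.tracked.add(pkt.flow_key)
            return "allow"
        return "deny"


def evaluate_exchange(fw, client_ip: str, client_port: int = 49152) -> Tuple[str, str]:
    """Constructed sample: a client's HTTP request and the server's reply."""
    request = Packet("inbound", client_ip, "tcp", client_port, 80)
    reply = Packet("outbound", client_ip, "tcp", client_port, 80)
    return fw.evaluate(request), fw.evaluate(reply)


# NACL with only an inbound allow: the reply hits the implicit deny.
NACL_INBOUND_ONLY = NetworkACL([
    Rule("inbound", "tcp", 80, 80, "0.0.0.0/0", number=100),
])

# Corrected NACL: outbound allow on the ephemeral port range for return traffic,
# plus a lower-numbered deny rule that blocks one sample network before the allow.
NACL_COMPLETE = NetworkACL([
    Rule("inbound", "tcp", 80, 80, "198.51.100.0/24", action="deny", number=90),
    Rule("inbound", "tcp", 80, 80, "0.0.0.0/0", number=100),
    Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=100),
])

# Security group: one inbound rule suffices because it is stateful.
SG_WEB = SecurityGroup([Rule("inbound", "tcp", 80, 80, "0.0.0.0/0")])

if __name__ == "__main__":
    for name, fw in [("nacl-inbound-only", NACL_INBOUND_ONLY),
                     ("nacl-complete", NACL_COMPLETE), ("sg-web", SG_WEB)]:
        print(name, evaluate_exchange(fw, "203.0.113.10"))
    print("nacl-complete, denied client", evaluate_exchange(NACL_COMPLETE, "198.51.100.7"))
```

Running it shows the failure mode from the Stateless Filtering section: `NACL_INBOUND_ONLY` allows the request but drops the reply, while the security group with the same single inbound rule passes both. The denied client case also shows statelessness from the other side: the reply direction is still evaluated purely on its own outbound rules, so blocking a network on a NACL means adding the deny rule in each direction you care about.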

By understanding these distinctions, you can confidently choose the right tool for securing your AWS environment based on specific requirements. For AWS certification exams like the CLF-C02, it’s essential to grasp these concepts to answer scenario-based questions effectively.
