Security groups: Act as a virtual firewall for instances, controlling inbound and outbound traffic. They are associated with instances and operate at the instance level. You can configure security group rules to allow or deny traffic based on IP addresses, port ranges, and protocols.
Network ACLs: Are an additional layer of security for your VPC. They operate at the subnet level and are stateless, meaning they evaluate rules for inbound and outbound traffic separately. Network ACLs can be used to allow or deny traffic based on IP addresses, port ranges, and protocols.
Amazon Virtual Private Cloud (Amazon VPC) flow logs: Capture information about the IP traffic going to and from network interfaces in a VPC. While they provide visibility into network traffic, they don't block or control traffic.
Amazon CloudWatch: A monitoring service that collects and tracks metrics, logs, and events from various AWS resources. It is not used for blocking network traffic to an instance.
AWS CloudTrail: Provides a record of actions taken by users, roles, or services within an AWS account. It does not block network traffic but helps in auditing and tracking API calls.
A. Security groups
C. Network ACLs
Security groups are stateful firewalls that control inbound and outbound traffic at the instance level. You can configure security groups to allow or deny specific types of network traffic to and from your instances.
Network ACLs (Access Control Lists) are stateless firewalls that control traffic at the subnet level. Network ACLs define rules to allow or deny traffic based on source and destination IP addresses, ports, and protocols.
Security groups are just an ALLOW list. How can you block traffic using a security group? Well, whatever is not mentioned in the security group is not allowed by default :) Tricky, huh?
A. Security groups
C. Network ACLs
A is obvious: it is applied at the instance level and controls traffic at the instance level.
C is a bit tricky: a NACL is applied at the subnet level, but it controls traffic based on source and destination. Here you can set a rule set for the instance both "in" (destination) and "out" (source).
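As an added illustration (not part of the question, not any commenter's text, and not AWS's own code), the following Python model makes the points in the comments above concrete: a security group is an allow list with an implicit deny and is stateful, so the reply to an accepted connection passes even with no outbound rule; a network ACL is a numbered list of allow/deny rules evaluated lowest number first with a trailing implicit deny, and is stateless, so the reply's ephemeral destination port must be allowed explicitly or the connection silently hangs. The addresses (documentation ranges), ports and rule sets are constructed for the example, and the model is deliberately simplified (it has no default allow-all outbound rule and ignores ICMP and IPv6).

```python
"""Toy model of security group vs network ACL evaluation (illustration only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "tcp" or "udp"
    sport: int      # source port
    dport: int      # destination port
    direction: str  # "in" (towards the instance) or "out" (from the instance)

    def reply(self) -> "Packet":
        """The packet the other side sends back for this one (ports and IPs swapped)."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport,
                      "out" if self.direction == "in" else "in")


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    cidr: str              # remote side: source for inbound rules, destination for outbound
    action: str = "allow"  # "allow" or "deny"; security groups accept only "allow"
    number: int = 0        # NACL evaluation order; unused by security groups

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.proto == pkt.proto
                and self.from_port <= pkt.dport <= self.to_port
                and ip_address(remote) in ip_network(self.cidr))


class SecurityGroup:
    """Instance level, allow rules only, stateful (remembers accepted flows)."""

    def __init__(self, inbound, outbound):
        for r in list(inbound) + list(outbound):
            if r.action != "allow":
                raise ValueError("security groups have no deny rules; omit the rule instead")
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.reply() in self._flows:      # return traffic of an accepted flow: no rule needed
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(r.matches(pkt) for r in rules):
            self._flows.add(pkt)
            return True
        return False                        # implicit deny: anything not listed is dropped


class NetworkACL:
    """Subnet level, numbered allow/deny rules, stateless (no flow tracking)."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for r in rules:                     # lowest rule number first; first match wins
            if r.matches(pkt):
                return r.action == "allow"
        return False                        # the trailing '*' rule: deny


ANY = "0.0.0.0/0"


def scenario() -> dict:
    """Constructed traffic: client 203.0.113.10 opens HTTPS to instance 10.0.1.5
    from ephemeral port 51000, the instance later opens a new connection out, and a
    client in a range we want blocked (198.51.100.0/24) tries HTTPS as well."""
    https_in = Packet("203.0.113.10", "10.0.1.5", "tcp", 51000, 443, "in")
    https_reply = https_in.reply()
    new_out = Packet("10.0.1.5", "198.51.100.20", "tcp", 40000, 443, "out")
    blocked_client = Packet("198.51.100.7", "10.0.1.5", "tcp", 52000, 443, "in")

    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])
    nacl_wrong = NetworkACL(                       # common mistake: no ephemeral-port rule
        inbound=[Rule("tcp", 443, 443, ANY, number=100)],
        outbound=[Rule("tcp", 443, 443, ANY, number=100)])
    nacl_right = NetworkACL(
        inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", "deny", number=90),
                 Rule("tcp", 443, 443, ANY, number=100)],
        outbound=[Rule("tcp", 1024, 65535, ANY, number=100)])

    return {
        "sg_in": sg.allows(https_in),                          # listed: allowed
        "sg_reply": sg.allows(https_reply),                    # stateful: allowed without an outbound rule
        "sg_new_out": sg.allows(new_out),                      # not listed: implicit deny
        "nacl_wrong_in": nacl_wrong.allows(https_in),          # allowed by rule 100
        "nacl_wrong_reply": nacl_wrong.allows(https_reply),    # stateless: port 51000 not allowed, dropped
        "nacl_right_reply": nacl_right.allows(https_reply),    # ephemeral range allowed
        "nacl_deny_client": nacl_right.allows(blocked_client), # explicit deny at 90 wins over 100
        "nacl_other_client": nacl_right.allows(https_in),      # 203.0.113.10 is not in the denied range
    }


def sg_rejects_deny_rules() -> bool:
    """A security group cannot express a deny; the model refuses such a rule."""
    try:
        SecurityGroup(inbound=[Rule("tcp", 22, 22, ANY, "deny")], outbound=[])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:20s} {'ALLOW' if verdict else 'DENY'}")
    print("security group refuses deny rule:", sg_rejects_deny_rules())
```

The practical check this encodes: when an instance accepts connections but clients time out, look at the NACL outbound rules for the ephemeral port range (1024-65535 for typical Linux and Windows clients) before touching the security group, because the security group would have let the reply through on its own.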