Which stateless firewall feature controls traffic at the subnet level and lets you set explicit deny rules in addition to allow rules?

Correct answer: C

Explanation

A question asking for the subnet-level, stateless firewall that can deny traffic.

  • 1. "subnet level": control at the subnet boundary = NACL
  • 2. "set explicit deny rules": can write deny as well as allow rules (a NACL trait)
  • 3. "stateless": return traffic also needs explicit rules
A. Incorrect

Security group

A security group operates statefully at the instance level and sets allow rules only.

It is not a stateless feature that can set deny rules at the subnet level, so it is incorrect.

B. Incorrect

Route table

A route table determines routes (destination and target) and does not decide whether traffic is allowed or denied.

It is not a firewall feature, so it is incorrect.

C. Correct

Network ACL (NACL)

Correct. A network ACL (NACL) is a stateless firewall that controls traffic at the subnet level. It can set explicit deny rules in addition to allow rules and block unwanted traffic at the subnet boundary. Because it is stateless, rules for return traffic must also be defined explicitly.

D. Incorrect

IAM policy

An IAM policy defines permissions for AWS API operations (who can do what).

It is not a feature that controls network traffic at the subnet level, so it is incorrect.

Key Takeaway

NACL = subnet level, stateless, both allow and deny rules. Security group = instance level, stateful, allow rules only. This contrast comes up often.