Which statements about VPC network security are correct? (Choose TWO.)
A security group is stateful, and return traffic for allowed traffic is automatically permitted.
Correct. A security group operates statefully, and the return (outbound) traffic for allowed inbound traffic is automatically permitted.
Resources placed in a private subnet can be accessed directly from the internet.
Incorrect. A private subnet has no direct route to the internet, so its resources cannot be accessed directly from outside.
A network ACL can set explicit deny rules.
Correct. A network ACL can set explicit deny rules in addition to allow rules and block specific traffic at the subnet boundary.
A security group sets explicit deny rules.
Incorrect. A security group sets allow rules only and cannot set explicit deny rules; it is the network ACL (NACL) that can set explicit deny rules.
Even with a VPC, you cannot isolate resources at the network level.
Incorrect. A VPC provides a logically isolated network, and you can isolate resources with subnets and routing.
Key points: SG = stateful, allow only / NACL = stateless, allow + deny / private subnet = no direct access from outside / VPC = logical network isolation.