AWS Certified Cloud Practitioner

Question #1212

Which AWS service operates as a stateless firewall to regulate traffic at the subnet level of a VPC?

A. Security group

B. Network ACL

C. VPC Flow Logs

D. NAT Gateway

Explanation

The correct answer is B. Network ACL.

Why B is correct:
- Stateless: A Network ACL does not track connection state, so inbound and outbound rules are evaluated independently. Return traffic for a connection is not admitted automatically; the reply direction needs its own explicit rule (in practice, an allow for the ephemeral port range, since replies go back to the client's ephemeral source port). Rules are evaluated in ascending rule-number order and the first match wins; anything that matches no rule hits the final "*" deny.
- Subnet-level: A Network ACL is associated with one or more subnets and applies to every resource in those subnets, making it the first layer of defense before traffic ever reaches an instance's security group.

Why others are incorrect:
- A. Security group: Operates at the instance (elastic network interface) level, not the subnet, and is stateful: once a request is allowed, the reply is allowed regardless of rules in the opposite direction. It also has allow rules only and no rule ordering, unlike a Network ACL.
- C. VPC Flow Logs: A logging tool, not a firewall.
- D. NAT Gateway: Enables outbound internet access for private subnets but does not regulate traffic via firewall rules.

Key Points:
- Network ACLs = stateless + subnet-level.
- Security Groups = stateful + instance-level.
- Stateless firewalls require rules in both directions for every flow, including an outbound allow for the ephemeral port range so replies to inbound requests are not dropped.
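The stateless-versus-stateful distinction is easiest to see by checking a single TCP connection against both models. The following is an added example, not AWS code or part of the original question: it simulates the documented Network ACL evaluation rules (ascending rule number, first match wins, implicit "*" deny, no connection tracking) beside a simplified security group (allow rules only, return traffic admitted by connection tracking). All rule sets, addresses and ports below are constructed for illustration.

```python
"""Simulate AWS Network ACL (stateless, subnet level) vs Security Group
(stateful, instance level) handling of one TCP connection.
Illustrative model only; not an AWS API. All sample data is constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; evaluated lowest first (ignored for SG)
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols)
    port_from: int   # inclusive port range; ignored when protocol == "-1"
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny" (SG rules are allow only)


def _matches(r, protocol, port, addr):
    if r.protocol != "-1" and r.protocol != protocol:
        return False
    if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(r.cidr)


def nacl_decide(rules, protocol, port, addr):
    """NACL semantics: first matching rule in ascending number order decides;
    a packet matching no rule hits the trailing '*' rule and is denied."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, protocol, port, addr):
            return r.action
    return "deny"


def nacl_connection(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Request and reply are checked independently: the NACL keeps no state.
    The reply leaves the subnet addressed to the client's ephemeral port."""
    request = nacl_decide(inbound, protocol, server_port, client_ip)
    reply = nacl_decide(outbound, protocol, client_port, client_ip)
    return request, reply


def sg_connection(inbound, client_ip, client_port, server_port, protocol="tcp"):
    """Security group semantics (simplified): any matching allow rule admits the
    request; the reply is then allowed by connection tracking, whatever the
    outbound rules say."""
    request = "deny"
    for r in inbound:
        if r.action == "allow" and _matches(r, protocol, server_port, client_ip):
            request = "allow"
            break
    reply = "allow" if request == "allow" else "deny"
    return request, reply


# Constructed NACL inbound rules: HTTPS from anywhere, except one abusive /24
# that a lower-numbered deny rule catches first.
NACL_IN = [
    Rule(90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# Common mistake: outbound merely mirrors port 443, so replies to the client's
# ephemeral port match nothing and are dropped by the '*' deny.
NACL_OUT_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected: an outbound allow for the ephemeral port range carries the replies.
NACL_OUT_FIXED = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
# Constructed security group: a single inbound HTTPS allow is enough.
SG_IN = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    client, eph = "203.0.113.10", 51234
    print("NACL, outbound mirrors 443 only:", nacl_connection(NACL_IN, NACL_OUT_BROKEN, client, eph, 443))
    print("NACL, ephemeral range allowed:  ", nacl_connection(NACL_IN, NACL_OUT_FIXED, client, eph, 443))
    print("NACL, client in denied /24:     ", nacl_connection(NACL_IN, NACL_OUT_FIXED, "198.51.100.7", eph, 443))
    print("Security group, stateful:       ", sg_connection(SG_IN, client, eph, 443))
```

Running it shows the request admitted but the reply dropped under the mirrored-443 NACL, both directions passing once the ephemeral range is allowed outbound, the denied /24 blocked by rule 90 even though rule 100 would allow it, and the security group admitting the reply with no outbound rule at all. The third case also shows that the outbound check is answered on its own: the NACL has no notion that no request ever got in.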

Answer

The correct answer is: B