AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 279
Fill in the blank: One of the basic characteristics of security groups for your VPC is that you ______.
Answer options
- A. can specify allow rules, but not deny rules
- B. can specify deny rules, but not allow rules
- C. can specify allow rules as well as deny rules
- D. can neither specify allow rules nor deny rules
Correct answer: A
Explanation
AWS VPC security groups are stateful firewalls that only support allow rules, meaning any traffic not explicitly allowed is automatically blocked. Unlike Network Access Control Lists (NACLs), you cannot create explicit deny rules within a security group. Consequently, you can only specify which traffic is permitted to reach or leave your resources.