AWS Certified Cloud Practitioner (CLF-C02) — Question 442

A company runs many Amazon EC2 instances in its VPC. The company wants to use a native AWS security resource to control network traffic between certain EC2 instances.

Which AWS service or feature will meet this requirement?

Answer options

• A. Network ACLs
• B. AWS WAF
• C. Amazon GuardDuty
• D. Security groups

Correct answer: D

Explanation

Security groups act as a stateful virtual firewall for Amazon EC2 instances, controlling inbound and outbound traffic at the instance level. Network ACLs are stateless and operate at the subnet level, making them less suitable for controlling traffic between specific instances. AWS WAF protects web applications from common exploits, and Amazon GuardDuty is an intelligent threat detection service, neither of which directly manages instance-level traffic routing.