AWS Certified Cloud Practitioner — Question 435
Which AWS service or feature enables users to block the incoming or outgoing traffic associated with specific IP addresses flowing through a VPC?
Answer options
- A. Network ACLs
- B. Security groups
- C. AWS Identity and Access Management (IAM)
- D. AWS WAF
Correct answer: A
Explanation
Network ACLs operate at the subnet level and support both allow and deny rules, so users can explicitly block traffic to or from specific IP addresses. Security groups are stateful and support only allow rules, so they cannot be used to explicitly deny traffic. AWS IAM manages authentication and authorization rather than network traffic, and AWS WAF is a web application firewall that operates at Layer 7, not at the VPC network level.