AWS Certified Cloud Practitioner — Question 438
Which AWS tool acts as a firewall to control traffic in and out of subnets within a VPC?
Answer options
- A. Security group
- B. Route table
- C. VPC endpoint
- D. Network access control list (ACL)
Correct answer: D
Explanation
A network access control list (network ACL, also abbreviated NACL) acts as a stateless firewall that controls traffic entering and leaving one or more subnets within an AWS VPC. In contrast, security groups function as stateful firewalls at the instance level rather than the subnet level. Route tables simply direct traffic, while VPC endpoints enable private connections to AWS services without leaving the Amazon network.