AWS Certified SysOps Administrator – Associate (legacy) — Question 408
Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______.
Answer options
- A. can specify allow rules as well as deny rules
- B. can neither specify allow rules nor deny rules
- C. can specify allow rules, but not deny rules
- D. can specify deny rules, but not allow rules
Correct answer: C
Explanation
AWS VPC security groups are stateful and support allow rules only, meaning any traffic that is not explicitly allowed is denied by default. Unlike Network Access Control Lists (NACLs), which support both allow and deny rules, security groups do not allow you to write explicit deny rules.