AWS Certified Cloud Practitioner: Optional Security Layer for VPC Subnet Traffic Control


Question

Which of the following is an optional Security layer attached to a subnet within a VPC for controlling traffic in & out of the VPC?

Answers

A. VPC Flow Logs
B. Web Application Firewall (WAF)
C. Security Groups
D. Network ACL

Explanations

Correct Answer - D.

Network ACL can be additionally configured at the subnet level to control traffic in & out of the VPC.

Option A is incorrect.

VPC Flow Logs will capture information about IP traffic in & out of the VPC.

This will not be used for controlling purposes.

Web Application Firewall (WAF) can be configured to protect web applications from common security threats.

It can be deployed on services such as Amazon CloudFront, Application Load Balancer and Amazon API Gateway.

Option C is incorrect.

Security Groups are attached at the instance level & not at the subnet level.

For more information on security within VPC, refer to the following URL:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

The optional Security layer attached to a subnet within a VPC for controlling traffic in & out of the VPC is the Network Access Control List (NACL).

A Security Group is also used to control traffic in and out of the VPC, but it is attached at the instance level, not at the subnet level. A Web Application Firewall is used to protect web applications from common web exploits, such as SQL injection attacks and cross-site scripting attacks. VPC Flow Logs are used for capturing information about the IP traffic going to and from network interfaces in the VPC.

The Network ACL, on the other hand, is a stateless firewall that is attached to a subnet within a VPC. It is used to control inbound and outbound traffic at the subnet level. The rules in an NACL can allow or deny traffic based on the source and destination IP address, port number, and protocol. An NACL can be used to create more granular control over traffic flow in and out of a subnet than what is possible with Security Groups.

It is important to note that an NACL and a Security Group are two different things and can be used together to provide a multi-layered security approach to the VPC. While Security Groups control traffic at the instance level, an NACL provides a higher level of control over traffic flow at the subnet level.
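The two paragraphs above describe the NACL as stateless and allow/deny based, and the Security Group as an instance-level, stateful layer. The following simulation is an added example, not code from the question page or from AWS: it evaluates one constructed HTTPS flow (client 203.0.113.5 to a hypothetical web server 10.0.1.10 in subnet 10.0.1.0/24) against a numbered NACL rule set and against a security group, so you can see why a stateless NACL needs an explicit outbound rule for the client's ephemeral ports while a security group passes the reply automatically, and why an explicit "deny" for one source range is expressible only in the NACL. The model is simplified: it implements the ordered first-match evaluation with an implicit final deny and connection tracking for replies, but not the security group's own outbound rule set.

```python
"""Added example (not from the question page): a minimal simulation of how a
stateless Network ACL and a stateful security group evaluate the same TCP flow.
All addresses, ports and rules below are constructed sample data for a
hypothetical web subnet 10.0.1.0/24."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated lowest number first; first match wins
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int     # destination port range the rule covers
    port_to: int
    action: str        # "allow" or "deny" (security groups only ever "allow")


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def rule_matches(rule: Rule, proto: str, addr: str, port: int) -> bool:
    """True when the packet's protocol, address and destination port fall within the rule."""
    if rule.protocol != "-1" and rule.protocol != proto:
        return False
    if ip_address(addr) not in ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


def nacl_decision(rules, proto: str, addr: str, port: int) -> str:
    """Stateless evaluation: walk numbered rules in order, first match decides;
    the implicit final rule denies everything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, proto, addr, port):
            return rule.action
    return "deny"


def reply_of(pkt: Packet) -> Packet:
    """The server's response packet: source and destination swapped."""
    return Packet(pkt.protocol, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)


def nacl_flow(inbound_rules, outbound_rules, pkt: Packet):
    """A NACL keeps no connection table, so the reply is judged purely by the
    outbound rules, i.e. by its destination (the client's ephemeral port)."""
    inbound = nacl_decision(inbound_rules, pkt.protocol, pkt.src, pkt.dst_port)
    rep = reply_of(pkt)
    outbound = nacl_decision(outbound_rules, rep.protocol, rep.dst, rep.dst_port)
    return inbound, outbound


def security_group_flow(inbound_rules, pkt: Packet):
    """A security group is stateful: once an inbound packet is allowed, the flow
    is tracked and its reply passes without any outbound rule. The rules are
    allow-only, so a specific source cannot be denied here."""
    tracked = set()
    inbound = any(rule_matches(r, pkt.protocol, pkt.src, pkt.dst_port) for r in inbound_rules)
    if inbound:
        tracked.add((pkt.protocol, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
    rep = reply_of(pkt)
    reply_allowed = (rep.protocol, rep.dst, rep.dst_port, rep.src, rep.src_port) in tracked
    return inbound, reply_allowed


# Constructed rule sets (sample data, not taken from any real account).
NACL_INBOUND = [
    Rule(90, "tcp", "198.51.100.0/24", 443, 443, "deny"),   # explicit deny for one range
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # HTTPS from anywhere
]
# Outbound set that forgets the ephemeral port range: replies are dropped.
NACL_OUTBOUND_MISSING_EPHEMERAL = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Outbound set that lets replies reach clients' ephemeral ports.
NACL_OUTBOUND_CORRECT = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]
SG_INBOUND = [Rule(0, "tcp", "0.0.0.0/0", 443, 443, "allow")]

CLIENT = Packet("tcp", "203.0.113.5", 51234, "10.0.1.10", 443)
BLOCKED_CLIENT = Packet("tcp", "198.51.100.7", 40000, "10.0.1.10", 443)

if __name__ == "__main__":
    print("NACL, correct outbound:  ", nacl_flow(NACL_INBOUND, NACL_OUTBOUND_CORRECT, CLIENT))
    print("NACL, no ephemeral rule: ", nacl_flow(NACL_INBOUND, NACL_OUTBOUND_MISSING_EPHEMERAL, CLIENT))
    print("NACL, denied source:     ", nacl_flow(NACL_INBOUND, NACL_OUTBOUND_CORRECT, BLOCKED_CLIENT))
    print("Security group:          ", security_group_flow(SG_INBOUND, CLIENT))
    print("Security group, same src:", security_group_flow(SG_INBOUND, BLOCKED_CLIENT))
```

Running it shows the practical consequence of the stateless/stateful distinction: the NACL without the 1024-65535 outbound rule admits the request but drops the server's reply, the NACL with rule 90 rejects the 198.51.100.0/24 client before rule 100 is even considered, and the security group passes both the request and its reply for either client because its allow-only rules have no way to single out a source for denial. This is why the two layers are used together rather than as substitutes.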