AWS Certified Cloud Practitioner Exam: Firewall for VPC and EC2 Instances

Question

You have a set of EC2 Instances hosted on the AWS Cloud.

The EC2 Instances are hosting a web application.

Which of the following acts as a firewall to your VPC and the instances in it? Choose 2 answers from the options given below.

Answers

Answer - A and C.

The AWS Documentation mentions the following.

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

For more information on Security Groups, please refer to the following link:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

For more information on Network Access Control Lists, please refer to the following link:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

The two answers that act as a firewall to your VPC and the instances in it are:

A. Usage of Security Groups

C. Usage of Network Access Control Lists

Explanation:

A Security Group is a virtual firewall that controls inbound and outbound traffic for one or more instances in a VPC. You can think of a security group as a set of firewall rules that control the traffic for your instance. In AWS, each instance must be associated with at least one security group. You can add rules to each security group that allow traffic to or from its associated instances. The rules of a security group are evaluated in the order in which they are created, and the first rule that matches traffic is applied. Security groups are stateful, meaning that any traffic allowed in is automatically allowed back out.

Network Access Control Lists (NACLs) are another security layer for your VPC that act as a stateless packet filter. NACLs are associated with subnets and evaluate inbound and outbound traffic based on rules that you define. Unlike security groups, NACLs evaluate traffic at the subnet level, and each subnet must be associated with one NACL. NACLs provide more granular control over inbound and outbound traffic, but they are also more complex to configure and manage than security groups.
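The stateful-versus-stateless difference described above is easiest to see on one concrete flow. The following toy model is an added example written for this page (it is not AWS code and not from the original page): it evaluates an HTTPS request and its reply against a security group that has only an inbound rule, and against two NACLs, one without and one with an outbound rule for the client's ephemeral ports. The instance address (10.0.1.5) and the client address (203.0.113.10, a documentation range) are constructed sample values.

```python
# Toy model, written for this page (not AWS code), of the two VPC firewall layers:
# a stateful security group and a stateless network ACL, checked against one HTTPS flow.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "direction proto src dst sport dport")  # "in"=to instance, "out"=from it

def matches(p, proto, lo, hi, cidr):
    """A rule names a protocol, a destination port range and the remote peer's CIDR."""
    peer = p.src if p.direction == "in" else p.dst
    return p.proto == proto and lo <= p.dport <= hi and ip_address(peer) in ip_network(cidr)

class SecurityGroup:
    """Allow-only rules. Stateful: once a flow is allowed, its replies are allowed too."""
    def __init__(self, inbound=(), outbound=()):  # rule: (proto, lo, hi, cidr)
        self.inbound, self.outbound, self.flows = list(inbound), list(outbound), set()

    def allows(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:  # reply of a tracked flow
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        if any(matches(p, *r) for r in rules):
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return False

class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, implicit deny at the end. Stateless:
    every packet, replies included, must match an explicit rule for its own direction."""
    def __init__(self, inbound=(), outbound=()):  # rule: (number, action, proto, lo, hi, cidr)
        self.inbound, self.outbound = list(inbound), list(outbound)

    def allows(self, p):
        rules = self.inbound if p.direction == "in" else self.outbound
        for _, action, proto, lo, hi, cidr in sorted(rules):
            if matches(p, proto, lo, hi, cidr):
                return action == "allow"
        return False

def check_flow(firewall):
    """Constructed HTTPS flow from a client on a documentation address: (request ok?, reply ok?)."""
    request = Packet("in", "tcp", "203.0.113.10", "10.0.1.5", 51515, 443)
    reply = Packet("out", "tcp", "10.0.1.5", "203.0.113.10", 443, 51515)
    return firewall.allows(request), firewall.allows(reply)

SG = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")])  # no outbound rule: reply rides on state
NACL_HALF = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])  # reply is dropped
NACL_FULL = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])  # ephemeral ports
```

`check_flow(SG)` and `check_flow(NACL_FULL)` both give `(True, True)`, while `check_flow(NACL_HALF)` gives `(True, False)`: the stateless subnet filter silently breaks the web application unless return traffic to ephemeral ports is allowed explicitly.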

D. Usage of the Internet gateway: An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a VPC and the internet. It provides a target in your VPC route tables for internet-routable traffic and performs network address translation (NAT) for instances that have been assigned public IP addresses. While an internet gateway allows traffic to flow in and out of your VPC, it does not act as a firewall to control or restrict that traffic.

B. Usage of AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configuration of your AWS resources continuously. It helps you identify and respond to security and compliance risks across your resource inventory. While AWS Config can help you identify security risks and vulnerabilities, it is not a firewall service and does not control traffic flow or restrict access to your resources.