AWS Cloud, ~20 mins

Security groups vs NACLs decision in AWS - Practice Questions

Challenge - 5 Problems
Conceptual (intermediate)
Understanding Security Groups and NACLs

Which statement correctly describes the main difference between Security Groups and Network ACLs (NACLs) in AWS?

A. NACLs are stateful and control traffic for individual instances, while Security Groups are stateless and control traffic at the subnet level.
B. Security Groups act as virtual firewalls for instances and are stateful, while NACLs are stateless and operate at the subnet level.
C. Both Security Groups and NACLs are stateful and operate at the instance level.
D. Security Groups and NACLs both operate at the subnet level and are stateless.
💡 Hint

Think about where each one applies and whether they remember previous traffic.

Architecture (intermediate)
Choosing Between Security Groups and NACLs

You want to protect a public subnet in your VPC from unwanted inbound traffic but allow all outbound traffic. Which AWS feature should you configure primarily to block unwanted inbound traffic efficiently?

A. Configure only Security Groups to deny unwanted inbound traffic; NACLs are not needed.
B. Configure a Security Group with rules to deny unwanted inbound traffic and allow all outbound traffic.
C. Configure both Security Groups and NACLs to deny unwanted inbound traffic and allow all outbound traffic.
D. Configure a Network ACL with rules to deny unwanted inbound traffic and allow all outbound traffic.
💡 Hint

Consider which feature applies at the subnet level and can block traffic before it reaches instances.

Security (advanced)
Impact of Stateless NACLs on Return Traffic

You have a NACL that allows inbound HTTP (port 80) traffic but does not explicitly allow outbound HTTP traffic. What will happen when a client tries to access a web server in the subnet?

A. The client will connect, but responses will be delayed due to NACL processing.
B. The client connection will fail because Security Groups block inbound HTTP traffic by default.
C. The client will not receive responses because NACLs are stateless and outbound HTTP traffic is blocked by default.
D. The client will successfully connect and receive responses because Security Groups allow return traffic automatically.
💡 Hint

Remember that NACLs are stateless and require explicit rules for both inbound and outbound traffic.

Best Practice (advanced)
Best Practice for Layered Security in AWS Networking

Which approach best follows AWS security best practices for controlling traffic to instances in a public subnet?

A. Use NACLs to block unwanted inbound traffic and Security Groups to allow only necessary inbound traffic to instances.
B. Use only Security Groups to control all inbound and outbound traffic to instances.
C. Use Security Groups to block all inbound traffic and NACLs to allow only necessary inbound traffic to instances.
D. Use only NACLs to control all inbound and outbound traffic at the subnet level.
💡 Hint

Think about defense in depth and where each control is applied.

Service Behavior (expert)
Effect of Overlapping Rules in Security Groups and NACLs

You have a Security Group that allows inbound SSH (port 22) from anywhere and a NACL that denies inbound SSH from all IPs. What will be the result when you try to SSH into an instance in that subnet?

A. SSH connections will be blocked because NACLs deny traffic before Security Groups allow it.
B. SSH connections will succeed because Security Groups allow the traffic and are stateful.
C. SSH connections will be allowed only if the instance is in a private subnet.
D. SSH connections will fail due to conflicting rules causing a timeout.
💡 Hint

Consider the order in which AWS processes NACLs and Security Groups.