Option B is correct. Security groups are stateful virtual firewalls attached to ENIs/instances. They permit only allow rules; any traffic not explicitly allowed is implicitly denied. You cannot add explicit deny rules. Options A and D are wrong because explicit deny rules are not supported, and security groups are attached to ENIs/instances rather than applied at the subnet level. Option C is wrong because security groups are stateful, so return traffic is automatically allowed without matching outbound rules.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Security Groups in AWS?
Open an interactive chat with Bash
What are Network Access Control Lists (ACLs)?
Open an interactive chat with Bash
How do the rules in Security Groups and ACLs differ?