1. AWS Documentation: VPC User Guide - Network ACLs. This document states
"A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets." It also specifies under "Network ACL rules" that rules can either "ALLOW" or "DENY" traffic. The solution in option D correctly applies a DENY rule to the outbound traffic of the source subnet.
Source: AWS VPC User Guide
Section: "Control traffic to subnets using network ACLs"
Sub-section: "Network ACL rules".
2. AWS Documentation: VPC User Guide - Security groups. This document clarifies the function of security groups, stating "A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic." Under "Security group rules" it specifies "Security group rules are always permissive; you can't create rules that deny access." This directly invalidates options A and B.
Source: AWS VPC User Guide
Section: "Control traffic to resources using security groups"
Sub-section: "Security group rules".
3. AWS Documentation: VPC User Guide - Compare security groups and network ACLs. This comparison table explicitly highlights the key differences. It shows that security groups operate at the instance level and support "Allow rules only" while network ACLs operate at the subnet level and support "Allow and deny rules." This confirms that a NACL is the correct tool for a deny action and that applying it to the source subnet's outbound traffic (as in option D) is the correct implementation.
Source: AWS VPC User Guide
Section: "Control traffic to resources using security groups"
Sub-section: "Compare security groups and network ACLs".
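To make the distinction the three references draw concrete, the following added example (not AWS code) models how a network ACL evaluates an outbound packet against numbered allow/deny rules versus how a security group, with allow-only rules, evaluates the same packet. Subnet CIDRs, rule numbers and the destination addresses are constructed sample values; protocol and port matching are left out to keep the model short.

```python
"""Evaluation model for an AWS network ACL versus a security group (added example).

NACL: rules evaluated in ascending rule-number order, first match wins, and an
implicit final '*' rule denies anything unmatched. Security group: every rule is
an allow; the only possible deny is the absence of a matching rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int
    egress: bool
    cidr: str
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    egress: bool
    cidr: str  # no action field: a security group rule can only allow


def nacl_decision(rules, egress, dest_ip):
    for r in sorted(rules, key=lambda r: r.number):
        if r.egress == egress and ip_address(dest_ip) in ip_network(r.cidr):
            return r.action  # first matching rule decides
    return "deny"  # implicit '*' deny rule


def sg_decision(rules, egress, dest_ip):
    hit = any(r.egress == egress and ip_address(dest_ip) in ip_network(r.cidr) for r in rules)
    return "allow" if hit else "deny"


# Option D: NACL on the source subnet denying outbound traffic to the target
# subnet (constructed CIDR 10.0.2.0/24) ahead of the usual allow-all rule.
SOURCE_SUBNET_NACL = [
    NaclRule(100, egress=True, cidr="10.0.2.0/24", action="deny"),
    NaclRule(200, egress=True, cidr="0.0.0.0/0", action="allow"),
]


def option_d_blocks_target():
    return nacl_decision(SOURCE_SUBNET_NACL, egress=True, dest_ip="10.0.2.15")


def option_d_allows_other_destinations():
    return nacl_decision(SOURCE_SUBNET_NACL, egress=True, dest_ip="10.0.3.15")


def misordered_deny_is_never_reached():
    # Same two rules with the deny numbered after the allow-all: allow wins.
    swapped = [NaclRule(100, True, "0.0.0.0/0", "allow"), NaclRule(200, True, "10.0.2.0/24", "deny")]
    return nacl_decision(swapped, egress=True, dest_ip="10.0.2.15")


def security_group_cannot_carve_out_deny():
    # An allow-all egress rule cannot be narrowed by a deny (options A and B).
    return sg_decision([SgRule(egress=True, cidr="0.0.0.0/0")], egress=True, dest_ip="10.0.2.15")
```

The misordered case is the operational pitfall to check when auditing a NACL: a deny that sorts after a broader allow is dead configuration.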