Which statement correctly differentiates security groups and Network ACLs?

• A. Security groups are stateless, subnet-level filters; NACLs are stateful, instance-level firewalls.
• B. Security groups are stateful, instance-level firewalls; NACLs are stateless, subnet-level filters.
• C. Both are the same and interchangeable.
• D. NACLs are only for outbound filtering.

Answer: (B)

Security groups are stateful, instance-level firewalls; NACLs are stateless, subnet-level filters. This distinction matters because a security group attached to an instance tracks connections, so if inbound traffic is allowed, the return traffic is automatically allowed outbound as part of that same connection. They apply to the instance’s network interfaces, and you can assign multiple security groups to an instance for flexible permission sets. NACLs, by contrast, operate at the subnet boundary and apply to all traffic entering or leaving the subnet, with rules evaluated in order. Since they are stateless, you must explicitly permit both directions for a given flow, as responses aren’t auto-allowed. This difference in scope (instance vs subnet) and statefulness (stateful vs stateless) is what makes the stated differentiation correct. The other descriptions don’t fit because they swap where the filtering happens or misstate whether the filtering is stateful or stateless.