Explanation
Security groups act as virtual firewalls for EC2 instances and control inbound and outbound traffic at the instance level. Here's why this is the correct answer:
- Instance-level protection: Security groups are associated with individual EC2 instances and provide granular control over traffic to and from that specific instance
- Stateful filtering: Security groups are stateful, meaning that if an inbound connection is allowed, the return traffic for that connection is automatically allowed back out
- Default deny: Security groups permit only traffic that matches an explicit allow rule; everything else is denied, so you must add rules for the traffic you want
Why the other options are incorrect:
- NAT gateway: Provides internet connectivity for private subnets but doesn't function as a firewall for individual instances
- Network ACL: Operates at the subnet level (not instance level) and provides stateless filtering for all instances in a subnet
- Route table: Controls traffic routing between subnets and to external networks, but doesn't provide firewall functionality
Security groups are the appropriate choice when you need firewall protection specific to individual EC2 instances.