Explanation
Network ACL (Network Access Control List) is the correct answer because:
- Network ACLs operate at the subnet level in Amazon VPC and can control both inbound and outbound traffic
- They are stateless, so return traffic is not tracked and must be explicitly allowed by outbound rules
- Network ACLs can be used to create firewall-like rules for entire subnets
Why the other options are incorrect:
- Security groups: These operate at the instance level (not subnet level) and are stateful
- AWS WAF: This is a web application firewall that protects web applications from common exploits, not VPC subnet traffic
- AWS Firewall Manager: This is a security management service for centrally configuring and managing firewall rules across accounts and applications; it is not the direct tool for setting up subnet-level firewalls
Network ACLs provide the fundamental firewall functionality for controlling traffic at the VPC subnet level in AWS.
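As an added illustration (not part of the original explanation), a small Python model of the stateless-versus-stateful difference described above. The rule numbers, CIDRs and ports are constructed; evaluation follows the ascending-rule-number, first-match, default-deny order that NACLs use, and the stateful security group is modelled by reusing the same matcher for the request only.

```python
"""Constructed model of how a stateless network ACL differs from a stateful security group.
Rules are evaluated in ascending rule number, first match wins, unmatched traffic is denied."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order, lowest first
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # simplified matching: exact CIDR string or "0.0.0.0/0"
    action: str      # "allow" or "deny"

def _matches(rule, protocol, port, cidr):
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return rule.cidr in ("0.0.0.0/0", cidr)

def nacl_decision(rules, protocol, port, cidr):
    """Stateless: each packet is judged only against the rule set for its own direction."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, cidr):
            return rule.action
    return "deny"  # the implicit final '*' rule

def nacl_https_session(inbound, outbound, client_cidr, ephemeral_port):
    """Client -> subnet on tcp/443, reply -> the client's ephemeral port.
    Both legs need an explicit allow because the NACL keeps no connection state."""
    request = nacl_decision(inbound, "tcp", 443, client_cidr)
    reply = nacl_decision(outbound, "tcp", ephemeral_port, client_cidr)
    return request == "allow" and reply == "allow"

def sg_https_session(inbound, client_cidr):
    """Stateful security group: once the request is allowed, the reply is allowed automatically."""
    return nacl_decision(inbound, "tcp", 443, client_cidr) == "allow"

# Constructed rule sets: inbound allows HTTPS; one outbound set forgets the ephemeral range.
INBOUND = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    client = "203.0.113.5/32"
    print(nacl_https_session(INBOUND, OUTBOUND_MISSING_EPHEMERAL, client, 50000))  # False
    print(nacl_https_session(INBOUND, OUTBOUND_WITH_EPHEMERAL, client, 50000))     # True
    print(sg_https_session(INBOUND, client))                                        # True
```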