Explanation
Security Groups (Option A) and Network Access Control Lists (Option C) are the correct choices for reducing DDoS threats to EC2 instances.
Security Groups:
- Act as a virtual firewall for your EC2 instances
- Control inbound and outbound traffic at the instance level
- Can be configured to allow only necessary traffic; anything that matches no allow rule, including unwanted DDoS traffic, is dropped
- Provide stateful filtering: return traffic for an allowed connection is permitted automatically, without a matching outbound rule
Network Access Control Lists (NACLs):
- Provide an additional layer of security at the subnet level
- Act as a stateless firewall for controlling traffic in and out of subnets
- Can be used to block specific IP ranges or protocols associated with DDoS attacks
- Offer rule-based filtering for both inbound and outbound traffic
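As an added illustration (not part of the original explanation and not AWS code), the following Python model of the two semantics uses constructed rules and documentation-range addresses to show why a reply needs no Security Group rule but does need an outbound NACL rule, and why only a NACL can deny a source range.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the two layers described above; not AWS code, no AWS API calls.
Packet = namedtuple("Packet", "src dst proto port inbound")  # port = destination port

@dataclass
class SecurityGroup:
    """Stateful and allow-only: a matching rule allows, and there is no deny rule."""
    inbound: list = field(default_factory=list)   # (proto, port, cidr)
    outbound: list = field(default_factory=list)
    flows: set = field(default_factory=set)       # (client, instance, proto) already allowed
    def allows(self, p) -> bool:
        if (p.dst, p.src, p.proto) in self.flows:  # return traffic of a tracked flow
            return True
        peer = p.src if p.inbound else p.dst
        for proto, port, cidr in (self.inbound if p.inbound else self.outbound):
            if proto == p.proto and port == p.port and ip_address(peer) in ip_network(cidr):
                self.flows.add((p.src, p.dst, p.proto))
                return True
        return False

@dataclass
class NetworkAcl:
    """Stateless: rules are tried in ascending number, first match wins, then implicit deny."""
    inbound: list = field(default_factory=list)   # (number, proto, (lo, hi), cidr, action)
    outbound: list = field(default_factory=list)
    def allows(self, p) -> bool:
        peer = p.src if p.inbound else p.dst
        rules = sorted(self.inbound if p.inbound else self.outbound, key=lambda r: r[0])
        for _, proto, (lo, hi), cidr, action in rules:
            if proto in (p.proto, "all") and lo <= p.port <= hi and ip_address(peer) in ip_network(cidr):
                return action == "allow"
        return False

def demo() -> dict:
    sg = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")])             # only HTTPS in
    acl = NetworkAcl(
        inbound=[(50, "all", (0, 65535), "203.0.113.0/24", "deny"),      # flooding range, lowest number
                 (100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
        outbound=[(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")])   # ephemeral ports for replies
    bare = NetworkAcl(inbound=acl.inbound)                               # same, but no outbound rule
    client = Packet("198.51.100.7", "10.0.1.10", "tcp", 443, True)
    reply = Packet("10.0.1.10", "198.51.100.7", "tcp", 51000, False)
    flood = Packet("203.0.113.9", "10.0.1.10", "tcp", 443, True)
    return {"sg_client": sg.allows(client), "sg_reply": sg.allows(reply),  # reply: stateful, no rule needed
            "sg_flood": sg.allows(flood),                                   # a Security Group cannot deny a range
            "acl_client": acl.allows(client), "acl_reply": acl.allows(reply),
            "acl_flood": acl.allows(flood), "acl_reply_bare": bare.allows(reply)}  # rule 50 first; no ephemeral rule
```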
Why other options are incorrect:
- AWS Config (Option B): A service for assessing, auditing, and evaluating AWS resource configurations, not for real-time DDoS protection
- Internet Gateway (Option D): A VPC component that enables communication between instances in your VPC and the internet, but doesn't provide DDoS mitigation capabilities
For comprehensive DDoS protection, AWS also recommends using AWS Shield and AWS WAF services in addition to Security Groups and NACLs.