Which TWO of the following are valid ways to control inbound traffic to an EC2 instance? (Select TWO.)
NACLs are stateless firewalls applied at the subnet level.
Why this answer
Options A and D are correct because security groups are stateful firewalls for instances, and NACLs are stateless firewalls for subnets. Option B is wrong because IAM does not control network traffic. Option C is wrong because CloudWatch monitors, not controls.
Option E is wrong because KMS manages encryption keys.