A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet created with default ACL settings. The IT Security department has identified a DoS attack from a suspecting IP. How would you protect the subnets from this attack?

Answer options:

A.Change the Inbound Security Groups to deny access from the suspecting IP.
B.Change the Outbound Security Groups to deny access from the suspecting IP.
C.Change the Inbound NACL to deny access from the suspecting IP.
D.Change the Outbound NACL to deny access from the suspecting IP.

Correct Answer – C
Options A and B are invalid because the Security Groups block traffic by default. You can use NACLs as an additional security layer for the subnet to deny traffic.
Option D is invalid since just changing the Inbound Rules is sufficient.
AWS Documentation mentions the following.
A Network Access Control List (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups to add an additional layer of security to your VPC. 
For more information on Network Access Control Lists, please visit the following URL-
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html