Which statement best describes the roles of security groups, firewalls, and ACLs in a cloud network and their best practices?

Multiple Choice

Which statement best describes the roles of security groups, firewalls, and ACLs in a cloud network and their best practices?

Explanation:
At heart, cloud networks use layered traffic controls that operate at different points in the stack. Security groups act as the access filter for individual resources; they’re like small, resource-specific firewalls attached to each instance or service, controlling which traffic is allowed to reach or leave that resource. Firewalls provide broader policy enforcement across larger scopes, such as between networks or at the network edge, applying rules that govern traffic across multiple resources and segments. ACLs are applied at the subnet level, shaping traffic entering or leaving entire subnets and often operating in a more coarse-grained, stateless way that requires explicit inbound and outbound rules.

The statement that ties these roles together and adds practical guidance is the one that says security groups control traffic to resources, firewalls provide broader policy enforcement, ACLs apply at the subnet level, and best practices include least privilege, restrict by IP, document changes, and monitor changes. This reflects how you should configure and manage access: grant only what’s necessary (least privilege), narrow access by IP to limit exposure, keep records of who changed what (document changes), and actively watch for and review changes (monitor changes) to prevent drift and unauthorized access.

The other options misstate or incompletely capture how these controls operate. For example, security groups aren’t only at the network edge and firewalls are still needed in modern cloud setups; best practices certainly aren’t to allow wide access or skip auditing; and while ACLs do apply at the subnet level, that alone doesn’t describe their role or the full best-practice approach.
