d) allow all outbound traffic and deny all inbound traffic
When a Security Group is created, it has no inbound rules, so all inbound traffic is denied until inbound rules are added. It also includes a default outbound rule that allows all outbound traffic. This rule can be removed, and outbound rules can be added to allow specific outbound traffic.

Video for reference: Elastic Cloud Compute