AWS Security groups and AWS VPC Network ACLs are 2 solutions for controlling traffic in VPCs.
When rules in either deny an IP packet, do they REJECT or DROP (in the iptables sense)?
That is: are packets silently dropped, or does the firewall respond with a RST/ACK (tcp) or ICMP Port Unreachable packet?
I ran some experiments here: https://github.com/turtlemonvh/aws-network-experiments
Traffic denied by either AWS security group rules and network ACLs behaves identically to traffic encountering an iptables DROP rule (vs REJECT or REJECT --reject-with tcp-reset). No response is sent in either case.