## Key Points

Review the key points below before moving on to the assessment work.
- Security Groups (SG)
  - Security Groups are stateful firewalls that we attach to our AWS resources, allowing us to control what network traffic is permitted to connect to that resource.
  - SGs are created with a default `ALLOW` rule for outbound connections.
  - You cannot configure an SG with a `DENY` rule, only `ALLOW` rules. Any connection that is not permitted explicitly via an `ALLOW` is rejected/denied via a (hidden) implicit `DENY`.
  - When multiple SGs are attached to a resource, one big list of rules is computed and evaluated at the time a connection is made. If a single rule permits the connection via an `ALLOW`, the connection is let through and evaluation stops.
  - An SG can reference other SG IDs in its list of rules, allowing you to abstract away subnet CIDR ranges in favour of SG IDs. If a rule `ALLOW`s a connection from an SG ID, then any resource with that SG ID attached to it will be allowed to connect to the resource (on the specified ports via the specified protocols).
- Network Access Control Lists (NACL)
  - Network ACLs are non-stateful firewalls that we attach to our subnets. They act as a barrier on subnets to define what inbound or outbound traffic is permitted.
  - NACLs are not stateful, so you must define an `ALLOW` rule in both directions for return traffic to work. One thing to consider here is that the client's port is unknown at the time of defining these rules, so it's common to see all outbound traffic simply being permitted to particular CIDR ranges.
  - You can only attach one (`1`) NACL to a subnet.
  - NACLs allow you to `ALLOW` and `DENY` specific traffic. This means you can explicitly prevent traffic with a `DENY` rule.
  - NACL rules are numbered, and the number represents the order in which rules are evaluated. This allows you to prioritise rules that are important to you to permit or prevent traffic before another rule gets a chance to potentially do the wrong thing.
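The following is an added example, not part of the course material: a small Python model of the evaluation semantics described in both key-point lists. It shows Security Groups as a union of ALLOW-only rules with an implicit DENY, SG-ID references that match on the client's attached SG rather than its IP, and the stateful shortcut that needs no return rule; and it shows NACLs as numbered, first-match-wins rules that can DENY, plus the stateless requirement that the reply to the client's ephemeral port must also be allowed outbound. All SG IDs (`sg-web`, `sg-db`, `sg-admin`), CIDRs and ports are constructed sample values, and the functions are hypothetical helpers written for this illustration, not an AWS API.

```python
"""Toy model of AWS Security Group vs Network ACL rule evaluation.
Added for illustration; all ids, CIDRs and ports are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SGRule:
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # a CIDR ("10.0.0.0/8") or another SG id ("sg-web")


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluation order: lowest number first
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str     # "ALLOW" or "DENY"


def _proto_port_ok(rule_proto, rule_from, rule_to, proto, port):
    """Protocol/port match shared by both rule types ("-1" means any)."""
    if rule_proto == "-1":
        return True
    return rule_proto == proto and rule_from <= port <= rule_to


def sg_allows_inbound(attached, rules_by_sg, src_ip, src_sgs, proto, port):
    """Union of every attached SG's inbound rules; the first matching ALLOW
    admits the connection; no match means the implicit DENY. A rule whose
    source is an SG id matches when the *client* has that SG attached,
    whatever its IP. SGs are stateful, so the reply needs no outbound rule."""
    for sg_id in attached:
        for r in rules_by_sg.get(sg_id, ()):
            if not _proto_port_ok(r.protocol, r.from_port, r.to_port, proto, port):
                continue
            if r.source.startswith("sg-"):
                if r.source in src_sgs:
                    return True
            elif ip_address(src_ip) in ip_network(r.source):
                return True
    return False


def nacl_decision(rules, ip, proto, port):
    """Walk rules in ascending number order; the first match decides.
    Nothing matching falls through to the catch-all '*' rule, which denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if (_proto_port_ok(r.protocol, r.from_port, r.to_port, proto, port)
                and ip_address(ip) in ip_network(r.cidr)):
            return r.action == "ALLOW"
    return False


def nacl_permits(inbound, outbound, client_ip, client_port, proto, server_port):
    """NACLs are stateless: the request must pass the inbound rules AND the
    reply (to the client's ephemeral port) must pass the outbound rules."""
    return (nacl_decision(inbound, client_ip, proto, server_port)
            and nacl_decision(outbound, client_ip, proto, client_port))


# Constructed sample: a web tier SG, a database SG that trusts the web tier
# by SG id, and an admin SG that allows SSH from a private range.
SG_RULES = {
    "sg-web":   [SGRule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-db":    [SGRule("tcp", 5432, 5432, "sg-web")],
    "sg-admin": [SGRule("tcp", 22, 22, "10.0.0.0/8")],
}

# Constructed sample NACL: rule 100 blocks one range before rule 200 opens
# 443 to everyone; outbound is the usual wide ephemeral-port allow for replies.
NACL_IN = [
    NaclRule(100, "tcp", 443, 443, "203.0.113.0/24", "DENY"),
    NaclRule(200, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
]
NACL_OUT = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "ALLOW")]


def demo():
    """Return named outcomes so each key point above can be checked."""
    db_attached = ["sg-db", "sg-admin"]
    swapped = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
               NaclRule(200, "tcp", 443, 443, "203.0.113.0/24", "DENY")]
    return {
        # SG id reference: the client's attached SG, not its IP, decides.
        "db_from_web_tier": sg_allows_inbound(db_attached, SG_RULES, "10.0.1.10", {"sg-web"}, "tcp", 5432),
        "db_from_stray_host": sg_allows_inbound(db_attached, SG_RULES, "10.0.1.10", set(), "tcp", 5432),
        # Union across both attached SGs admits SSH from 10/8; internet hits implicit DENY.
        "ssh_from_corp": sg_allows_inbound(db_attached, SG_RULES, "10.1.2.3", set(), "tcp", 22),
        "ssh_from_internet": sg_allows_inbound(db_attached, SG_RULES, "198.51.100.7", set(), "tcp", 22),
        # NACL ordering: DENY at 100 wins for its range, ALLOW at 200 for the rest.
        "nacl_https_ok": nacl_permits(NACL_IN, NACL_OUT, "198.51.100.7", 51000, "tcp", 443),
        "nacl_https_blocked": nacl_permits(NACL_IN, NACL_OUT, "203.0.113.5", 51000, "tcp", 443),
        # Same inbound ALLOW, but no outbound rule for the reply: stateless means it fails.
        "nacl_no_return_rule": nacl_permits(NACL_IN, [], "198.51.100.7", 51000, "tcp", 443),
        # Swapping the numbers means the DENY is never reached.
        "nacl_swapped_order": nacl_permits(swapped, NACL_OUT, "203.0.113.5", 51000, "tcp", 443),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

Running it prints one line per scenario. The two cases worth dwelling on are `nacl_no_return_rule`, where an inbound ALLOW alone is not enough because the NACL never sees the connection state, and `nacl_swapped_order`, where the same DENY rule becomes dead because a lower-numbered ALLOW matches first; both are the failure modes the NACL key points warn about.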