Review the below key points before moving onto the assessment work.
- Security Groups (SG)
Security Groups are stateful firewalls that we attach to our AWS resources, allowing us to control what network traffic is permitted to connect to that resource.
SGs are created with a default `ALLOW` rule for outbound connections.
You cannot configure a SG with a `DENY` rule; SGs only have `ALLOW` rules. Any connection that is not permitted explicitly via an `ALLOW` is rejected/denied via a (hidden) implicit `DENY`.
When multiple SGs are attached to a resource, one big list of rules is computed and evaluated at the time of a connection being made. If a single rule permits the connection via an `ALLOW`, the connection is let through and evaluation stops.
An SG can reference other SG IDs in its list of rules, allowing you to abstract away subnet CIDR ranges in favour of SG IDs. If a rule `ALLOW`s a connection from an SG ID, then any resource with that SG ID attached to it will be allowed to connect to the resource (on the specified ports via the specified protocols).
- Network Access Control Lists (NACL)
Network ACLs are non-stateful firewalls that we attach to our subnets. They act as a barrier on subnets to define what inbound or outbound traffic is permitted.
NACLs are not stateful, so you must define an `ALLOW` rule in both directions for return traffic to work. One thing to consider here is that the client's port is unknown at the time of defining these rules, so it's common to see all outbound traffic simply being permitted to particular CIDR ranges.
You can only attach one (1) NACL to a subnet.
NACLs allow you to `DENY` specific traffic. This means you can explicitly prevent traffic with a `DENY` rule.
NACL rules are numbered, and the number represents the order in which rules are evaluated. This allows you to prioritise rules that are important to you to permit or prevent traffic before another rule gets a chance to potentially do the wrong thing.
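To make the two evaluation models concrete, here is an added example (not part of the original notes) that models SG evaluation (merged ALLOW-only rules, SG-ID references, implicit DENY) and NACL evaluation (numbered rules, first match wins, explicit DENY, stateless return traffic). The rule shapes, SG IDs and addresses are hypothetical and constructed for the example.

```python
# Added example (not part of the original notes): a small model of how AWS
# evaluates Security Group rules versus Network ACL rules. Hypothetical rule shapes.
import ipaddress
from dataclasses import dataclass

def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass
class SgRule:            # SG rules are ALLOW only; src is a CIDR or an SG id
    proto: str
    from_port: int
    to_port: int
    src: str

def sg_allows(attached_sgs, proto, port, src_ip, src_sg_ids=()):
    """All attached SGs are merged into one rule list. Any matching ALLOW
    admits the connection; no match means the hidden implicit DENY."""
    for rules in attached_sgs.values():
        for r in rules:
            if r.proto != proto or not (r.from_port <= port <= r.to_port):
                continue
            if r.src.startswith("sg-"):
                if r.src in src_sg_ids:      # source carries the referenced SG
                    return True
            elif _in_cidr(src_ip, r.src):
                return True
    return False   # SGs are stateful: return traffic needs no rule

@dataclass
class NaclRule:          # NACLs have numbered ALLOW and DENY rules
    number: int
    action: str
    proto: str
    from_port: int
    to_port: int
    cidr: str

def nacl_decision(rules, proto, port, ip):
    """Lowest rule number first; the first match decides. No match falls
    through to the implicit '*' DENY."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.proto in (proto, "all") and r.from_port <= port <= r.to_port
                and _in_cidr(ip, r.cidr)):
            return r.action
    return "DENY"

def nacl_flow_permitted(inbound, outbound, proto, server_port, client_ip, client_port):
    """NACLs are stateless: the request (in) and the reply (out, to the client's
    ephemeral port) are each checked against their own rule list."""
    return (nacl_decision(inbound, proto, server_port, client_ip) == "ALLOW"
            and nacl_decision(outbound, proto, client_port, client_ip) == "ALLOW")
```

The last function shows why an outbound NACL that only allows port 443 silently breaks replies to a client's ephemeral port, which is the reason the notes mention permitting broad outbound ranges.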