
Key Points

Review the key points below before moving on to the assessment work.

Security Groups (SG)

Security Groups are stateful firewalls attached to the network interface of an AWS resource (an EC2 instance, an RDS instance, a load balancer, and so on). They control which network traffic is permitted to reach that resource and, because they are stateful, the return traffic for an allowed connection is permitted automatically without a matching rule in the opposite direction.

A newly created SG has a single default outbound rule that ALLOWs all traffic to any destination, and no inbound rules at all. Until you add an inbound rule, nothing can initiate a connection to the resource; the default outbound rule, however, means a compromised resource can reach anything unless you tighten it.

You cannot configure a SG with a DENY rule, only ALLOW rules. Any connection that is not explicitly permitted by an ALLOW rule is dropped by the implicit DENY that sits behind every SG.

When multiple SGs are attached to a resource, the rules of all of them are pooled into a single set and evaluated together when a connection arrives. If any one rule ALLOWs the connection, it is let through; AWS applies the most permissive rule, and there is no ordering between groups. The practical consequence is that a tightly scoped SG cannot veto a permissive one attached to the same resource: adding an "allow all" group alongside a locked-down group opens the resource up.

An SG can reference other SG IDs in its list of rules, allowing you to abstract away subnet CIDR ranges in favour of SG IDs. If a rule ALLOWs a connection from an SG ID, then any resource with that SG attached is allowed to connect to the protected resource on the specified ports and protocols, even if it lives in a subnet whose CIDR is not mentioned anywhere. One caveat to keep in mind: a group reference is resolved to the private IP addresses of the network interfaces that carry the referenced group, so traffic that arrives via a public or Elastic IP address does not match it.
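The following Python model is an added example, not code from the original page and not an AWS API; it simulates how the pooled rules of every attached security group are evaluated (any matching ALLOW admits the packet, nothing else can deny it) and how a rule that names another SG ID is resolved to the private IPs of that group's members. The group IDs, rules and IP addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed example data, not real AWS resources. Each security group maps
# to its inbound rules: (protocol, from_port, to_port, source). A source is
# either a CIDR or another security group id (the "sg-" prefix marks a group
# reference).
SG_RULES = {
    "sg-db": [
        ("tcp", 5432, 5432, "sg-app"),        # only the app tier may reach Postgres
    ],
    "sg-ssh-office": [
        ("tcp", 22, 22, "198.51.100.0/24"),   # SSH from the office range
    ],
    "sg-app": [
        ("tcp", 443, 443, "0.0.0.0/0"),
    ],
    "sg-open-all": [
        ("tcp", 0, 65535, "0.0.0.0/0"),       # the kind of group that undoes everything else
    ],
}

# Security group id -> private IPs of the network interfaces it is attached to.
# AWS resolves a group reference to the *private* addresses of those ENIs, so
# traffic that arrives via a public or Elastic IP never matches a group reference.
SG_MEMBERS = {
    "sg-app": {"10.0.1.5", "10.0.1.7"},
    "sg-db": {"10.0.2.10"},
    "sg-ssh-office": {"10.0.2.10"},
}


def rule_matches(rule, protocol, port, src_ip):
    """True if one inbound rule admits a packet with this protocol/port/source."""
    proto, lo, hi, source = rule
    if proto != protocol or not (lo <= port <= hi):
        return False
    if source.startswith("sg-"):
        # Group reference: match on membership, not on subnet CIDR.
        return src_ip in SG_MEMBERS.get(source, set())
    return ip_address(src_ip) in ip_network(source)


def sg_allows(attached, protocol, port, src_ip):
    """Evaluate the pooled rules of all attached groups.

    There is no DENY rule type: a single matching ALLOW from any group admits
    the packet, and if nothing matches the implicit deny applies. Group order
    is irrelevant, so a restrictive group cannot override a permissive one.
    """
    pooled = [rule for sg in attached for rule in SG_RULES[sg]]
    return any(rule_matches(rule, protocol, port, src_ip) for rule in pooled)


if __name__ == "__main__":
    db_tier = ["sg-db", "sg-ssh-office"]
    # App-tier ENI reaching Postgres: admitted through the sg-app reference.
    print(sg_allows(db_tier, "tcp", 5432, "10.0.1.5"))
    # Same subnet, but this ENI does not carry sg-app: implicit deny.
    print(sg_allows(db_tier, "tcp", 5432, "10.0.1.6"))
    # Office SSH admitted by the second attached group.
    print(sg_allows(db_tier, "tcp", 22, "198.51.100.9"))
    # No rule for SSH from the app tier: implicit deny.
    print(sg_allows(db_tier, "tcp", 22, "10.0.1.5"))
    # Attaching a wide-open group alongside sg-db: sg-db cannot veto it.
    print(sg_allows(["sg-db", "sg-open-all"], "tcp", 5432, "10.0.1.6"))
```

The last call is the case worth remembering during an assessment: when reviewing a resource's effective exposure, list every attached group and take the union of their rules, because the most permissive rule wins regardless of which group it came from.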

Network Access Control Lists (NACL)

Network ACLs are stateless firewalls that we associate with subnets. They act as a barrier at the subnet boundary, defining which inbound and outbound traffic may cross it. Because they sit at the boundary, they do not filter traffic between two resources inside the same subnet; only SGs apply there.

NACLs are stateless, so return traffic is not tracked: you must define an ALLOW rule in each direction for a connection to complete. The complication is that the client's source port is not known when the rules are written, since it is picked from the ephemeral range at connection time. The usual compromises are an outbound ALLOW for the ephemeral port range (1024-65535) towards the client CIDRs, or, more commonly in practice, simply permitting all outbound traffic to particular CIDR ranges.

A subnet can have only one (1) NACL associated with it, although a single NACL may be associated with many subnets. A subnet that has not been explicitly associated with a NACL uses the VPC's default NACL, which allows all inbound and outbound traffic.

NACL rules can be either ALLOW or DENY. This makes NACLs the layer at which you can explicitly block traffic, for example a known-bad CIDR range, which an SG cannot express.

NACL rules are numbered, and the number is the order in which rules are evaluated: lowest number first, and the first rule that matches the traffic decides. Once a match is found, no later rule is consulted. Every NACL ends with a catch-all `*` rule that DENYs anything no numbered rule matched. This lets you prioritise the rules that matter to you, typically placing a specific DENY at a lower number than a broad ALLOW so the DENY is reached first; the same DENY numbered above the ALLOW would never be evaluated.
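To make the two NACL behaviours above concrete (stateless return traffic, and ordered first-match evaluation with explicit DENY), here is an added Python model; it is not code from the original page and does not call AWS. The rule numbers, CIDRs and ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed example, not a real AWS configuration.
# Rule layout: (rule number, protocol, from_port, to_port, cidr, action).
EPHEMERAL = (1024, 65535)

INBOUND = [
    (90,  "tcp", 443, 443, "203.0.113.0/24", "deny"),    # block one abusive range first
    (100, "tcp", 443, 443, "0.0.0.0/0",      "allow"),   # then HTTPS from anywhere
    (200, "tcp", 22,  22,  "198.51.100.0/24", "allow"),  # SSH from the office range
]

# Same rules, but the DENY is numbered above the ALLOW. It is never reached.
INBOUND_MISORDERED = [
    (110, "tcp", 443, 443, "203.0.113.0/24", "deny"),
    (100, "tcp", 443, 443, "0.0.0.0/0",      "allow"),
    (200, "tcp", 22,  22,  "198.51.100.0/24", "allow"),
]

OUTBOUND = [
    # Stateless: the SYN-ACK back to the client's ephemeral port needs its own rule.
    (100, "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow"),
]


def evaluate(rules, protocol, port, ip):
    """Walk the rules in ascending number; the first match decides.

    Returns (action, rule_number). If nothing matches, the catch-all "*"
    rule denies the packet.
    """
    for number, proto, lo, hi, cidr, action in sorted(rules):
        if proto == protocol and lo <= port <= hi and ip_address(ip) in ip_network(cidr):
            return action, number
    return "deny", "*"


def tcp_connection(client_ip, client_port, server_port,
                   inbound=INBOUND, outbound=OUTBOUND):
    """Check both legs of a TCP connection entering the subnet.

    The client's SYN is checked against the inbound rules on the server port.
    The server's SYN-ACK leaving the subnet is checked against the outbound
    rules on the client's ephemeral port. The connection only works if both
    legs are allowed, because a NACL keeps no connection state.
    """
    inbound_action, _ = evaluate(inbound, "tcp", server_port, client_ip)
    outbound_action, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return inbound_action == "allow" and outbound_action == "allow"


if __name__ == "__main__":
    # Ordinary client: inbound 100 allows, outbound 100 allows the return leg.
    print(tcp_connection("192.0.2.50", 51234, 443))
    # Client in the blocked range: rule 90 denies before rule 100 is reached.
    print(tcp_connection("203.0.113.10", 51234, 443))
    # Same client against the misordered list: rule 100 allows, 110 never runs.
    print(tcp_connection("203.0.113.10", 51234, 443, inbound=INBOUND_MISORDERED))
    # Forgetting the outbound ephemeral rule: SYN gets in, SYN-ACK never gets out.
    print(tcp_connection("192.0.2.50", 51234, 443, outbound=[]))
    # Nothing matches UDP/53: the "*" catch-all denies.
    print(evaluate(INBOUND, "udp", 53, "192.0.2.50"))
```

When auditing a NACL, read the rules in number order and stop at the first match for the traffic you care about, exactly as `evaluate` does; a DENY that appears in the list is only effective if every ALLOW that would also match carries a higher number.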