
Mastering AWS Network Security: From Instances to Perimeter

Security (for example, security groups, network ACLs, AWS Network Firewall)


This guide covers the essential security mechanisms within AWS networking, focusing on the layered defense model involving Security Groups, Network ACLs, and the AWS Network Firewall.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between stateful and stateless filtering mechanisms.
  • Design a multi-layered security architecture using Security Groups, NACLs, and AWS Network Firewall.
  • Identify the correct tool (WAF, Shield, or Network Firewall) for specific threat vectors like SQLi or DDoS.
  • Configure and analyze VPC Flow Logs and Traffic Mirroring for auditing purposes.

Key Terms & Glossary

  • Stateful Filtering: A security mechanism that tracks the state of connections. If an inbound request is allowed, the outbound response is automatically allowed, regardless of outbound rules.
  • Stateless Filtering: A mechanism that does not track connection state. Rules must be explicitly defined for both inbound and outbound traffic flows.
  • Ingress/Egress: Traffic entering (ingress) or leaving (egress) a resource or boundary.
  • DDoS (Distributed Denial of Service): A malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
  • PrivateLink: An AWS technology that provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.

The "Big Idea"

Important: Defense in Depth is the core philosophy of AWS Network Security. Security is not a single "door" but a series of checkpoints. You secure the Instance (Security Groups), the Subnet (NACLs), the Web Application (WAF), and the VPC Boundary (Network Firewall). If one layer is bypassed or misconfigured, the others provide redundant protection.

Formula / Concept Box

| Feature     | Security Group (SG)               | Network ACL (NACL)                    |
|-------------|-----------------------------------|---------------------------------------|
| Level       | Instance / ENI                    | Subnet                                |
| State       | Stateful (return traffic allowed) | Stateless (return traffic needs rule) |
| Rule Logic  | Allow rules only (implicit deny)  | Allow and Deny rules                  |
| Processing  | All rules evaluated               | Rules processed in numeric order      |
| Application | Applied to specific resources     | Applied to all resources in subnet    |

Hierarchical Outline

  • I. Resource-Level Security
    • Security Groups (SGs): The first line of defense for EC2 instances.
      • Typical use: Define "trusted" sources (e.g., allow port 80 from the Load Balancer's security group).
  • II. Subnet-Level Security
    • Network Access Control Lists (NACLs): A coarse-grained security layer.
      • Typical use: Block specific CIDR ranges with Deny rules, which SGs cannot express.
  • III. Perimeter & Application Security
    • AWS WAF: Layer 7 protection (HTTP/HTTPS) against web exploits.
    • AWS Shield: Layer 3/4 DDoS protection (Standard is free; Advanced is paid).
    • AWS Network Firewall: High-throughput Layer 3-7 filtering for VPC-to-VPC or VPC-to-Internet traffic.
  • IV. Auditing and Visibility
    • VPC Flow Logs: Metadata about IP traffic.
    • Traffic Mirroring: Deep packet inspection (DPI) by copying ENI traffic to a security appliance.

Visual Anchors

Traffic Evaluation Flow

(Diagram not reproduced; the Layered Defense Architecture figure below shows the same left-to-right evaluation order.)

Layered Defense Architecture

```latex
\begin{tikzpicture}[node distance=1.5cm, every node/.style={draw, rectangle, align=center, rounded corners}]
  % Each checkpoint in the defense-in-depth chain, left to right from the Internet to the instance
  \node (ext)  [fill=red!10]                                  {External\\Traffic};
  \node (waf)  [right of=ext,  xshift=1cm,   fill=orange!20]  {AWS WAF\\(L7 Filter)};
  \node (nfw)  [right of=waf,  xshift=1.5cm, fill=yellow!20]  {Network Firewall\\(Perimeter)};
  \node (nacl) [right of=nfw,  xshift=1.5cm, fill=green!10]   {NACL\\(Subnet)};
  \node (sg)   [right of=nacl, xshift=1.5cm, fill=blue!10]    {Security Group\\(Instance)};

  \draw[->, thick] (ext)  -- (waf);
  \draw[->, thick] (waf)  -- (nfw);
  \draw[->, thick] (nfw)  -- (nacl);
  \draw[->, thick] (nacl) -- (sg);
\end{tikzpicture}
```

Definition-Example Pairs

  • Rule: Security Group Stateful behavior
    • Definition: When you initiate a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
    • Example: If you SSH (Port 22) into an EC2, the return traffic from the EC2 back to your laptop is automatically allowed, even if you have no "Outbound" rules defined for that specific connection.
  • Rule: NACL Stateless behavior
    • Definition: Return traffic must be explicitly allowed by an outbound rule.
    • Example: If you allow inbound traffic on Port 80 in a NACL, you must also allow outbound traffic on ephemeral ports (usually 1024-65535) for the response to reach the client.

Worked Examples

Scenario: The "Invisible" Connection Block

Problem: An EC2 instance in a public subnet cannot be reached via HTTP (Port 80) despite the Security Group having an "Allow All" Inbound rule for Port 80.

Step-by-Step Breakdown:

  1. Check Security Group: Inbound Port 80 is allowed. (Result: OK)
  2. Check NACL Inbound: Rule 100 allows Port 80 from 0.0.0.0/0. (Result: OK)
  3. Check NACL Outbound: Rule 100 allows traffic to 10.0.0.0/16 only. (Result: FAILURE)
  4. Identification: Because NACLs are stateless, the return traffic from the EC2 to the Internet user (source IP outside 10.0.0.0/16) is being dropped at the NACL egress.
  5. Solution: Add an outbound NACL rule to allow traffic to 0.0.0.0/0 on ephemeral ports.
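The scenario above, traced in code as an added example (not part of the original guide): a stateless NACL evaluator that walks rules in numeric order with an implicit final deny, beside a minimal stateful security-group model that lets the reply ride the tracked connection. The rule sets, IPs and ports are constructed to mirror the worked example, not AWS API objects.

```python
import ipaddress

# Constructed NACL rule sets modelling the worked example (not AWS API objects).
# Each rule: (rule_number, action, cidr, port_low, port_high). AWS evaluates NACL
# rules in ascending number order; the first match wins and the implicit "*" rule denies.
NACL_INBOUND = [(100, "allow", "0.0.0.0/0", 80, 80)]
NACL_OUTBOUND_BROKEN = [(100, "allow", "10.0.0.0/16", 1024, 65535)]
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [(110, "allow", "0.0.0.0/0", 1024, 65535)]

def nacl_decision(rules, peer_ip, port):
    """Stateless evaluation: only the packet itself is inspected, never the flow it belongs to."""
    peer = ipaddress.ip_address(peer_ip)
    for number, action, cidr, lo, hi in sorted(rules):
        if peer in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"  # the catch-all "*" rule

class SecurityGroup:
    """Stateful evaluation: an accepted inbound flow registers a connection entry,
    and the reply is matched against that entry rather than against outbound rules."""
    def __init__(self, inbound):
        self.inbound = inbound   # list of (cidr, port) allow rules; SGs have no deny rules
        self.tracked = set()     # (client_ip, client_port) of accepted flows
    def inbound_decision(self, client_ip, client_port, dst_port):
        client = ipaddress.ip_address(client_ip)
        for cidr, port in self.inbound:
            if client in ipaddress.ip_network(cidr) and port == dst_port:
                self.tracked.add((client_ip, client_port))
                return "allow"
        return "deny"
    def outbound_decision(self, client_ip, client_port):
        return "allow" if (client_ip, client_port) in self.tracked else "deny"

def http_round_trip(nacl_out, client_ip="203.0.113.5", client_port=50123):
    """Trace one HTTP request and its reply through NACL and SG; returns the per-hop verdicts."""
    sg = SecurityGroup([("0.0.0.0/0", 80)])
    return {
        "nacl_in": nacl_decision(NACL_INBOUND, client_ip, 80),
        "sg_in": sg.inbound_decision(client_ip, client_port, 80),
        "sg_out": sg.outbound_decision(client_ip, client_port),        # stateful: reply rides the tracked flow
        "nacl_out": nacl_decision(nacl_out, client_ip, client_port),   # stateless: reply needs its own rule
    }

if __name__ == "__main__":
    print("broken:", http_round_trip(NACL_OUTBOUND_BROKEN))
    print("fixed: ", http_round_trip(NACL_OUTBOUND_FIXED))
```

With the broken outbound set the reply to 203.0.113.5 fails only at `nacl_out`; adding rule 110 for 0.0.0.0/0 on 1024-65535 is exactly the fix in step 5.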

Checkpoint Questions

  1. If you need to block a single malicious IP address from hitting your web server, should you use a Security Group or a NACL?
  2. True or False: AWS Network Firewall can perform deep packet inspection (DPI) and filter traffic based on domain names (FQDNs).
  3. Which service provides protection specifically against SQL Injection and Cross-Site Scripting (XSS)?
  4. What is the main difference between VPC Flow Logs and Traffic Mirroring?
Answers
  1. NACL (Security Groups do not support 'Deny' rules).
  2. True.
  3. AWS WAF (Web Application Firewall).
  4. VPC Flow Logs capture metadata (IPs, Ports, Bytes); Traffic Mirroring captures the actual packet payload.

Muddy Points & Cross-Refs

  • Ephemeral Ports: Students often forget that NACLs require these for return traffic. Refer to the OS documentation (Linux uses 32768-60999, Windows uses 49152-65535).
  • Security Group Referencing: You can allow traffic from another Security Group ID instead of an IP range. This is a "Golden Nugget" for auto-scaling environments.
  • WAF vs. Network Firewall: Use WAF for L7 (Web) logic; use Network Firewall for L3-L4 and non-HTTP protocols across the whole VPC.
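To tie the ephemeral-port point to the "analyze VPC Flow Logs" objective, here is an added example (not from the original guide) that parses default-format flow log records and flags flows accepted in one direction whose reply was rejected on the same ENI, the fingerprint of a stateless NACL missing its return-traffic rule. The log lines, account ID and ENI ID are constructed for the example.

```python
from collections import defaultdict

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. All values are made up for this example.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc123de456f7890 203.0.113.5 10.0.1.20 50123 80 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123de456f7890 10.0.1.20 203.0.113.5 80 50123 6 5 1800 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123de456f7890 10.0.1.20 10.0.2.9 80 41000 6 3 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123de456f7890 10.0.2.9 10.0.1.20 41000 80 6 3 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123de456f7890 198.51.100.7 10.0.1.20 60001 22 6 1 60 1700000000 1700000060 REJECT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Turn default-format flow log lines into dicts; skips NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records

def find_blocked_replies(records):
    """Return (client, server, server_port) for flows accepted in one direction
    whose reply in the opposite direction was rejected on the same ENI.
    A stateful security group cannot produce this asymmetry; a stateless NACL
    with no egress rule covering the client's ephemeral port does."""
    verdicts = defaultdict(set)
    for r in records:
        key = (r["interface_id"], r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"])
        verdicts[key].add(r["action"])
    findings = []
    for (eni, src, dst, sport, dport), actions in verdicts.items():
        reverse = verdicts.get((eni, dst, src, dport, sport), set())
        if "ACCEPT" in actions and reverse == {"REJECT"}:
            findings.append((src, dst, int(dport)))
    return findings

if __name__ == "__main__":
    for client, server, port in find_blocked_replies(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{client} -> {server}:{port} was accepted, but the reply was rejected")
```

A lone REJECT with no accepted forward flow (the port 22 line) is an ordinary inbound block and is not reported; flow logs do not say whether an SG or a NACL rejected a packet, so confirm the layer with the rule check from the worked example.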

Comparison Tables

AWS Firewall Services Comparison

| Service          | Primary Layer         | Key Use Case                                       | Scope                   |
|------------------|-----------------------|----------------------------------------------------|-------------------------|
| AWS WAF          | Layer 7 (Application) | Blocking SQLi, XSS, and bad bots.                  | CloudFront, ALB, AppSync |
| AWS Shield       | Layer 3/4 (Network)   | Mitigating volumetric DDoS attacks.                | Global/Regional         |
| Network Firewall | Layer 3 - 7           | Inspecting VPC-to-Internet and VPC-to-VPC traffic. | VPC-wide                |
| DNS Firewall     | Layer 7 (DNS)         | Blocking resolution of known malicious domains.    | Route 53 Resolver       |
