Mastering AWS Network Security: Security Groups and Network ACLs
Specifying inbound and outbound network flows by using security group rules and network ACL rules
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between stateful and stateless traffic filtering mechanisms in AWS.
- Configure Security Group (SG) rules to enforce the principle of least privilege at the resource level.
- Implement Network Access Control Lists (NACLs) to provide a secondary layer of perimeter security at the subnet level.
- Analyze complex traffic flows to determine where packets are being allowed or dropped.
- Design a defense-in-depth architecture using subnets, route tables, and firewalls.
Key Terms & Glossary
- Security Group (SG): A virtual firewall that acts at the instance level (e.g., EC2, RDS) to control inbound and outbound traffic.
- Network ACL (NACL): An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- Stateful: A firewall property where if a request is allowed in, the response is automatically allowed out regardless of outbound rules (and vice versa).
- Stateless: A firewall property that does not track the state of connections; outbound response traffic must be explicitly allowed by a rule.
- Ephemeral Ports: Short-lived transport protocol ports used for TCP/UDP/SCTP communications, typically ranging from 1024–65535.
The "Big Idea"
In a cloud environment, location-based trust is insufficient. AWS network security relies on Defense in Depth. While Security Groups provide granular, resource-specific protection (the "Inner Guard"), Network ACLs provide a broad perimeter defense (the "Outer Gate"). Together, they ensure that even if one layer is misconfigured, the other can prevent unauthorized access, adhering to the Zero Trust model where no interaction is implicitly trusted.
Formula / Concept Box
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Layer of Operation | Instance level (ENI) | Subnet level |
| State | Stateful | Stateless |
| Rule Support | Allow rules only | Allow and Deny rules |
| Rule Evaluation | All rules evaluated before decision | Rules evaluated in number order |
| Application | Applied to a resource | Applied to a subnet |
Hierarchical Outline
- VPC Infrastructure Foundation
- Regional Scope: VPCs span all Availability Zones in a region.
- Subnets: AZ-specific partitions; used to isolate resources (Public vs. Private).
- Network Access Control Lists (NACLs)
- Perimeter Security: Acts as a gatekeeper for the entire subnet.
- Stateless Nature: Requires explicit rules for both Request and Response traffic.
- Default Behavior: Default NACL allows all traffic; custom NACLs deny all traffic until rules are added.
- Security Groups (SGs)
- Micro-segmentation: Protects individual instances or ENIs.
- Stateful Nature: Response traffic is tracked and automatically permitted.
- Referential Rules: Can use other Security Groups as a source/destination (Logical grouping).
Visual Anchors
Traffic Filtering Flow
Network Layering Diagram
\begin{tikzpicture}[node distance=2cm, every node/.style={font=\small}]
% VPC and subnet boundaries
\draw[thick, dashed] (0,0) rectangle (8,5) node[pos=0.9, above] {VPC};
\draw[fill=blue!10] (0.5,0.5) rectangle (7.5,4) node[pos=0.8, above] {Subnet};
% NACL at the subnet edge
\draw[fill=red!20] (0.2,2) rectangle (0.8,3) node[midway, rotate=90] {NACL};
% Instances, each wrapped in its own Security Group
\draw[fill=gray!20] (2,1.5) rectangle (3.5,3) node[midway] {EC2};
\draw[fill=orange!30] (1.8,1.3) rectangle (3.7,3.2) node[pos=0, below] {Security Group};
\draw[fill=gray!20] (5,1.5) rectangle (6.5,3) node[midway] {RDS};
\draw[fill=orange!30] (4.8,1.3) rectangle (6.7,3.2) node[pos=0, below] {Security Group};
% Inbound traffic line: NACL first, then the Security Group
\draw[->, thick] (-1,2.5) -- (0.2,2.5) node[midway, above] {Inbound};
\draw[->, thick] (0.8,2.5) -- (1.8,2.5);
\end{tikzpicture}
Definition-Example Pairs
- Stateful Filtering: If you allow SSH (Port 22) inbound, the server's response to your client is automatically allowed.
- Example: An administrator connects to a Linux instance via SSH; the SG remembers the connection and lets the server send data back to the admin's PC.
- Stateless Filtering: You must define a rule to let the request in AND a rule to let the response out.
- Example: If a NACL allows traffic on Port 80 (HTTP) inbound, you MUST also add an outbound rule for ports 1024-65535 to allow the web server to send data back to the client's ephemeral port.
- Implicit Deny: Any traffic not explicitly allowed by a rule is dropped.
- Example: If your Security Group only allows Port 443, a request on Port 80 will be discarded immediately.
Worked Examples
Scenario: Securing a 2-Tier Web Application
Requirement: A public-facing Web Server (EC2) needs to talk to a private Database (RDS).
Step 1: Web Security Group (Web-SG)
- Inbound: Allow Port 443 (HTTPS) from 0.0.0.0/0.
- Outbound: Allow Port 3306 (MySQL) to DB-SG (referential rule).
Step 2: Database Security Group (DB-SG)
- Inbound: Allow Port 3306 (MySQL) from Web-SG.
- Outbound: No allow rules, so all outbound traffic is implicitly denied (the database needs no outbound access except for updates).
Step 3: Network ACL (Subnet Level)
- Web Subnet Inbound: Rule 100: Allow Port 443 from 0.0.0.0/0.
- Web Subnet Outbound: Rule 100: Allow Ports 1024-65535 to 0.0.0.0/0 (so responses can return to the clients' ephemeral ports).
Checkpoint Questions
- Why does a custom NACL require an outbound rule for a web server to function, but a Security Group does not?
- You have an application that is not responding to requests. You see the Security Group allows the traffic. What is the next network component you should check?
- What is the main benefit of using a Security Group ID as a source in another Security Group rule rather than an IP address range?
- A packet arrives at a subnet. Which is evaluated first: The NACL or the Security Group?
Muddy Points & Cross-Refs
- The Ephemeral Port Trap: The most common cause of NACL-related failures is forgetting to allow outbound traffic to ephemeral ports (1024-65535). Because NACLs are stateless, they don't know that the outbound packet is a response to a valid inbound request.
- Rule Ordering: In SGs, all rules are aggregated; there is no order. In NACLs, Rule 100 is processed before Rule 200. If Rule 100 is "Deny" and Rule 200 is "Allow," the traffic is denied.
- Cross-Refs: For more on how traffic moves between VPCs, see Transit Gateway (TGW) and VPC Peering modules.
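The following is an added example, not part of this guide and not AWS code: a small Python model of the two evaluation behaviours described above (stateless NACL, numbered rules, first match wins; stateful allow-only Security Group with flow tracking). It replays the 2-tier worked example and the Muddy Points, using constructed IPv4 addresses and assuming the database sits in a separate private subnet, which is why the DB's ephemeral-port reply into the web subnet is not covered by the worked example's inbound rule 100.

```python
from ipaddress import ip_address, ip_network
# Rule = (number, action, target, (low_port, high_port)); target is an IPv4 CIDR or, for a
# referential Security Group rule, the name of another SG. Constructed model, not AWS code.

def _matches(rule, peer_ip, peer_sg, port):
    _, _, target, (low, high) = rule
    if not low <= port <= high:
        return False
    if not target[0].isdigit():                  # referential rule (SG name, not an IPv4 CIDR)
        return target == peer_sg
    return ip_address(peer_ip) in ip_network(target)

def nacl_decision(rules, peer_ip, port):
    """Stateless NACL: lowest-numbered matching rule wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if _matches(rule, peer_ip, None, port):
            return rule[1]
    return "deny"

class SecurityGroup:
    """Stateful and allow-only: any matching rule admits a flow, and its replies follow."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.flows = inbound, outbound, set()
    def _check(self, rules, key, peer_ip, peer_sg, port):
        if key in self.flows: return True        # reply to a flow already admitted
        if any(_matches(r, peer_ip, peer_sg, port) for r in rules):
            self.flows.add(key)
            return True
        return False
    def inbound_ok(self, peer_ip, peer_sg, peer_port, local_port):
        return self._check(self.inbound, (peer_ip, peer_port, local_port), peer_ip, peer_sg, local_port)
    def outbound_ok(self, peer_ip, peer_sg, peer_port, local_port):
        return self._check(self.outbound, (peer_ip, peer_port, local_port), peer_ip, peer_sg, peer_port)

def two_tier_scenario():
    """Replays the Web-SG / DB-SG / NACL rules of the worked example; returns each decision."""
    web_sg = SecurityGroup([(0, "allow", "0.0.0.0/0", (443, 443))], [(0, "allow", "DB-SG", (3306, 3306))])
    db_sg = SecurityGroup([(0, "allow", "Web-SG", (3306, 3306))], [])    # no outbound rules at all
    nacl_in = [(100, "allow", "0.0.0.0/0", (443, 443))]
    nacl_out = [(100, "allow", "0.0.0.0/0", (1024, 65535))]
    client, web, db = "203.0.113.5", "10.0.1.10", "10.0.2.20"           # constructed addresses
    r = {}
    r["request_443"] = nacl_decision(nacl_in, client, 443) == "allow" and web_sg.inbound_ok(client, None, 51000, 443)
    r["reply_to_client"] = web_sg.outbound_ok(client, None, 51000, 443) and nacl_decision(nacl_out, client, 51000) == "allow"
    r["request_80"] = nacl_decision(nacl_in, client, 80)                  # implicit deny: no rule matches
    r["web_to_db"] = web_sg.outbound_ok(db, "DB-SG", 3306, 40000) and db_sg.inbound_ok(web, "Web-SG", 40000, 3306)
    r["db_reply_sg"] = db_sg.outbound_ok(web, "Web-SG", 40000, 3306)     # stateful: allowed with no outbound rule
    r["db_reply_web_subnet_nacl"] = nacl_decision(nacl_in, db, 40000)    # reply on an ephemeral port: not covered
    ordered = [(200, "allow", "0.0.0.0/0", (443, 443)), (100, "deny", "0.0.0.0/0", (443, 443))]
    r["deny_100_beats_allow_200"] = nacl_decision(ordered, client, 443)
    return r
```

Run `two_tier_scenario()` and compare the dictionary against the Checkpoint Questions: the one entry that comes back "deny" for legitimate traffic is the NACL check the Security Group alone would never reveal.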
Comparison Tables
Security Group vs. Network ACL Summary
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance/ENI | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow & Deny |
| Evaluation | Full set evaluated | Numerical order |
| Modification | Immediate effect | Immediate effect |
| Default | Deny All Inbound | Allow All (Default NACL) |