Security Groups & Network ACLs: The SAA-C03 Guide

In the AWS ecosystem, network security is managed through a layered approach. For the SAA-C03 exam, understanding the distinction between Security Groups (SG) and Network Access Control Lists (NACL) is critical for designing secure, resilient architectures within a Virtual Private Cloud (VPC).

The Analogy: The Hotel Security System

Imagine a high-security hotel:

  • Network ACL (The Perimeter Guard): This is the guard at the main gate. They have a list of everyone allowed in and everyone specifically banned. They check you when you enter AND when you leave. If you are on the “No-Fly” list, you can’t even get to the lobby.
  • Security Group (The Room Key): This is the electronic lock on your specific room door. Once the guard lets you into the hotel, you can only enter your room if you have the specific key. If you open the door to go out, the lock remembers you and lets you back in automatically without re-checking your ID.

Core Concepts & The Well-Architected Framework

Under the Security Pillar of the AWS Well-Architected Framework, AWS emphasizes “Infrastructure Protection.” This involves Defense in Depth—using multiple layers of controls.

What and Why?

  • Security Groups: Act as a virtual firewall for your instances (EC2, RDS, etc.). They control inbound and outbound traffic at the interface level.
  • Network ACLs: Act as a firewall for the subnet. They provide an optional layer of security that acts as a gatekeeper for all traffic entering or leaving the entire subnet.

Comparison Table: SG vs. NACL

| Feature | Security Group (SG) | Network ACL (NACL) |
| --- | --- | --- |
| Level | Instance level (attached to the ENI) | Subnet level |
| State | Stateful (return traffic is allowed automatically) | Stateless (return traffic must be explicitly allowed) |
| Rules | Supports ALLOW rules only | Supports ALLOW and DENY rules |
| Evaluation | All rules are evaluated before a decision (any matching allow wins) | Rules are evaluated in order of rule number, lowest first; the first match wins |
| Default state | Denies all inbound, allows all outbound | Default NACL allows all; custom NACL denies all |

Scenario-Based Learning: Decision Matrix

If/Then Guide for Architects

  • If you need to block a specific malicious IP address… Then use a Network ACL (because SGs don’t support DENY rules).
  • If you want to allow web traffic to an EC2 instance… Then use a Security Group.
  • If you are dealing with ephemeral ports for return traffic… Then remember NACLs require you to open them manually, while SGs handle them automatically (stateful).
  • If you need to apply a rule to 50 instances in different subnets… Then use a Security Group and assign it to those instances.

Exam Tips: Golden Nuggets

  • Stateful vs. Stateless: This is the #1 tested concept. If a connection is allowed inbound by a Security Group, its return traffic is automatically allowed outbound, whatever the outbound rules say. NACLs require two separate rules, one for each direction.
  • The “Deny” Distractor: If an exam question mentions “blocking a specific IP range,” look for “Network ACL” in the answer. Security Groups cannot block specific IPs; they can only “not allow” them.
  • Rule Order: NACLs process rules starting from the lowest number. Once a match is found (Allow or Deny), it stops looking.
  • Default Behavior: A new Security Group has no inbound rules (All Deny) and an “Allow All” outbound rule.
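To make the stateful/stateless distinction and the NACL rule order concrete, here is a small model of both filters. It is an added example written for this guide, not AWS code; the addresses, ports and rule sets are constructed test data (a client talking to a web server at 10.0.1.20:443, with 198.51.100.0/24 as a blocked range), chosen so that the same reply packet passes the Security Group through connection tracking but is dropped by the NACL unless the ephemeral range is opened outbound.

```python
"""Toy model of the two VPC filters, written for this guide as an added example
(not AWS code). Rule sets, addresses and ports are constructed test data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # range the NACL must open outbound for return traffic

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str                  # "tcp", "udp" or "all"
    ports: tuple                # (from_port, to_port)
    action: str = "allow"       # NACLs may also say "deny"; SGs are allow-only
    number: int = 100           # NACL rule number; unused by security groups

    def matches(self, remote_ip, proto, port):
        if ip_address(remote_ip) not in ip_network(self.cidr):
            return False
        if self.proto != "all" and self.proto != proto:
            return False
        return self.ports[0] <= port <= self.ports[1]

class NetworkAcl:
    """Stateless subnet filter: inbound and outbound lists are independent,
    rules are tried lowest number first, the first match decides, and the
    trailing '*' rule denies anything unmatched."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, proto, port):
        for rule in rules:
            if rule.matches(remote_ip, proto, port):
                return rule.action == "allow"
        return False  # implicit deny

    def allows_inbound(self, pkt):   # matched on source address, destination port
        return self._first_match(self.inbound, pkt.src_ip, pkt.proto, pkt.dst_port)

    def allows_outbound(self, pkt):  # matched on destination address and port
        return self._first_match(self.outbound, pkt.dst_ip, pkt.proto, pkt.dst_port)

class SecurityGroup:
    """Stateful ENI filter: no deny rules, every rule is considered (any allow
    wins), and a flow admitted in one direction is tracked so its return
    traffic passes without a rule in the other direction."""
    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()  # 5-tuples of flows admitted so far

    def _check(self, rules, pkt, remote_ip):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._tracked:
            return True  # return traffic of an already-admitted flow
        allowed = any(r.matches(remote_ip, pkt.proto, pkt.dst_port) for r in rules)
        if allowed:
            self._tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return allowed

    def allows_inbound(self, pkt):
        return self._check(self.inbound, pkt, pkt.src_ip)

    def allows_outbound(self, pkt):
        return self._check(self.outbound, pkt, pkt.dst_ip)

def simulate(client_ip, nacl_opens_ephemeral):
    """Client -> web server 10.0.1.20:443 (constructed). Returns (request_allowed, reply_allowed)."""
    nacl_out = [Rule("0.0.0.0/0", "tcp", (443, 443), number=100)]
    if nacl_opens_ephemeral:
        nacl_out.append(Rule("0.0.0.0/0", "tcp", EPHEMERAL, number=110))
    nacl = NetworkAcl(
        inbound=[Rule("198.51.100.0/24", "all", (0, 65535), action="deny", number=50),  # blocked range
                 Rule("0.0.0.0/0", "tcp", (443, 443), number=100)],
        outbound=nacl_out)
    # SG outbound only allows HTTPS egress; replies on ephemeral ports rely on state tracking
    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", "tcp", (443, 443))],
                       outbound=[Rule("0.0.0.0/0", "tcp", (443, 443))])
    request = Packet(client_ip, "10.0.1.20", "tcp", 51515, 443)
    reply = Packet("10.0.1.20", client_ip, "tcp", 443, 51515)
    request_ok = nacl.allows_inbound(request) and sg.allows_inbound(request)
    if not request_ok:
        return False, False  # the server never sees the request, so it never replies
    reply_ok = sg.allows_outbound(reply) and nacl.allows_outbound(reply)
    return request_ok, reply_ok

if __name__ == "__main__":
    print(simulate("203.0.113.10", True))    # (True, True)
    print(simulate("203.0.113.10", False))   # (True, False): NACL drops the reply
    print(simulate("198.51.100.5", True))    # (False, False): deny rule 50 wins over allow rule 100
```

Note the two design points the model makes visible: the NACL deny at rule number 50 is matched before the allow at 100 because evaluation is by rule number and stops at the first match, and the Security Group passes the reply on port 51515 even though its outbound rules only permit port 443, because the inbound request was tracked.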

Visualizing VPC Traffic Flow

Internet → Network ACL (subnet, stateless filter) → Security Group (ENI, stateful filter) → EC2 Instance

Key Services

VPC: The foundation for both.

EC2: Primary user of SGs.

AWS WAF: Used for Layer 7 (HTTP) protection, whereas SG/NACL focus on Layers 3 & 4.

Common Pitfalls

Ephemeral Ports: Forgetting to open ports 1024-65535 in NACLs for return traffic.

Rule Limits: SGs have a quota on the number of rules (default 60 inbound and 60 outbound rules per group).

Quick Patterns

Web Tier: Allow 80/443 inbound in the SG. The NACL allows 80/443 inbound plus the ephemeral port range outbound.

DB Tier: Only allow traffic from the Web Tier SG (Referencing SG by ID).
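The two Quick Patterns and the ephemeral-port pitfall are easy to audit once the rules are in hand. The following is an added example for this guide, not AWS code: two check functions that walk dicts shaped like the EC2 API's describe_security_groups and describe_network_acls responses (field names such as IpPermissions, UserIdGroupPairs, Entries, RuleNumber and PortRange are the API's own). The sample groups and ACLs are constructed, not captured from a real account, and the group and ACL IDs are placeholders.

```python
"""Audit helpers for the DB-tier SG pattern and the NACL ephemeral-port pitfall.
Added example for this guide (not AWS code); sample data below is constructed."""

EPHEMERAL = (1024, 65535)

# Constructed sample: a web SG, a DB SG that references the web SG by ID (the
# pattern), and a legacy DB SG that opens the DB port to a CIDR instead (a finding).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0web0000", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0db00000", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web0000"}]}]},
    {"GroupId": "sg-0legacy0", "GroupName": "db-tier-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]

def _entry(number, proto, action, egress, ports=None):
    """Build one NACL entry in API shape; protocol "-1" (all) carries no PortRange."""
    e = {"RuleNumber": number, "Protocol": proto, "RuleAction": action,
         "Egress": egress, "CidrBlock": "0.0.0.0/0"}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e

# Constructed sample: one NACL with the ephemeral egress rule, one without it.
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-0good000", "Entries": [
        _entry(100, "6", "allow", False, (443, 443)),
        _entry(100, "6", "allow", True, (443, 443)),
        _entry(110, "6", "allow", True, EPHEMERAL),
        _entry(32767, "-1", "deny", True)]},
    {"NetworkAclId": "acl-0bad0000", "Entries": [
        _entry(100, "6", "allow", False, (443, 443)),
        _entry(100, "6", "allow", True, (443, 443)),  # replies to ephemeral ports hit the '*' deny
        _entry(32767, "-1", "deny", True)]},
]

def db_ports_open_to_cidr(security_groups, db_ports=(3306, 5432, 1433)):
    """DB-tier pattern check: a database port should be reachable only from
    another security group (UserIdGroupPairs), never from a CIDR range.
    Returns (GroupId, port, cidr) for every violation."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" has no ports
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in db_ports:
                if lo <= port <= hi:
                    findings.extend((sg["GroupId"], port, c) for c in cidrs)
    return findings

def nacls_missing_ephemeral_egress(nacls, ephemeral=EPHEMERAL):
    """Ephemeral-port pitfall check. Walks egress entries lowest rule number
    first and reports NACLs whose first TCP (or all-protocol) rule covering the
    whole ephemeral range is not an allow, or that have no such rule.
    Heuristic: partial overlaps and CIDR scope are not modelled."""
    missing = []
    for acl in nacls:
        egress = sorted((e for e in acl["Entries"] if e["Egress"]),
                        key=lambda e: e["RuleNumber"])
        covered = False
        for e in egress:
            if e["Protocol"] not in ("-1", "6"):
                continue
            pr = e.get("PortRange", {"From": 0, "To": 65535})
            if pr["From"] <= ephemeral[0] and pr["To"] >= ephemeral[1]:
                covered = e["RuleAction"] == "allow"
                break
        if not covered:
            missing.append(acl["NetworkAclId"])
    return missing

if __name__ == "__main__":
    print(db_ports_open_to_cidr(SAMPLE_SECURITY_GROUPS))   # [('sg-0legacy0', 3306, '10.0.0.0/16')]
    print(nacls_missing_ephemeral_egress(SAMPLE_NACLS))    # ['acl-0bad0000']
```

Against real data you would feed these functions the SecurityGroups and NetworkAcls lists returned by the two describe calls; the checks only look at rule shape, so they run the same way on the constructed sample.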
