## Network Access Control Lists and Security Groups

![[Pasted image 20240302180859.png]]
_AI-generated image of security in the cloud._

## SGs

- **Purpose**: Virtual firewall for EC2 instances.
- **Scope**: Instance-level (attached to the instance's network interface).
- **Statefulness**: Stateful; responses to allowed traffic are automatically allowed in the other direction.
- **Rules**: Only "allow" rules; anything not explicitly allowed is denied.
- **Defaults**: Deny all inbound, allow all outbound.
- **Change Impact**: Immediate.
- **Evaluation**: All rules are considered together; any matching allow rule permits the traffic.
- **EC2 Integration**: Applied automatically; multiple SGs per instance are allowed, and their rules are combined.
- **Limitations**:
    - Allow rules only (no explicit deny).
    - Up to 5 SGs per EC2 instance, 60 rules per SG.

## NACLs

- **Purpose**: Security for VPC subnets.
- **Scope**: Subnet-level.
- **Statefulness**: Stateless; both directions need explicit rules, including return traffic.
- **Rules**: "Allow" and "deny".
- **Defaults**: Allow all inbound and outbound.
- **Change Impact**: Immediate.
- **Evaluation**: Sequential by rule number, lowest first; the first matching rule decides and later rules are not checked.
- **VPC Integration**: Applied automatically; every subnet is associated with exactly one NACL.
- **Limitations**:
    - 20 rules per NACL (can be increased on request).
    - Stateless complexity: return traffic on ephemeral ports must be allowed explicitly.

## Order of Operations

1. **NACL Inbound Rules** (subnet boundary).
2. **SG Inbound Rules** (instance boundary).
3. **SG Outbound Rules** (return traffic is auto-allowed by statefulness), then **NACL Outbound Rules** (return traffic must match an explicit rule).

## Best Practices

- SGs for dynamic filtering at the instance level.
- NACLs for static filtering at the subnet level.

## Default Settings & Customization

- **Default NACL**: Editable, non-deletable, allows all traffic. Customize it, or create a custom NACL, for subnet-specific traffic control.
- **Default SG**: Editable, non-deletable, with a self-referencing inbound allow (instances in the default SG can reach each other). Use custom SGs for specific control.

## Strategies & Management

- Prefer custom SGs/NACLs for granularity.
- Use the default SG minimally; create custom SGs for broader needs.
- Review rules regularly to maintain security and operational efficiency.
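The order of operations and the stateful/stateless difference are easiest to see by walking one connection through all four steps. The following is an added example, not AWS code and not part of the original note: a small Python model of the evaluation semantics described above (sequential first-match NACLs with an implicit final deny, allow-only SGs where all rules are considered, stateful SG return traffic). The policies, addresses and ports (`WEB_SG`, `GOOD_NACL`, `BAD_NACL`, `BLOCKLIST_NACL`, the `203.0.113.0/24` and `198.51.100.0/24` clients) are constructed for illustration, and the model only covers CIDR and port matching, not SG-to-SG references, ICMP or IPv6.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of SG/NACL evaluation semantics; not AWS code.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"       # SGs only ever carry "allow"; NACLs may also "deny"
    number: Optional[int] = None  # NACL rule number; unused for SG rules


def _matches(rule: Rule, remote_ip: str, port: int, proto: str) -> bool:
    """A rule matches when protocol, port range and the remote CIDR all match."""
    return (rule.proto in ("all", proto)
            and rule.port_from <= port <= rule.port_to
            and ip_address(remote_ip) in ip_network(rule.cidr))


class SecurityGroup:
    """Stateful and allow-only: all rules are considered, any match permits."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound

    @staticmethod
    def permits(rules: List[Rule], remote_ip: str, port: int, proto: str) -> bool:
        return any(_matches(r, remote_ip, port, proto) for r in rules)


class NetworkAcl:
    """Stateless: rules evaluated by ascending number, first match decides,
    no match falls through to the implicit '*' deny."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound

    @staticmethod
    def verdict(rules: List[Rule], remote_ip: str, port: int, proto: str) -> str:
        for r in sorted(rules, key=lambda r: r.number):
            if _matches(r, remote_ip, port, proto):
                return r.action
        return "deny"


def trace_connection(nacl: NetworkAcl, sgs: List[SecurityGroup], request: Packet) -> List[str]:
    """Walk the four steps in order; the last entry is 'ALLOWED' or a 'DROP ...' reason."""
    steps: List[str] = []
    # 1. NACL inbound: match on the client's source CIDR and the request's destination port.
    if nacl.verdict(nacl.inbound, request.src_ip, request.dst_port, request.proto) != "allow":
        return steps + ["DROP at NACL inbound"]
    steps.append("NACL inbound: allow")
    # 2. SG inbound: any one of the instance's SGs allowing the request is enough.
    if not any(sg.permits(sg.inbound, request.src_ip, request.dst_port, request.proto) for sg in sgs):
        return steps + ["DROP at SG inbound"]
    steps.append("SG inbound: allow")
    # 3. SG outbound: stateful, so the response to an allowed request is auto-allowed.
    steps.append("SG outbound: auto-allowed (stateful)")
    # 4. NACL outbound: stateless, so the response is a fresh packet to the client's
    #    ephemeral source port and must match an explicit outbound rule.
    response = Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port, request.proto)
    if nacl.verdict(nacl.outbound, response.dst_ip, response.dst_port, response.proto) != "allow":
        return steps + ["DROP at NACL outbound (return traffic to ephemeral port)"]
    steps.append("NACL outbound: allow")
    return steps + ["ALLOWED"]


# --- constructed sample policies and traffic ---
WEB_SG = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[Rule("all", 0, 65535, "0.0.0.0/0")])

# Correct NACL: HTTPS in, ephemeral port range out for the responses.
GOOD_NACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
                       outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)])

# Common mistake: outbound mirrors the inbound port instead of the ephemeral range.
BAD_NACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
                      outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)])

# Sequential evaluation: a lower-numbered deny for one range wins over the broader allow.
BLOCKLIST_NACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", "deny", 90),
                                     Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
                            outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)])

CLIENT_REQUEST = Packet("203.0.113.5", 51234, "10.0.1.10", 443)
BLOCKED_REQUEST = Packet("198.51.100.7", 40000, "10.0.1.10", 443)

if __name__ == "__main__":
    for name, nacl, pkt in [("good", GOOD_NACL, CLIENT_REQUEST),
                            ("bad", BAD_NACL, CLIENT_REQUEST),
                            ("blocklist", BLOCKLIST_NACL, BLOCKED_REQUEST)]:
        print(f"{name}: " + " | ".join(trace_connection(nacl, [WEB_SG], pkt)))
```

Running it shows why the SG alone is not enough: with `BAD_NACL` the request passes steps 1 to 3 and is dropped only at step 4, because the stateless NACL sees the response as a new packet to port 51234 and has no rule covering the ephemeral range. The `BLOCKLIST_NACL` case shows the other NACL-only capability, an explicit deny that takes effect because its rule number is lower than the allow.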