AWS security

AWS Security Groups and NACL

AWS Security includes a set of attributes, tools, or features that make the public cloud service provider Amazon Web Services (AWS) safe. Security groups and the Network Access Control List (NACL) are two widely used tools.

A security group in AWS manages traffic to and from an EC2 instance using a set of inbound and outbound rules, so it defines instance-level security. An inbound rule, for example, may permit traffic from a single IP address to reach the instance, whereas an outbound rule may permit all traffic to leave the instance. Because security groups operate at the VPC instance level, each security group can be applied to one or more instances, including instances in different subnets. Furthermore, each instance must be linked to one or more security groups. To be more specific, a security group is linked with a network interface that is attached to an instance. AWS automatically creates a default security group for you when you create a VPC. Rules can be added to and removed from a default security group, but the security group itself cannot be deleted. VPC is an abbreviation for Virtual Private Cloud, a logically isolated virtual network that acts as a container for your AWS resources.

The Network Access Control List, or NACL, is a security feature of the Amazon Web Services stack. An NACL contributes to the security of VPCs and subnets by acting as a firewall: it provides a security layer that regulates the traffic that travels between subnets. It is an optional layer for a VPC that adds another level of security to the Amazon service. A network ACL in AWS regulates traffic to or from a subnet based on a set of inbound and outbound rules, which means it protects the network at the subnet level. An inbound rule, for example, might deny incoming traffic from a specific IP address range, whereas an outbound rule might allow traffic to leave the subnet. Because NACLs operate at the VPC subnet level, each NACL can be associated with one or more subnets, but each subnet must be associated with one and only one NACL. AWS creates a default NACL for you when you create a VPC. Rules can be added to and removed from a default NACL, but it cannot be deleted.

Network Access Control List (NACL) components

  • Rule number: Each rule is allotted a unique number, which also determines its priority. Rules are evaluated in ascending order, and the first rule that matches a request is applied, regardless of whether a higher-numbered rule would contradict it.
  • Rules are created with a regular increment, for example a difference of 1, 10, or 100 between consecutive rule numbers, and all rules are created with the same difference so that new rules can be inserted later.
  • Type: This indicates the type of traffic, such as SSH, HTTP, or HTTPS.
  • Protocol: A protocol is the set of rules applied to each request, such as HTTP, HTTPS, ICMP, and SSH.
  • Port range: The port on which the service listens; port 80, for example, is the listening port that receives HTTP requests.
  • Inbound rules: Also referred to as the source. These rules specify the origin of the request or traffic as well as the destination port through which the response is sent.
  • Outbound rules: Also referred to as the destination. These rules specify where the response should be sent as well as the destination port.
  • Allow/Deny: Whether a specific type of traffic must be allowed or denied.

Types of NACL

  1. Customized NACL: Also known as a user-defined NACL; its default behavior is to deny all incoming and outgoing traffic until a rule to handle the traffic is added.
  2. Default NACL: This is the inverse of a customized NACL: it allows all network traffic to flow in and out. It also includes a specific catch-all rule, identified by a rule number that cannot be changed or deleted; a request that matches no other rule is denied by it. When a rule is added or removed, the change is automatically applied to the subnets associated with the NACL.

Consider the following use case:

When a website needs to be accessed, the user's request must be routed to the correct port, and the website must access the database and, after extracting the necessary data, return a response to the user. The VPC includes a default NACL that applies to IPv4 traffic. A custom NACL that is associated with a subnet can be created. The default behavior of this customized NACL is to deny incoming and outgoing IPv4 traffic, so it needs specific rules in order to respond appropriately when a request is received. Various subnets can be bound to a single NACL, but a subnet can be bound to only one NACL at a time. Security groups and network access control lists (NACLs) are features of Amazon Web Services. Both resource types serve as virtual firewalls to protect your network and share some characteristics. To control traffic to and from resources in a VPC, for example, both security groups and NACLs use sets of inbound and outbound rules. However, security groups and NACLs operate at different layers in the VPC, have slightly different default rules, and do not handle response traffic in the same way. So, which is better for network security: security groups or NACLs? To secure your network, the best solution is to use both resource types. Layers of security are at the heart of defense in depth; security groups and NACLs are two layers that support each other.

Security Groups or NACL

You can certainly protect your VPC using only security groups. Because instances require security groups, you will be using them anyway, so set them up carefully. Because security groups and NACLs share so many similarities, you can achieve the same results with either. However, to practice defense in depth, it is best to use both resource types as virtual firewalls. If their rules are configured correctly, they form a very effective combination for filtering traffic to and from your instances. When traffic enters your network, it is first filtered by NACLs and then by security groups. This means that traffic authorized by an NACL can then be allowed or denied by a security group, whereas traffic stopped by an NACL never makes it further. As previously stated, security groups operate at the instance level, whereas NACLs operate at the subnet level.

Security groups are a mandatory form of protection for instances because each instance must be linked with at least one security group. You cannot launch an instance without one, and you cannot remove the last remaining security group from an existing instance. A specific security group, on the other hand, only applies to an instance if a user deliberately links it to the instance, whether at launch time or after the instance has been created. An NACL, by contrast, applies by default to all instances in the subnet with which it is associated. Combined with security groups, this improves security: if a user inadvertently links an instance with an excessively permissive security group, the instance can still be protected by the NACL. An NACL is regarded as an optional form of defense. Every subnet must have an NACL, but by default an NACL is designed to allow all traffic in and out. Security groups, on the other hand, are always locked down by default.
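The "excessively permissive security group" case above is the one most worth catching early. The following script is an added example (not AWS or boto3 code) that audits inbound security-group rules for access open to the whole internet. It works on the dictionary shape that boto3's EC2 `describe_security_groups` call returns (`SecurityGroups` -> `IpPermissions` -> `IpRanges` / `Ipv6Ranges`), so the constructed `SAMPLE_RESPONSE` stands in for a live call; the `SENSITIVE_PORTS` baseline and the group IDs are assumptions made for the example.

```python
"""Audit security-group inbound rules for world-open access.

Added example, not AWS or boto3 code.  It consumes the dictionary shape that
boto3's EC2 describe_security_groups call returns (SecurityGroups ->
IpPermissions -> IpRanges / Ipv6Ranges), so the constructed SAMPLE_RESPONSE
below stands in for a live call.  The SENSITIVE_PORTS baseline is an
assumption for the example.
"""
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}   # assumed baseline, adjust to taste


def port_span(perm: dict):
    """Port range an IpPermissions entry covers.  IpProtocol '-1' means all
    protocols and ports and carries no FromPort/ToPort keys."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    low = perm.get("FromPort", 0)
    return low, perm.get("ToPort", low)


def find_world_open_rules(response: dict) -> List[Dict]:
    """Return one finding per inbound rule reachable from 0.0.0.0/0 or ::/0 that
    either opens all traffic or covers a sensitive port."""
    findings = []
    for group in response.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = sorted(c for c in cidrs if c in WORLD_CIDRS)
            if not world:
                continue
            low, high = port_span(perm)
            exposed = [name for port, name in SENSITIVE_PORTS.items() if low <= port <= high]
            all_traffic = perm.get("IpProtocol") == "-1"
            if not (all_traffic or exposed):
                continue        # e.g. 443 open to the world is expected for a web tier
            findings.append({
                "group_id": group["GroupId"],
                "group_name": group.get("GroupName", ""),
                "protocol": perm.get("IpProtocol"),
                "ports": (low, high),
                "sources": world,
                "exposed": ["all traffic"] if all_traffic else exposed,
                "severity": "critical" if all_traffic else "high",
            })
    return findings


# Constructed sample, shaped like a describe_security_groups response.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaaa0000000000a1", "GroupName": "web-tier",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbbb0000000000b2", "GroupName": "bastion-oops",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0cccc0000000000c3", "GroupName": "db-tier",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
             {"IpProtocol": "-1", "IpRanges": [],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
}


if __name__ == "__main__":
    # Live use (needs credentials): response = boto3.client("ec2").describe_security_groups()
    for f in find_world_open_rules(SAMPLE_RESPONSE):
        print(f"[{f['severity']}] {f['group_id']} ({f['group_name']}): "
              f"{f['protocol']} {f['ports']} from {f['sources']} exposes {f['exposed']}")
```

The web tier's 443-from-anywhere rule is deliberately not flagged, since the check targets what is usually a mistake (administrative and database ports, or all traffic) rather than every world-reachable rule; the IPv6 `::/0` case is handled separately from `0.0.0.0/0` because consoles and reviewers often overlook it.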

Inbound and outbound rules

Inbound and outbound rules exist for both security groups and NACLs. For security groups, AWS evaluates all rules from all security groups linked with an instance before deciding whether to allow traffic in or out. Inbound rules govern incoming traffic to your instance, while outbound rules govern outgoing traffic from your instance. You can specify one or more security groups when launching an instance.

Allow vs. Deny rules

Because security group rules are implicitly deny, all traffic is denied unless explicitly allowed by an inbound or outbound rule. You can only add and remove "allow" rules; there are no "deny" rules to add or remove. NACLs, on the other hand, let you add and remove both "allow" and "deny" rules, so an inbound or outbound rule can explicitly allow or deny the corresponding traffic.

An NACL, unlike a security group, is stateless, which means it does not track the state of connections passing through it. This is analogous to the access control list on a traditional switch or router. Because of this statelessness, the default NACL is preconfigured with rules that allow all inbound and outbound traffic, as noted earlier in this article.
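The rule-number ordering described under "NACL components", the allow-only versus allow/deny difference, and the stateless/stateful contrast in the last two sections are easier to reason about with a small evaluator. The following is an added example (not AWS code) that simulates the behaviour the article describes: NACL rules checked in ascending rule-number order with the first match winning and an implicit `*` deny, security-group allow rules unioned across every attached group and treated statefully, and NACL filtering applied before the security group. All rules, addresses and port numbers are constructed sample data.

```python
"""Rule-evaluation model for AWS NACLs and security groups.

Added example, not AWS code: it simulates the behaviour the article describes
(ascending rule-number evaluation with first match winning and a '*' catch-all
deny for NACLs; allow-only, stateful rules unioned across all attached security
groups; NACL filtering before security-group filtering).  All rules and
addresses below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                  # "tcp", "udp", "icmp" or "-1" for all traffic
    cidr: str                      # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple                   # (from_port, to_port); ignored for icmp / "-1"
    action: str = "allow"          # NACLs use "allow" or "deny"; security groups only "allow"
    number: Optional[int] = None   # NACL rule number; None for security-group rules


def rule_matches(rule: Rule, proto: str, peer_ip: str, port: int) -> bool:
    """Does this rule cover a packet with the given protocol, peer address and port?"""
    if rule.protocol != "-1" and rule.protocol != proto:
        return False
    if ip_address(peer_ip) not in ip_network(rule.cidr):
        return False
    if rule.protocol in ("tcp", "udp"):
        low, high = rule.ports
        return low <= port <= high
    return True


def nacl_decision(rules, proto, peer_ip, port):
    """NACL semantics: rules are checked in ascending rule-number order and the
    first match decides; anything unmatched hits the implicit '*' deny rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, proto, peer_ip, port):
            return rule.action, rule.number
    return "deny", "*"


def security_group_allows(groups, proto, peer_ip, port):
    """Security-group semantics: the allow rules of every attached group are
    unioned; with no matching allow rule the traffic is implicitly denied."""
    return any(rule.action == "allow" and rule_matches(rule, proto, peer_ip, port)
               for group in groups for rule in group)


def connection_permitted(nacl_inbound, nacl_outbound, groups,
                         client_ip, client_port, server_port, proto="tcp"):
    """Walk a client -> instance request and the instance's reply through both
    layers.  Returns (request_ok, reply_ok, trace)."""
    trace = []
    # Layer 1, NACL inbound: source CIDR and destination (service) port.
    action, number = nacl_decision(nacl_inbound, proto, client_ip, server_port)
    trace.append(f"NACL inbound rule {number}: {action}")
    if action == "deny":
        return False, False, trace      # traffic stopped by the NACL never reaches the SG
    # Layer 2, security-group inbound.
    if not security_group_allows(groups, proto, client_ip, server_port):
        trace.append("security group inbound: deny (no matching allow rule)")
        return False, False, trace
    trace.append("security group inbound: allow")
    # Reply path.  The security group is stateful, so the reply to an allowed
    # request is permitted without consulting outbound rules.  The NACL is
    # stateless: the reply (destination = client, destination port = the
    # client's ephemeral port) must match an outbound rule of its own.
    action, number = nacl_decision(nacl_outbound, proto, client_ip, client_port)
    trace.append(f"NACL outbound rule {number} for reply to port {client_port}: {action}")
    return True, action == "allow", trace


# Constructed sample configuration for a web subnet.
NACL_IN = [
    Rule("tcp", "0.0.0.0/0", (443, 443), "allow", 100),
    Rule("tcp", "203.0.113.0/24", (22, 22), "deny", 110),   # block SSH from one range ...
    Rule("tcp", "0.0.0.0/0", (22, 22), "allow", 120),        # ... before allowing it elsewhere
]
# Common mistake: the outbound side lacks the ephemeral-port rule that replies need.
NACL_OUT_BROKEN = [Rule("tcp", "0.0.0.0/0", (443, 443), "allow", 100)]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule("tcp", "0.0.0.0/0", (1024, 65535), "allow", 200)]
WEB_SG = [Rule("tcp", "0.0.0.0/0", (443, 443))]              # allow-only, stateful


if __name__ == "__main__":
    for outbound in (NACL_OUT_BROKEN, NACL_OUT_FIXED):
        req, reply, trace = connection_permitted(NACL_IN, outbound, [WEB_SG],
                                                 "198.51.100.7", 51515, 443)
        print(f"request={req} reply={reply}", *trace, sep="\n  ")
```

Running it shows the two behaviours that trip people up: with `NACL_OUT_BROKEN` the HTTPS request is admitted by both layers but the reply is dropped, because a stateless NACL needs its own outbound rule for the client's ephemeral port, whereas the security group never needed one; and for SSH from `203.0.113.5`, rule 110 denies even though rule 120 would allow, because the lowest-numbered match decides.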