6
Nov
AWS Security Groups and NACL
AWS Security includes a set of attributes, tools, or features that make the public cloud service provider Amazon Web Services (AWS) safe. Security groups and the Network Access Control List (NACL) are two widely used tools.
A security group in AWS manages traffic to and from an EC2 instance using a set of inbound and outbound rules. This indicates it defines instance-level security. An inbound rule, for example, may permit traffic from a single IP address to access the instance, whereas an outbound rule may permit all traffic to leave the instance. Because security groups operate at the VPC instance level, each security group can be applied to one or more instances, also through subnets Furthermore, each instance must be linked to one or more security groups. To be more specific, a security group is linked with a network interface that is affixed to an instance. AWS automatically creates a default security group for you when you create a VPC. A default security group’s rules can be added and removed, but the security group itself cannot be deleted. VPC is an abbreviation for Virtual Private Cloud, which can be thought of as a container for data storage.
The Network Access Control List, or NACL, is a security feature of the Amazon Web Services stack. NACL contributes to the security of vpcs and subnets by acting as a firewall. It contributes to the provision of a security layer that regulates and effectively handles the traffic that travels around the subnets. It is a selectable layer for VPC that adds another security layer to the Amazon service. A network ACL (or NACL) in AWS regulates traffic to or from a subnet based on a set of inbound and outbound rules. This means it protects the network at the network level. An inbound rule, for example, might deny incoming traffic from a specific IP address range, whereas an outbound rule might allow it to leave the subnet. Because NACLs operate at the VPC subnet level, each NACL can be utilized to one or more subnets, but each subnet must be linked with one and only one NACL. AWS creates a default NACL for you when you create a VPC. A default NACL can have rules added and removed, but it cannot be deleted.
Network Access Control List (NACL) components #
- Rule number: Each rule is allotted a unique number. The priority of the rule is determined by the number assigned to it as well. This rule is implemented to the request when it matches a specific request or traffic, regardless of whether another high-numbered rule disproves it or not.
- Rules are formed with particular increments, such as the difference between two rules being either 1, 10, or 100, and all rules created to have the same difference.
- Type: This indicates the type of traffic, such as SSH, HTTP, or HTTPS.
- Procedure: A protocol is a set of rules that are applied to each request, such as HTTP, HTTPS, ICMP, and SSH.
- Port range: Port 80 is linked with the listening port, which receives user requests such as HTTP.
- Inbound rules: also referred to as the source. These rules discuss the origin of the requestor traffic as well as the destination port/port through which the response is sent.
- Outbound rules: Also referred to as a destination. These rules specify where the response should be sent as well as the destination port.
- Allow/Deny: Whether or not a specific type of traffic must be allowed or denied.
Types of NACL #
- Customized NACL: It is also known as a user-defined NACL, and its default behavior is to deny all incoming and outgoing traffic until a rule to handle the traffic is added.
- Default NACL: This is the inverse of customized NACL, which allows all network traffic to flow in and out. It also includes a specific rule that is associated with a rule number and cannot be changed or deleted. Access to the request is denied if it does not match the associated rule. Changes to the subnets associated with a rule are automatically applied when it is added or removed.
Consider the following use case:
When a website needs to be accessed, the user’s request must be routed to the correct port, and the website must access the database and, after extracting the necessary data, return a response to the user. The VPC includes a default NACL that applies to IPv4 traffic. A custom NACL that is associated with a subnet can be created. The default behavior of this customized NACL is to deny incoming and outgoing IPv4 traffic. It must follow specific rules to respond appropriately when a request is received. Various subnets can be bound with a single NACL, but only one subnet can be bound with a single NACL at a time. Security groups and network access control lists (NACLs) are features of Amazon Web Services. Both resource types serve as virtual firewalls to protect your network and share some characteristics. To control traffic to and from resources in a VPC, security groups and NACLs, for example, use sets of inbound and outbound rules. However, security groups and NACLs operate at different layers in the VPC, have slightly different default rules, and do not handle response traffic in the same way. So, which is better for network security: security groups or NACLs? To secure your network, the best solution is to use both resource types. Layers of security are at the heart of defense in depth; security groups and NACLs are two layers that support each other.
Security Groups or NACL #
You can assuredly protect your VPC using only security groups. Because instances necessitate security groups, you’ll be utilizing them after all, so set them up accordingly. Because security groups and NACLs share so many similarities, you can achieve the same results with either. However, to practice defense-in-depth, it is best to use both resource types as virtual firewalls. If their rules are configured correctly, they form a very efficient combination for filtering traffic to and from your instances. When traffic enters your network, it is first filtered by NACLs and then by security groups. This means that traffic authorized by an NACL can then be allowed or denied by a security group, whereas traffic stopped by an NACL never makes it further. As previously stated, security groups operate at the instance level, whereas NACLs operate at the subnet level.
Security groups are a necessary form of protection for instances because each instance must be linked with at least one security group. You can’t start an instance without one, and you can’t eliminate the only remaining security group from an established instance. A specific security group, on the other hand, only relates to an instance if a user knowingly links it with it, whether at launch time or after the instance has been created. An NACL, on the other hand, applies to all instances in the subnet with which it is linked by default. When combined with security groups, this improves security. For example, if a user inadvertently links the instance with an excessively permissive security group, the instance can still be kept safe by the NACL. NACL is regarded as an optional form of defense. An NACL is required for a subnet, but by default, an NACL is designed to allow all traffic in and out. Security groups, on the other hand, are always locked down.
Inbound and outbound rules #
Inbound and outbound rules exist for both security groups and NACLs. AWS, on the other hand, assesses all rules for all security groups linked with an instance before evaluating if to allow traffic in or out. Inbound rules govern incoming traffic to your instance, while outbound rules govern incoming traffic from your instance. You can define one or more security groups when launching an instance.
Allow vs. Deny rules #
Because security group rules are implicitly to deny, all traffic is denied unless explicitly allowed by an inbound or outbound rule. You can only add and remove “allow” rules; there is no need to add or remove “deny” rules. NACLs, on the other hand, allow you to add and remove “allow” and “deny” rules. Corresponding traffic may be definitively allowed or denied by an inbound or outbound rule.
An NACL, unlike a security group, is stateless, which means it does not monitor the state of connections passing through it. This is analogous to the network access control list (NACL) on a traditional switch or router. Because of the NACL’s statelessness, each one is preconfigured with rules that allow all inbound and outbound traffic, as discussed in this article.
