AWS VPC Security Security – Security Group vs NACLs

AWS VPC Security Group vs NACLs
Both Security Groups (NACLS), and Network ACLs, (NACLS), are part of a VPC. They work together to build a layered network defense.
Security groups – Control inbound and outbound traffic at each instance level by acting as a virtual firewall.
Network access control lists (NACLs), which act as firewalls for subnets, control both inbound and external traffic at the subnet-level.
Security Groups
Acts are performed at the Instance level, not at subnet level.
Each instance in a subnet can be assigned its own set of Security Groups
An instance can be assigned five security groups, each group having 50-60 rules.
Separate rules can be set up for both outbound and inbound traffic.
Allows you to add or remove rules (authorizing access or revoking access), for both Inbound (ingress), and Outbound (egress), traffic to the instance. The default security group does not allow external inbound traffic, but allows traffic from instances with the same security groups.
All outbound traffic is allowed by default security group
New Security groups begin with an outbound rule that allows traffic to leave the instances.
You can only allow rules but not deny them
You can grant access to a specific IP or CIDR range or to another security group within the VPC or in a peer VPC. This requires a VPC peering link.
They can be viewed as a whole or cumulative group of rules, with the most permissive rule preceding for e.g. If you have two rules that allow access to TCP Port 22 (SSH) from IP address and one that allows access from everyone, everyone can access TCP Port 22.
Are Stateful – responses to allowed traffic inbound are allowed to flow outbound without regard to outbound rules and vice versa. An Outbound rule is not required for the response.
If rules are not added to allow traffic, instances associated with a security team can’t talk to one another.
Are associated with ENI (network interfacings).
Connection Tracking
Security groups are considered Stateful when they use Connection tracking for traffic information to and from the instance.
Inbound traffic responses are allowed to flow from the instance, regardless of outbound security group rules and vice versa.
Connection Tracking can only be maintained if there is no Outbound rule for an inbound request (or vice versa).
If an Inbound request has an explicit Outbound Rule, response traffic will be allowed based on that Outbound rule, and not the Tracking information
Tracking flow e.g. If an instance (host B) initiates traffic to host A and uses a protocol that is not TCP, UDP or ICMP for response traffic, the firewall only tracks the IP address & number.
Host B can initiate traffic to the instance by sending a separate request within 600 seconds after the original request or response. The instance will accept it regardless of any inbound security group rules. It’s considered response traffic.
This can be managed by changing the outbound rules of the security group to allow certain types of outbound traffic. You can also use Network Access Control Lists (NACLs), which are stateless and do not allow response traffic.
A Network ACLs (NACLs), an optional layer of security, is a firewall that controls traffic between and within one or more subnets.
They are not intended for granular control. They are assigned at Subnet level and apply to all instances in that Subnet.
Each rule can allow or deny traffic. Each rule has its own inbound and outside rules.