AWS Certified SysOps Administrator Part II: Security Groups & NACLs

  • 1. Layered Security
    • a. Overview
      • i. Resources are inside a..
      • ii. VM Firewall (instance level – OS provided)
      • iii. Security Groups (instance level – AWS platform provided)
      • iv. NACLs (Subnet level)
  • 2. Security Groups
    • a. Resource level traffic firewall
      • i. Instance, ELB, etc.
      • ii. Control egress / ingress
    • b. Stateful (return traffic allowed)
    • c. Only get destination port filtering
    • d. Maximums
      • i. Up to 100 security groups per VPC
      • ii. Up to 50 lines in each security group
      • iii. Up to 5 security groups per instance
    • e. Practices
      • i. You might have ‘web server’ security groups, citrix XenApp servers, etc.
    • f. Instances can’t communicate unless allowed
      • i. You apply a security group to an instance. The security group is not a container that instances get added into. It’s really just a set of rules that are associated with an instance.
      • ii. Default SG allows communications from other instances in the same SG
      • iii. Destination port filtering only (no source port filtering). If you want this level of granularity you need NACLs.
    • g. Default rules:
      • i. Deny all inbound traffic until allow
      • ii. Allow rules only
      • iii. Allow all outbound traffic until allow
      • iv. If you remove allow-all then you are telling it to deny everything except your specific allow rules
  • 3. NACLs
    • a. Subnet level
    • b. Separates inbound / outbound rules
    • c. Source and protocol filtering
    • d. Stateless, you need to allow or deny everything
      • i. Lower numbers are processed first
      • ii. Stop on first match
      • iii. Separate inbound and outbound traffic rules
    • e. Default rules
      • i. Deny all
      • ii. Can have permit and deny rules
      • iii. One active NACL per subnet

One thought on “AWS Certified SysOps Administrator Part II: Security Groups & NACLs

  1. Pingback: AWS Certified SysOps Administrator Exam: Study Guide | Sky Cliffs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s