- 1. Layered Security
- a. Overview
- i. Resources are inside a..
- ii. VM Firewall (instance level – OS provided)
- iii. Security Groups (instance level – AWS platform provided)
- iv. NACLs (Subnet level)
- 2. Security Groups
- a. Resource level traffic firewall
- i. Instance, ELB, etc.
- ii. Control egress / ingress
- b. Stateful (return traffic allowed)
- c. Only get destination port filtering
- d. Maximums
- i. Up to 100 security groups per VPC
- ii. Up to 50 lines in each security group
- iii. Up to 5 security groups per instance
- e. Practices
- i. You might have a ‘web server’ security group, a Citrix XenApp server security group, etc.
- f. Instances can’t communicate unless allowed
- i. You apply a security group to an instance. The security group is not a container that instances get added into. It’s really just a set of rules that are associated with an instance.
- ii. Default SG allows communications from other instances in the same SG
- iii. Destination port filtering only (no source port filtering). If you want this level of granularity you need NACLs.
- g. Default rules:
- i. Deny all inbound traffic until an allow rule is added
- ii. Allow rules only (no deny rules)
- iii. Allow all outbound traffic by default (an allow-all egress rule)
- iv. If you remove allow-all then you are telling it to deny everything except your specific allow rules
- 3. NACLs
- a. Subnet level
- b. Separates inbound / outbound rules
- c. Source and protocol filtering
- d. Stateless; you need to explicitly allow or deny everything, including return traffic
- i. Lower numbers are processed first
- ii. Stop on first match
- iii. Separate inbound and outbound traffic rules
- e. Default rules
- i. Deny all
- ii. Can have permit and deny rules
- iii. One active NACL per subnet
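Added example (not from these notes or from AWS): a small Python model of the two behaviours above, with the numbered-rule, stop-on-first-match evaluation and stateless return traffic of a NACL next to a stateful security group. Rule numbers, CIDRs and ports are constructed sample values.

```python
"""Constructed model of NACL evaluation (ordered, first match, stateless)
beside a stateful security group. Illustrative only, not AWS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lower numbers are evaluated first
    protocol: str      # "tcp", "udp" or "*" for any protocol
    cidr: str          # remote CIDR the rule matches; "0.0.0.0/0" is any
    port_range: tuple  # inclusive (low, high); (0, 65535) is any port
    action: str        # "allow" or "deny"


def rule_matches(rule, protocol, remote_ip, port):
    """True when protocol, remote address and port all fall inside the rule."""
    if rule.protocol not in ("*", protocol):
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    low, high = rule.port_range
    return low <= port <= high


def nacl_decision(rules, protocol, remote_ip, port):
    """Walk rules by ascending number and stop on the first match; with no
    match the implicit final '*' rule denies the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, remote_ip, port):
            return rule.action
    return "deny"


# Constructed inbound NACL for a web subnet: HTTPS from anywhere, except one
# /24 that a lower-numbered deny blocks before the allow is reached.
INBOUND = [Rule(100, "tcp", "198.51.100.0/24", (443, 443), "deny"),
           Rule(110, "tcp", "0.0.0.0/0", (443, 443), "allow")]
# Replies leave on the client's ephemeral port, so a stateless NACL needs an
# explicit outbound allow for that range; the first list forgets it.
OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
OUTBOUND_FIXED = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]


def https_via_nacl(outbound, client_ip="203.0.113.10", client_port=51515):
    """(request decision, reply decision) for one HTTPS exchange."""
    return (nacl_decision(INBOUND, "tcp", client_ip, 443),
            nacl_decision(outbound, "tcp", client_ip, client_port))


def https_via_security_group(client_ip="203.0.113.10"):
    """Stateful: if the inbound flow matches an allow rule, its reply is
    permitted automatically with no egress rule at all (unordered, allow-only)."""
    ingress = [Rule(0, "tcp", "0.0.0.0/0", (443, 443), "allow")]
    verdict = "allow" if any(rule_matches(r, "tcp", client_ip, 443) for r in ingress) else "deny"
    return (verdict, verdict)
```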