L8. Network Security: Security Groups, NACLs, WAF, and Shield
AWS network security involves multiple layers of defense. The Cloud Practitioner exam tests Security Groups, Network ACLs, AWS WAF, AWS Shield, and how they differ in scope and behavior.
Amazon VPC Security Layers
AWS provides two primary network-level security controls within a VPC:
Security Groups
Security groups act as virtual firewalls at the instance level (attached to ENIs/network interfaces). Key characteristics:
- Stateful: if you allow inbound traffic, the corresponding outbound reply is automatically allowed (and vice versa)
- Default security group denies all inbound, allows all outbound
- Rules only allow; you cannot write explicit deny rules
- Can reference other security groups as sources
- Applied to individual EC2 instances, RDS instances, Lambda in VPC, etc.
Network Access Control Lists (NACLs)
NACLs act as firewalls at the subnet level. Key characteristics:
- Stateless: inbound and outbound rules are evaluated independently; you must explicitly allow both directions
- Rules are numbered and evaluated in order; first match wins
- Can explicitly Allow AND Deny traffic (unlike Security Groups which only allow)
- Default NACL allows all traffic; custom NACLs deny all by default
Security Groups vs. NACLs
| Feature | Security Groups | NACLs |
|---|---|---|
| Applies to | Individual instances | Entire subnet |
| Stateful? | Yes | No |
| Allow/Deny rules | Allow only | Both Allow and Deny |
| Rule evaluation | All rules evaluated | Rules in order; first match wins |
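To make the table concrete, here is a small simulator (added for this lesson, not AWS code) that models a stateless NACL with numbered first-match rules beside a stateful, allow-only security group. The packet model, the sample IP addresses and the rule sets are constructed for the example; it assumes a host serving HTTPS on port 443 whose NACL author forgot an outbound ephemeral-port rule.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model (not AWS's own): direction is "in" (to the host) or "out".
Packet = namedtuple("Packet", "direction proto remote_ip remote_port local_port")

def dst_port(pkt):  # rules match on the packet's destination port
    return pkt.local_port if pkt.direction == "in" else pkt.remote_port

def flow(pkt):      # key shared by a request and its reply
    return (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)

def rule_matches(proto, lo, hi, cidr, pkt):
    return (proto in ("all", pkt.proto) and lo <= dst_port(pkt) <= hi
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(cidr))

def nacl_decision(rules, pkt):
    """Stateless: each packet judged alone, ascending rule number, first match wins."""
    for _num, direction, proto, lo, hi, cidr, action in sorted(rules):
        if direction == pkt.direction and rule_matches(proto, lo, hi, cidr, pkt):
            return action
    return "deny"  # the implicit '*' rule at the end denies everything else

class SecurityGroup:
    """Stateful and allow-only: a flow admitted one way is accepted the other
    way with no rule, and there is no way to write an explicit deny."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}  # (proto, lo, hi, cidr)
        self.tracked = set()  # simplified connection-tracking table
    def decision(self, pkt):
        if flow(pkt) in self.tracked:
            return "allow"
        if any(rule_matches(*r, pkt) for r in self.rules[pkt.direction]):
            self.tracked.add(flow(pkt))
            return "allow"
        return "deny"  # unmatched traffic is simply dropped

# Constructed traffic: an HTTPS request, the host's reply, and a client to block.
request = Packet("in", "tcp", "198.51.100.7", 50000, 443)
reply = Packet("out", "tcp", "198.51.100.7", 50000, 443)
blocked = Packet("in", "tcp", "192.0.2.9", 50001, 443)
NACL = [  # (number, direction, proto, from_port, to_port, cidr, action)
    (90, "in", "all", 0, 65535, "192.0.2.9/32", "deny"),  # subnet-level block
    (100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (100, "out", "tcp", 443, 443, "0.0.0.0/0", "allow"),  # ephemeral ports forgotten
]
SG = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])

def compare():  # verdicts for (request, reply, blocked) from the NACL and the SG
    return ([nacl_decision(NACL, p) for p in (request, reply, blocked)],
            [SG.decision(p) for p in (request, reply, blocked)])
```

The NACL admits the request, drops the reply (stateless, no ephemeral-port rule) and blocks the listed client; the security group passes the reply automatically but, having only allow rules, cannot block that client at all.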
AWS WAF (Web Application Firewall)
AWS WAF protects web applications from common exploits at Layer 7 (HTTP/HTTPS): SQL injection, cross-site scripting (XSS), bad bots, and the OWASP Top 10. It works with CloudFront, Application Load Balancer, API Gateway, and AppSync. Its components are web ACLs (rule containers), rules (conditions), and rule groups (reusable sets of rules).
AWS Shield
AWS Shield protects against DDoS (Distributed Denial of Service) attacks.
- Shield Standard: free, automatic protection for all AWS customers; protects against common network/transport layer DDoS attacks
- Shield Advanced: paid ($3,000/month); enhanced DDoS protection, cost protection (refunds for scaling costs during attacks), 24/7 DDoS response team access, detailed attack diagnostics
AWS Network Firewall
AWS Network Firewall is a managed stateful firewall for VPCs, providing deeper traffic inspection than NACLs and security groups.
Exam tip: Security groups are stateful and work at the instance level. NACLs are stateless and work at the subnet level. WAF = Layer 7 application protection. Shield = DDoS protection.
- ✓ Security Groups are stateful, instance-level firewalls; NACLs are stateless, subnet-level firewalls
- ✓ Security Groups only have Allow rules; NACLs support both Allow and Deny rules
- ✓ NACLs evaluate rules in numbered order; the first matching rule applies
- ✓ AWS WAF protects web applications from Layer 7 attacks (SQL injection, XSS, OWASP Top 10)
- ✓ Shield Standard is free for all customers; Shield Advanced adds paid DDoS response team access and cost protection
1. A company needs to block traffic from a specific IP address at the subnet level in their VPC. Which AWS service should they use?
2. What is the key difference between AWS Shield Standard and AWS Shield Advanced?