Cyber Intelligence
Infrastructure Security · 20% of exam

L7. Security Groups, NACLs & Network Segmentation

Video generating

Check back soon for the video lesson on Security Groups, NACLs & Network Segmentation

Stateful vs stateless, instance-level vs subnet-level, allow-only vs allow-and-deny: the security group and NACL distinctions the exam tests hardest, plus the multi-tier subnet pattern that puts them to work.

Two Firewalls, Two Different Jobs

A VPC gives you two layers of traffic filtering, and the exam leans heavily on the ways they differ. Security groups operate at the instance/ENI level and are stateful: if you allow inbound traffic on a port, the response traffic is automatically permitted back out, with no matching outbound rule required. Security groups only support Allow rules. There is no way to write an explicit Deny; you can only choose what to allow. Network ACLs (NACLs) operate one layer higher, at the subnet boundary, and they are stateless. Because there is no connection tracking, you must explicitly allow both the inbound request and the outbound response, or return traffic silently drops. NACLs support both Allow and Deny rules, and they are evaluated in ascending rule-number order, stopping at the first rule that matches. Rule ordering is not cosmetic here: a Deny placed after a broader Allow never gets a chance to fire.

Defaults Matter

A newly created security group denies all inbound traffic and allows all outbound traffic by default. A newly created custom NACL denies everything, both directions, until you add rules. The default NACL that ships with a VPC is the exception: it allows all traffic by default, which is why security teams routinely lock it down or replace it with custom NACLs as a hardening step.

Referencing Security Groups as Sources

Instead of hardcoding a CIDR block, a security group rule can name another security group as its source or destination. This is the standard pattern for tiered applications: the database security group's inbound rule allows port 3306 only from the app-tier security group, not from a subnet range. As instances scale in and out of the app tier, the rule stays correct automatically, since it is tracking group membership rather than IP addresses.

Building Tiers With Subnets

Combine these controls into a multi-tier segmentation pattern spread across multiple Availability Zones for resilience:

TierSubnet typeInternet route
EdgePublicDirect route to an internet gateway (load balancers)
ApplicationPrivateNo direct internet route; outbound via NAT gateway if needed
DataIsolatedNo route to an internet gateway or NAT gateway at all
A compromised load balancer in the public tier cannot reach the database directly if the isolated subnet's route table has no path out, and NACLs at each subnet boundary add a second layer of enforcement independent of whatever security groups are attached to the instances themselves. Exam tip: When a question asks how to explicitly block a single malicious IP address while leaving everything else untouched, the answer is always a NACL Deny rule, numbered ahead of the broader Allow rule. Security groups cannot express "deny this one thing," only "allow this and nothing else," so they are the wrong tool whenever the question uses the word "block" or "deny" for a specific source.

Exam Focus Points
  • Security groups are stateful and instance/ENI-scoped, and support Allow rules only, never explicit Deny
  • NACLs are stateless and subnet-scoped, support both Allow and Deny, and are evaluated in ascending rule-number order until the first match
  • A security group can name another security group as its source or destination, which is the standard way to allow traffic only from a specific application tier
  • A new custom NACL denies all traffic by default until rules are added; a new security group denies all inbound but allows all outbound by default
  • Only a NACL can explicitly block a specific malicious IP address; a security group can only decline to allow it, never actively deny it
Knowledge Check

1. A team needs to explicitly block a specific IP address range known to be scanning their subnet, while still allowing all other traffic on the same port. Which control should they use?

2. Why are security groups described as stateful?

3. Which architecture pattern best limits the blast radius if a public-facing web server is compromised?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.

Start Security Specialty prep free10-day free trial available