Amit kumar

Reputation: 2724

AWS Security group vs Network ACLs

I have multiple EC2 instances in my AWS console which I wanted to make secured by adding firewall rules/policies. I read that AWS provides Network ACLs and Security Groups to achieve the same.

From what I read, I got the basic idea about both.

  • Security Groups are EC2 firewalls (1st level defense), tied to the instances, stateful in nature, i.e. any changes in the incoming rule impact the outgoing rule as well. An instance can have multiple SGs.

  • Network ACLs are subnet firewalls (2nd level defense), tied to the subnet, stateless in nature. A subnet can have only one NACL.

My questions are:

  1. Why do we need SGs when we have NACLs?
  2. Why do we need NACLs when we have SGs?
  3. Should we use SGs and NACLs together to make our AWS application more secure?
  4. When to choose NACLs over SGs, or SGs over NACLs?

I was wondering, given that I have multiple instances, whether I should add them all to a VPC and create a Network ACL, or whether I should assign a Security Group to each of them.

Need suggestions and references with best practices one should follow for similar scenarios.

Thanks a lot!

Upvotes: 9

Views: 3873

Answers (2)

Rodrigo Murillo

Reputation: 13648

An important security concept that applies here is Defense in Depth. This concept recommends that multiple layers of security controls are placed throughout an information technology system, better protecting a given asset.

Used together these two controls will provide a significantly better security architecture than any single protection layer. That said, the proper security posture for any application depends on the nature of the data - how sensitive it is, and your appetite for risk.

Security groups are the easiest and most basic element of security and would be your first choice for baseline security. When your application is complete and ready for production, or you have sensitive personally identifiable information (PII), you can (should) add NACLs to your security architecture.

Upvotes: 5

Chris Williams

Reputation: 35258

Whilst these might appear quite similar, the implementation and feature set differ for both.

To start with, the security group is the easiest to understand and implement. They are attached at the ENI (Elastic Network Interface) level and evaluated on the physical host of your resource before traffic is allowed through.

They have a limited feature set, but one pretty great feature over a NACL is that you can evaluate a source/destination by another resource's security group or by prefix list. This enables you to filter traffic to specific resources vs anything in a CIDR range. Security groups are also stateful, which means that if traffic can speak in one direction it will be able to return in the opposite direction.

A NACL, on the other hand, is situated at the subnet level; for this reason it has no effect on traffic between resources in the same subnet. Unlike a security group, though, it includes both explicit deny (security groups only support allow, with deny for anything not included) and ordered rule evaluation (security groups will look for any rule that allows inbound access; NACLs are evaluated from lowest to highest rule number).

When implementing NACLs it is important to understand what traffic will be flowing from which ranges (IPv4 and IPv6), the ports used, and the flow of traffic both inbound and outbound (NACLs are stateless). These rules are evaluated before packets are forwarded to the physical host itself, or after they leave the physical host, depending on the direction of travel. Additionally, make sure to consider ephemeral ports.

I would recommend using both if you want to provide the most locked-down environment, but before implementing NACLs, ensure you thoroughly plan for the allowed traffic through the NACL. To identify/debug issues with both of these, also take a look at VPC flow logs.

Upvotes: 13
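As an added illustration (not part of either answer above, and not AWS code), here is a small Python model of the two evaluation behaviours the accepted answer describes: ordered NACL rules with explicit deny and stateless return traffic that needs its own ephemeral-port outbound rule, versus allow-only, stateful security groups. The CIDRs, rule numbers and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (evaluation order); unused for SG rules
    cidr: str       # source range (inbound) or destination range (outbound)
    from_port: int
    to_port: int
    action: str     # "allow" or "deny" (security groups only ever use "allow")

def matches(rule, ip, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
            and rule.from_port <= port <= rule.to_port)

def nacl_decision(rules, ip, port):
    """NACL: lowest rule number first, first match wins, implicit deny ('*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, ip, port):
            return rule.action
    return "deny"

def sg_decision(rules, ip, port):
    """Security group: any matching allow rule permits; otherwise deny."""
    return "allow" if any(matches(r, ip, port) for r in rules) else "deny"

def nacl_flow_ok(inbound, outbound, client_ip, server_port, client_port):
    """Stateless: the request AND the reply must each pass their own rule set.
    The reply goes back to the client's ephemeral port, so outbound must allow it."""
    return (nacl_decision(inbound, client_ip, server_port) == "allow"
            and nacl_decision(outbound, client_ip, client_port) == "allow")

def sg_flow_ok(inbound, client_ip, server_port):
    """Stateful: once the request is allowed, the reply is tracked and allowed."""
    return sg_decision(inbound, client_ip, server_port) == "allow"

# Constructed sample policy: public HTTPS tier, one abusive /32 explicitly denied.
NACL_IN = [Rule(90, "203.0.113.7/32", 0, 65535, "deny"),    # lower number: wins
           Rule(100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_BROKEN = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]  # ephemeral ports forgotten
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "0.0.0.0/0", 1024, 65535, "allow")]
SG_IN = [Rule(0, "0.0.0.0/0", 443, 443, "allow")]  # SGs cannot express the /32 deny
```

Run `nacl_flow_ok(NACL_IN, NACL_OUT_BROKEN, "198.51.100.20", 443, 50321)` to see the stateless pitfall: the request is allowed but the reply on port 50321 is dropped until the rule-110 ephemeral range is added.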
