These Are the 2 Layers Which Protect the AWS Cloud


We have covered the Security Services in the article Most Used Cloud Services. But apart from services, AWS also offers other components and functionalities which enhance the security level. They are the AWS Network Access Control List and AWS Security Groups; let's see each of them in detail.



AWS provides many services like AWS IAM, AWS CloudTrail, AWS Shield, and AWS Audit Manager which are dedicated only to the security and protection of the cloud. These services use many parameters and functionalities to protect the subnets and resources, but there are also optional features like Network ACLs and Security Groups which are not AWS services but optional functionalities which the customer can use to protect the subnets and instances.

AWS Network Access Control List

A Network ACL acts as a firewall at the subnet level. It is an additional layer of firewall that we can add to our subnet for more protection. We should remember that by default a Network ACL allows all inbound and outbound traffic. It can also add optional security to a Virtual Private Cloud (VPC). It works like this: first, when any inbound request arrives at the subnet or VPC, the sender and receiver IP addresses and details are read; then they are looked up in the Access Control List. If the IP address is not blocked and has permission to reach the destination, the request is forwarded; otherwise it is blocked.

The point to remember here is that Network ACLs are stateless, or in other words, they do not store information about the requests they previously allowed or blocked; every packet, including the reply to an allowed request, is checked against the rules again. There is also the custom Network ACL, which denies all inbound and outbound traffic until we configure which requests should go in and out. We shall look at the working of the Network ACL after learning about Security Groups.

AWS Security Groups

Security Groups work at the instance level of access control. A Security Group monitors all the inbound and outbound traffic of an instance. By default, a Security Group allows all outbound traffic from an instance. Another point to remember here is that Security Groups are stateful: they keep track of the requests they have allowed, so the replies to an allowed request are let through automatically. While launching an instance we need to specify the Security Group for the instance, or else it will be given the default Security Group.

When we create a Security Group for our instances, the default rules are: allow all outbound traffic and deny all inbound traffic. This kind of security setting is really good for instances which work as a database or hold confidential information. As it provides instance-level security, it is the first level of defense in the AWS cloud that a request must pass at the instance. In real-world use, most instances are kept under Security Groups, and it is a good practice to do so. Whenever there is a breach in the system or cloud, the users cannot access the instances which are protected by a Security Group.

Network ACL VS Security Groups

Both Network ACLs and Security Groups provide protection in their own way, but when they are used together they give us 2 levels of security. Let's see this with a simple example. Suppose a request from the internet wants to reach an instance in the cloud. As it is coming from outside the subnet or network, the first security layer it interacts with is the Network ACL. The Network ACL checks the sender and receiver details against its list. The first thing it checks is whether a request from this sender is allowed to enter the subnet or not; if the sender does not have the required permission or is in the blacklisted users, the request is discarded. If the sender has all the permissions, the request is sent on to the required subnet.

Now the next security layer the request interacts with is the Security Group. We know that a Security Group denies all inbound traffic by default, but if it is a custom Security Group it checks the request against its rules and decides whether to let the request through or not. This additional security for cloud resources gives a lot of protection. For example, if there is a database with all the usernames and passwords, we can keep it in a Security Group so that only outbound traffic is allowed and only specific users like the system admins or database admins can access it. An intruder who enters the network will not be able to access the database.
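To make the two-layer flow and the stateless-versus-stateful difference concrete, here is a small model of both filters written for this article; it is added example code, not anything from AWS. It models the Network ACL semantics described in the section above (rules evaluated lowest number first, first match wins, implicit deny at the end, every packet including the reply checked independently) and the Security Group semantics (allow rules only, replies to an admitted connection pass automatically), then walks a request from the internet through the Network ACL, then the Security Group, and its reply back out. All addresses, ports and rules are constructed for the example; the `Packet`, `NaclRule`, `NetworkAcl`, `SecurityGroup` and `trace_request` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The packet the instance sends back in answer to this request."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated lowest number first
    action: str      # "allow" or "deny"
    cidr: str        # remote address range the rule applies to
    port_low: int    # destination port range
    port_high: int
    proto: str = "tcp"


def _matches(cidr, port_low, port_high, proto, remote_ip, port, pkt_proto):
    return (proto in ("all", pkt_proto)
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr)
            and port_low <= port <= port_high)


class NetworkAcl:
    """Subnet-level filter. Stateless: every packet is matched against the rule
    list for its direction with no memory of earlier packets. First matching
    rule wins; anything unmatched hits the implicit final '*' deny rule."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, port, proto):
        for r in rules:
            if _matches(r.cidr, r.port_low, r.port_high, r.proto, remote_ip, port, proto):
                return r.action == "allow"
        return False  # implicit deny

    def allows_inbound(self, pkt):   # remote = sender, port = port on the instance
        return self._evaluate(self.inbound, pkt.src_ip, pkt.dst_port, pkt.proto)

    def allows_outbound(self, pkt):  # remote = receiver, port = port at the receiver
        return self._evaluate(self.outbound, pkt.dst_ip, pkt.dst_port, pkt.proto)


class SecurityGroup:
    """Instance-level filter. Allow rules only, and stateful: once a packet of a
    connection is admitted, packets of that connection pass in the other
    direction without needing a rule of their own."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # tuples (cidr, port_low, port_high, proto)
        self.outbound = outbound
        self._tracked = set()       # (instance_ip, instance_port, remote_ip, remote_port)

    def allows_inbound(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self._tracked or any(
                _matches(c, lo, hi, p, pkt.src_ip, pkt.dst_port, pkt.proto)
                for c, lo, hi, p in self.inbound):
            self._tracked.add(key)
            return True
        return False

    def allows_outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self._tracked or any(
                _matches(c, lo, hi, p, pkt.dst_ip, pkt.dst_port, pkt.proto)
                for c, lo, hi, p in self.outbound):
            self._tracked.add(key)
            return True
        return False


def trace_request(nacl, sg, request):
    """Walk one request from the internet to the instance and its reply back out,
    in the order the article describes: Network ACL first, then Security Group.
    Returns the verdict of each hop and stops at the first one that blocks."""
    reply = request.reply()
    hops = [("nacl_inbound", nacl.allows_inbound, request),
            ("sg_inbound", sg.allows_inbound, request),
            ("sg_outbound", sg.allows_outbound, reply),
            ("nacl_outbound", nacl.allows_outbound, reply)]
    verdict = {}
    for name, check, pkt in hops:
        verdict[name] = check(pkt)
        if not verdict[name]:
            break
    return verdict


# Constructed rule sets for a web instance at 10.0.1.5 (documentation-range addresses).
NACL_INBOUND = [NaclRule(90, "deny", "198.51.100.0/24", 0, 65535, "all"),  # blacklisted senders
                NaclRule(100, "allow", "0.0.0.0/0", 0, 65535)]             # everyone else enters the subnet
NACL_EPHEMERAL_OUT = NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)      # lets replies leave the subnet
SG_INBOUND = [("0.0.0.0/0", 443, 443, "tcp")]                              # only HTTPS reaches the instance
SG_OUTBOUND_ALL = [("0.0.0.0/0", 0, 65535, "all")]                         # the default "allow all outbound"


def web_request(src_ip, dst_port):
    return Packet(src_ip, 51000, "10.0.1.5", dst_port)


def run_scenarios():
    nacl = NetworkAcl(NACL_INBOUND, [NACL_EPHEMERAL_OUT])
    return {
        "https_ok": trace_request(nacl, SecurityGroup(SG_INBOUND, SG_OUTBOUND_ALL), web_request("203.0.113.10", 443)),
        "blacklisted_sender": trace_request(nacl, SecurityGroup(SG_INBOUND, SG_OUTBOUND_ALL), web_request("198.51.100.7", 443)),
        "ssh_stopped_by_sg": trace_request(nacl, SecurityGroup(SG_INBOUND, SG_OUTBOUND_ALL), web_request("203.0.113.10", 22)),
        # Security Group is stateful: the reply passes even with no outbound rule at all.
        "sg_stateful_reply": trace_request(nacl, SecurityGroup(SG_INBOUND, []), web_request("203.0.113.10", 443)),
        # Network ACL is stateless: without an outbound rule for the ephemeral port the reply is dropped.
        "nacl_stateless_reply_dropped": trace_request(NetworkAcl(NACL_INBOUND, []), SecurityGroup(SG_INBOUND, SG_OUTBOUND_ALL), web_request("203.0.113.10", 443)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The last two scenarios are the practical check worth remembering: a Security Group with no outbound rule still returns the HTTPS reply because it tracks the admitted connection, while a custom Network ACL that allows port 443 inbound but has no outbound rule covering the client's ephemeral port (1024 to 65535) lets the request in and silently drops the answer, which is why a "request reaches the instance but the client times out" symptom often points at the Network ACL rather than the Security Group.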
