Security - Security Groups Flashcards
Amazon Virtual Private Cloud provides features that you can use to increase and monitor the security for your virtual private cloud (VPC):
Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
Flow logs — Capture information about the IP traffic going to and from network interfaces in your VPC
If you don’t specify a security group when you launch an instance…
the instance automatically belongs to the default security group for the VPC.
Who controls which users are allowed to edit network ACLs, security groups, etc.?
You can use AWS Identity and Access Management to control who in your organization has permission to create and manage security groups, network ACLs and flow logs.
Compare Security Groups vs Network ACLs
Security group: Operates at the instance level. Network ACL: Operates at the subnet level.
Security group: Supports allow rules only. Network ACL: Supports allow rules and deny rules.
Security group: Is stateful: return traffic is automatically allowed, regardless of any rules. Network ACL: Is stateless: return traffic must be explicitly allowed by rules.
Security group: All rules are evaluated before deciding whether to allow traffic. Network ACL: Rules are processed in number order when deciding whether to allow traffic.
Security group: Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on. Network ACL: Automatically applies to all instances in the subnets it’s associated with (therefore, you don’t have to rely on users to specify the security group).
The followi
Security groups are…?
stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
Default Security group values:
Inbound - Allow inbound traffic from instances assigned to the same security group.
Outbound - Allow all outbound IPv4 traffic.
You can’t delete a default security group. (T/F)
True
What is a stale security group rule?
If a security group rule references a security group in a peer VPC, and the owner of the peer VPC deletes that referenced security group, or if you or the owner of the peer VPC deletes the VPC peering connection, the security group rule is marked as stale. You can delete stale security group rules as you would any other security group rule.