VPC 1

Question 1

Security Groups

What’s the major limitation of SGs?

Answer 1

Can’t deny (other than implicit deny)

Question 2

Security Groups

What do you attach Security Groups to?

Answer 2

ENIs, not instances!

Question 3

Security Groups

Can hosts in a SG talk to each other?

Answer 3

Not by default, need self-referenced SG to allow it

Question 4

Security Groups

Highest-level Use Cases for NACLs and SG?

Answer 4

SGs for expected app traffic, NACLs to deny bad actors or OOB traffic

Question 5

Security Groups

How do you setup a Security Group rule to deny access?

Answer 5

Can’t, SGs are inclusive only.

Question 6

Security Groups

What permissions are on the default security group?

Answer 6

Allow all inbound traffic from the default sg, allow all outbound traffic.

Question 7

Security Groups

What is the default permission for a custom security group you create?

Answer 7

No inbound traffic, allow all outbound traffic.

Question 8

Security Groups

Can instances within the same security group communicate by default?

Answer 8

No, you have to enable this explicitly: source is the security group in question.

Question 9

Security Groups

Why can’t I ping my instance from another security group?

Answer 9

Prob. didn’t add explicit rule for ICMP Ping “Echo” type to the inbound rule of the sg.

Question 10

Security Groups

Which scales better, Security Groups or NACLs?

Answer 10

Security Groups: use logical names for groups of things, not IP-based

Question 11

Security Groups

How do you change an EC2 instance’s Role that it uses?

Answer 11

Just do it, change Role from console or elsewhere, disappears from inside EC2 instance.