VPC Security

Security Groups (SGs)

  • Virtual STATEFUL FWs
    • Return traffic from an allowed inbound connection is automatically permitted to leave the instance
    • Separate sets for inbound/outbound
  • Limits:
    • Up to 2,500 SGs per region
    • Up to 5 SGs per network interface
    • 60 inbound and 60 outbound rules per SG
  • ALLOW comms between all resources within the same SG
    • ALLOW all OUTBOUND traffic
    • DENY all other traffic
  • Can be altered, not deleted
    Direction   Source    Protocol   Port range   Description
    INBOUND     sg-xxx    ALL        ALL          allow all INBOUND from instances within SG
  • You can specify
    • ALLOW rules only, no DENY rules (main difference from ACLs)
    • Separate rules for INBOUND/OUTBOUND
  • Are STATEFUL = responses to allowed inbound traffic are allowed outbound & vice versa (unlike ACLs)
  • Instances associated with same SG cannot talk to each other unless you add rules allowing it (exception being the default SG)

Network ACLs (NACLs)

  • STATELESS FW on a SUBNET level
    • Return traffic must be explicitly allowed (or denied) via additional rules
  • Numbered list of rules evaluated in order (starting from the lowest number) to determine which traffic is allowed into or out of the subnet
  • Default deny (there's an immutable final deny rule that matches all)
  • Every subnet must be associated with an ACL
  • A VPC is created with a modifiable default ACL associated with each subnet
  • Default rules:
    • Rule 100: ALLOW all traffic from all protocols, all port ranges, from any source (ALLOW ALL inbound/outbound)
    • Rule *: DENY all traffic from all protocols, all port ranges, from any source (never reached, since Rule 100 already matches everything)
  • Rule Number: rules are evaluated from lowest to highest; when a rule matches traffic it is applied immediately, regardless of any higher-numbered rule that may contradict it
  • Type: Custom TCP rule, Custom UDP rule, Custom ICMP rule, Custom Protocol Rule, ALL TCP, ALL UDP, ALL ICMP – IPv4, ALL ICMP – IPv6, ALL Traffic, or specific protocols
  • Protocol: the IP protocol number of the packets the rule refers to
  • Port Range
  • Source (inbound rules only) or Destination (outbound rules only): the IP address or range that is allowed or denied by the rule
  • Allow/Deny

SGs vs ACLs

Security Groups                                   | Network ACLs
--------------------------------------------------+------------------------------------------------------------------------
INSTANCE level (attached to ENI)                  | SUBNET level (attached to Subnet)
ALLOW rules only                                  | ALLOW & DENY rules
STATEFUL (return traffic autom. allowed)          | STATELESS (return traffic must be explicitly allowed)
ALL rules evaluated BEFORE deciding to allow      | Rules processed in NUMBERED ORDER
Applied SELECTIVELY to individual instances       | AUTOM. APPLIED to ALL instances w/in a SUBNET (backup layer of defense)
To ALLOW specific traffic                         | To DENY between subnets

Flow Logs

Use Cases
  • Enable flow logs to capture information about the traffic going to and from network interfaces in the VPC
  • Log data is stored using CloudWatch Logs
  • Flow logs can be created at 3 levels: VPC, subnet, network interface
  • Not possible to enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
  • You cannot tag a flow log
  • After you've created a flow log, you cannot change its configuration (e.g., you cannot associate a different IAM role with the flow log)
Not all traffic is monitored; the following is NOT captured:
  • Traffic generated by instances when they contact the Amazon DNS server (DNS traffic is logged if you use your own DNS server)
  • Traffic generated by a Windows instance for Amazon Windows license activation
  • Traffic to and from the instance metadata service
  • DHCP traffic
  • Traffic to the reserved IP address for the default VPC router

Flow Log Format

<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport>
<protocol> <packets> <bytes> <start> <end> <action> <log-status>
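An added example (not from the original notes or from AWS) that parses records in the default format above and summarises which destination ports the SGs and NACLs rejected per source address; the sample records, account id, ENI id and addresses are all constructed:

```python
# Parse VPC Flow Log records in the default (version 2) field order and
# summarise REJECTed flows per source. Added example, not AWS code.
from collections import defaultdict

# Field order exactly as in the default flow log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
           "start", "end"}


def parse_record(line):
    """Split one record into a dict keyed by FIELDS; None if malformed.
    '-' (used in NODATA/SKIPDATA records) becomes None, numeric fields int."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return {name: None if v == "-" else int(v) if name in NUMERIC else v
            for name, v in zip(FIELDS, parts)}


def rejected_ports_by_source(lines):
    """Map srcaddr -> set of dstports an SG or NACL rejected.
    Only log-status OK records carry traffic data, so others are skipped."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["log_status"] == "OK" and rec["action"] == "REJECT":
            out[rec["srcaddr"]].add(rec["dstport"])
    return dict(out)


def noisy_sources(lines, min_ports=3):
    """Sources whose rejected flows hit at least min_ports distinct ports."""
    summary = rejected_ports_by_source(lines)
    return sorted(s for s, ports in summary.items() if len(ports) >= min_ports)


# Constructed sample: one source hitting three rejected ports, one normal client,
# plus a NODATA record (no traffic in the window, traffic fields are '-').
SAMPLE_LOG = """\
2 111122223333 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 40121 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 40122 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 40123 445 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 51000 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 51001 8080 6 2 120 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()
```

`noisy_sources(SAMPLE_LOG)` returns only the source whose rejected flows spread across several ports; the NODATA record is parsed but contributes no traffic.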