VPC Security
Security Groups (SGs)
| Definition |
- Virtual STATEFUL FWs
- Return traffic from an allowed inbound connection is automatically permitted to leave the instance
- Separate sets for inbound/outbound
- Limits:
  - Up to 2,500 SGs per region
  - Up to 5 SGs per network interface
  - 60 inbound and 60 outbound rules per SG

| Default |
- ALLOW comms between all resources within the same SG
- NO INBOUND IS ALLOWED (other than from the same SG)
- ALLOW all OUTBOUND traffic
- DENY all other traffic
- Can be altered, not deleted

| DIRECTION | SRC | PROT | PORT | INFO |
| INBOUND | sg-xxx | ALL | ALL | allow all INBOUND from instances within SG |
| OUTBOUND | 0.0.0.0/0 | ALL | ALL | allow all OUTBOUND |

| Rules |
- You can specify
  - ALLOW, not DENY rules (main difference from ACLs)
  - Separate rules for INBOUND/OUTBOUND
- Are STATEFUL = responses to allowed inbound are allowed outbound & vice versa (!= from ACLs)
- Instances associated with the same SG cannot talk to each other unless you add rules allowing it (exception being the default SG)

ACLs
| Definition |
- STATELESS FW on a SUBNET level
- Return traffic must be explicitly allowed (or denied) via additional rules
- Numbered list of rules evaluated in order (starting from the lowest number) to determine which traffic is allowed in/out of the subnet
- Default deny (there's an immutable final deny rule that matches all)
- Every subnet must be associated with an ACL

| Default |
- VPC created with modifiable default ACL associated with each subnet
- Default rules:
  - Rule 100: ALLOW all traffic from all protocols, all port ranges, from any source (ALLOW ALL inbound/outbound)
  - Rule *: DENY all traffic from all protocols, all port ranges, from any source (basically useless given Rule 100)

| Rules |
- Rule Number: when a rule matches traffic, it is immediately applied, regardless of any higher-numbered rule that may contradict it
- Type: Custom TCP rule, Custom UDP rule, Custom ICMP rule, Custom Protocol Rule, ALL TCP, ALL UDP, ALL ICMP – IPv4, ALL ICMP – IPv6, ALL Traffic, or specific protocols
- Protocol: the IP protocol number for the packets the rule refers to
- Port Range
- Source (inbound rules only) or Destination (outbound rules only): the IP address or range that is allowed or denied by the rule
- Allow/Deny

SGs vs ACLs
| SG | ACL |
| INSTANCE level (attached to ENI) | SUBNET level (attached to Subnet) |
| ALLOW rules only | ALLOW & DENY rules |
| STATEFUL (return traffic autom. allowed) | STATELESS (return traffic must be explicitly allowed) |
| ALL rules evaluated BEFORE deciding to allow | Rules processed in NUMBERED ORDER |
| Applied SELECTIVELY to individual instances | AUTOM. APPLIED to ALL instances w/in a SUBNET (backup layer of defense) |
| To ALLOW specific traffic | To DENY between subnets |

VPC Block Public Access
In 2024, AWS announced VPC Block Public Access (BPA), a new centralized declarative control that enables network and security administrators to authoritatively block Internet traffic for their VPCs:
Flow Logs
| Use Cases |
- Enable to capture information about the traffic going to and from network interfaces in the VPC
- Log data is stored using CloudWatch Logs
- Flow logs can be created at 3 levels: VPC, subnet, network interface

| Limitations |
- Not possible to enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You cannot tag a flow log
- After you've created a flow log, you cannot change its configuration (i.e., you cannot associate a different IAM role with the flow log)

| Not all traffic is monitored |
- Traffic generated by instances when they contact the Amazon DNS server (DNS traffic is logged if you use your own DNS server)
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router

Flow Log Format
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport>
<protocol> <packets> <bytes> <start> <end> <action> <log-status>
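As an added example (not part of the original notes), a small Python parser for records in the default flow log format above, run over constructed sample records: it skips NODATA/SKIPDATA records, whose traffic fields are only "-" placeholders, and tallies REJECT entries per source address and destination port, a quick first pass when reviewing what the SG/ACL rules are dropping. The account id, ENI id and addresses in the sample are made up.

```python
from collections import Counter

# Field order of the default (version 2) flow log format, as listed above.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")

# Constructed sample records: made-up account, ENI and addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 40001 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 40002 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Map one record onto FIELDS. Returns None for malformed lines and for
    NODATA/SKIPDATA records, whose traffic fields are only "-" placeholders."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def rejected_by_source(log_text):
    """Count REJECT records per (srcaddr, dstport). REJECT means the traffic
    was not permitted by the SGs or ACLs, so one source collecting rejects
    across several ports (22 and 3389 in the sample) deserves a closer look."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, port), n in rejected_by_source(SAMPLE_LOG).most_common():
        print(f"{src} -> dst port {port}: {n} rejected")
```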