Security groups Flashcards
What are security groups?
SGs are stateful, allow-only firewalls that filter traffic at the network-interface level of a resource.
What are SGs attached to?
To elastic network interfaces (ENIs). Attaching an SG to a resource (EC2 instance, load balancer, RDS instance, Lambda in a VPC, etc.) means attaching it to that resource's ENIs.
Can SGs be attached to subnets?
No. SGs attach to network interfaces, not subnets. NACLs are the subnet-level control.
How many sets of rules do SGs have?
Two: an inbound set and an outbound set, like NACLs.
Are SGs stateless or stateful?
Stateful. Only a rule in the direction the connection starts is needed. The response traffic is tracked as part of the same connection and is automatically allowed, regardless of the rules in the other direction.
Can SGs reference logical resources?
Yes. The source or destination of a rule can be a logical reference (another security group ID or a prefix list) instead of only an IP range (CIDR). Traffic matches if the peer's ENI carries the referenced SG, whatever its IP address.
Can SGs reference other SGs?
Yes.
Can an SG reference itself?
Yes.
What does the default SG of a VPC do?
Inbound: allows all traffic from resources associated with the same SG (an explicit ALLOW rule). Outbound: allows all traffic. It does not allow inbound traffic from anywhere else.
How does the default SG achieve that explicit ALLOW?
By referencing itself as the source of its inbound rule.
Why would an SG reference itself?
So that anything this SG is attached to can talk to anything else it is attached to, since every member is matched by the self-referencing allow rule.
Do SGs have any implicit deny rule?
Yes. Anything not matched by an allow rule in the relevant rule set (inbound or outbound) is implicitly denied.
Can a SG explicitly deny anything?
No. SGs have allow rules only. NACLs are normally used together with SGs when something needs to be explicitly denied.
When are NACLs used over SGs?
- When products do not support SGs (like NAT Gateways).
- When there is a need to add explicit denies.
When are SGs preferred over NACLs?
- SGs are the default almost everywhere because they are stateful and easier to work with (simplicity and lower admin overhead).
- NACLs cannot filter traffic between resources in the same subnet, because they are only evaluated when traffic crosses the subnet boundary. SGs can, because they are attached to the resource's ENI and can reference other SGs.
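An added example, not part of the original flashcards: a Python model of the semantics on these cards, run over constructed security groups in the shape that boto3's describe_security_groups() returns (the group IDs and addresses are made up). It shows allow rules matching by CIDR or by the peer's SG membership (including the default SG's self-reference), implicit deny when nothing matches, stateful handling of replies, and why an SG can separate two peers at the same IP in the same subnet by which SGs their ENIs carry. A small audit helper lists inbound rules open to the world, the check most people want after reading these cards.

```python
import ipaddress

# Constructed sample data in the shape boto3's describe_security_groups()
# returns, trimmed to the fields used here. All IDs and addresses are made up.
SECURITY_GROUPS = {
    # The default SG of a VPC: inbound allows everything from members of the
    # same group (self-reference); outbound allows everything.
    "sg-0default": {
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0default"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    # Web tier: HTTPS from anywhere, SSH only from the VPC, all outbound.
    "sg-0web": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    # DB tier: Postgres only from ENIs that carry sg-0web; no egress rules.
    "sg-0db": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
        ],
        "IpPermissionsEgress": [],
    },
}


def rule_matches(rule, protocol, port, peer_ip, peer_sgs):
    """True if this allow rule covers the protocol/port and the peer.
    The peer matches by address (CIDR) or by the SGs on its own ENI."""
    if rule["IpProtocol"] != "-1":          # "-1" means all protocols/ports
        if rule["IpProtocol"] != protocol:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    return any(p["GroupId"] in peer_sgs for p in rule.get("UserIdGroupPairs", []))


def is_allowed(groups, attached_sgs, direction, protocol, port, peer_ip, peer_sgs=()):
    """Decide a NEW connection for an ENI carrying `attached_sgs`.
    Rules are allow-only and additive across groups; no match is an implicit deny."""
    key = "IpPermissions" if direction == "inbound" else "IpPermissionsEgress"
    return any(rule_matches(rule, protocol, port, peer_ip, peer_sgs)
               for sg_id in attached_sgs for rule in groups[sg_id][key])


class StatefulEni:
    """One ENI with its SGs and a connection table: the reply to a tracked
    flow is allowed without consulting the rules of the reverse direction."""

    def __init__(self, groups, attached_sgs):
        self.groups, self.attached_sgs, self.flows = groups, tuple(attached_sgs), set()

    def packet(self, direction, protocol, src_ip, src_port, dst_ip, dst_port, peer_sgs=()):
        other = "inbound" if direction == "outbound" else "outbound"
        if (other, protocol, dst_ip, dst_port, src_ip, src_port) in self.flows:
            return True                      # reply of an already-allowed flow
        peer_ip = src_ip if direction == "inbound" else dst_ip
        if is_allowed(self.groups, self.attached_sgs, direction, protocol,
                      dst_port, peer_ip, peer_sgs):
            self.flows.add((direction, protocol, src_ip, src_port, dst_ip, dst_port))
            return True
        return False


def world_open_inbound(groups):
    """Audit check: inbound rules whose source is 0.0.0.0/0 or ::/0."""
    findings = []
    for sg_id, sg in groups.items():
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                findings.append((sg_id, rule["IpProtocol"],
                                 rule.get("FromPort"), rule.get("ToPort")))
    return findings


if __name__ == "__main__":
    g = SECURITY_GROUPS
    # Same subnet, same source IP: only the peer carrying sg-0web gets through.
    print(is_allowed(g, ["sg-0db"], "inbound", "tcp", 5432, "10.0.1.10", {"sg-0web"}))
    print(is_allowed(g, ["sg-0db"], "inbound", "tcp", 5432, "10.0.1.10", {"sg-0default"}))
    print(world_open_inbound(g))
```

To run the audit against a real account, replace SECURITY_GROUPS with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()` keyed by `GroupId`; the rule shape is the same. The model deliberately has no deny path: the only way to block something is to have no rule match, which is exactly why an explicit deny needs a NACL.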