VPC Security Groups Flashcards

1
Q

What is a Security Group in AWS?

A

A Security Group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. In AWS, Security Groups are associated with instances, providing security at the protocol and port access level.

2
Q

How do Security Groups work in AWS?

A

Security Groups in AWS work by allowing you to specify allow rules, but not deny rules. Traffic that does not match an allow rule is automatically denied. They are stateful, meaning if traffic is permitted in one direction, the return traffic is automatically allowed, irrespective of other rules.

3
Q

How does a Security Group differ from a Network Access Control List (NACL)?

A

Security Groups differ from NACLs in that they are stateful and instance-level, whereas NACLs are stateless and subnet-level. Security Groups control access to EC2 instances, while NACLs control access to subnets.

4
Q

Can a Security Group rule reference another Security Group?

A

Yes, a Security Group rule can reference another Security Group. This allows one Security Group to allow or deny traffic based on the membership of another Security Group, facilitating dynamic, membership-based security rules.

5
Q

How are Security Group rules evaluated?

A

Security Group rules are evaluated as a whole, in no specific order. If there is an allow rule for a specific type of traffic, that traffic is allowed to or from the instance, regardless of other rules.

6
Q

What types of traffic do Security Groups control?

A

Security Groups control inbound and outbound traffic for an EC2 instance. This includes TCP, UDP, ICMP, and other protocol types, distinguished by source and destination IP addresses, ports, and the protocol used.

7
Q

How can you modify Security Group rules?

A

Security Group rules can be modified at any time. The new rules are automatically applied to all instances associated with the Security Group without disrupting the instances.

8
Q

Is it possible to block specific IP addresses with Security Groups?

A

No, Security Groups in AWS do not support deny rules. They work on an allow-list basis: only allow rules can be defined. To explicitly deny traffic from specific IP addresses, consider using NACLs.

9
Q

Can an EC2 instance belong to multiple Security Groups?

A

Yes, an EC2 instance can be associated with multiple Security Groups. The instance receives the combined set of allow rules from each of the Security Groups.

10
Q

What happens when a Security Group is deleted in AWS?

A

When a Security Group is deleted, any instance associated with the Security Group will no longer have the rules of the deleted Security Group applied to it. If an instance is not associated with any other Security Group, it will be associated with the default Security Group of the VPC.
