Security Groups and Security Lists


In AWS, the basic packet filtering rules that decide which traffic each instance will accept (or send) are managed through security groups.

  • provides stateful inbound and outbound filtering at layer 4
    • once a new connection has been accepted by a rule, its return (established and related) traffic is allowed without needing a matching rule in the other direction
  • default security group
    • allows any outbound traffic and any inbound traffic from instances also bound to the default security group
  • custom security group
    • sets the ports and endpoints that are allowed for inbound and outbound traffic
  • there are no deny rules for security groups
    • any traffic that does not match an allow rule is dropped (implicit deny)
    • a custom group with no rules therefore drops all network traffic
  • Multiple instances can be assigned to the same security group
  • instances within the same subnet can be assigned to different security groups
  • can assign multiple security groups to the same instance
  • can assign security groups to VPC endpoint interfaces
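As an added example (not part of the original notes), the following Python model implements the semantics listed above: allow-only rules, implicit deny, stateful return traffic, group-referencing rules for the default group, and the union of rules across several groups attached to one instance. Group ids and addresses are constructed placeholders, not real AWS resources.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One allow rule. protocol '-1' means all protocols (ports are then ignored)."""
    protocol: str
    from_port: int = 0
    to_port: int = 65535
    cidr: Optional[str] = None        # peer address range this rule allows ...
    ref_group: Optional[str] = None   # ... or a group the peer instance must belong to

@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

def rule_matches(rule, protocol, port, peer_ip, peer_groups):
    """True if a single allow rule covers this packet."""
    if rule.protocol != "-1":
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.cidr is not None:
        return ip_address(peer_ip) in ip_network(rule.cidr, strict=False)
    return rule.ref_group in peer_groups     # group-referencing rule

def is_allowed(groups, direction, protocol, port, peer_ip,
               peer_groups=frozenset(), established=False):
    """Accept the packet if ANY rule of ANY attached group allows it.
    There are no deny rules: everything else is dropped (implicit deny).
    Return traffic of an already accepted connection is allowed statefully."""
    if established:
        return True
    for group in groups:
        rules = group.inbound if direction == "inbound" else group.outbound
        if any(rule_matches(r, protocol, port, peer_ip, set(peer_groups)) for r in rules):
            return True
    return False

# Constructed sample groups (placeholder ids)
DEFAULT_SG = SecurityGroup("sg-default",
    inbound=[Rule("-1", ref_group="sg-default")],    # only from members of the same group
    outbound=[Rule("-1", cidr="0.0.0.0/0")])          # any outbound traffic
SSH_SG = SecurityGroup("sg-ssh", inbound=[Rule("tcp", 22, 22, cidr="10.0.0.0/8")])
EMPTY_SG = SecurityGroup("sg-empty")                  # no rules at all: drops everything
```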

Info

  • Most cloud providers support similar filtering functionality
    • they may be implemented differently
  • e.g.,
    • in Azure, network security groups can be applied to network interfaces or to subnets
    • in Oracle Cloud Infrastructure (OCI), a security list is a set of rules that applies to an entire subnet
      • an OCI security group is similar to the AWS concept, as it can be applied to selected network interfaces