Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.2.1. Network Security Components (Security Groups, Network ACLs, Network Firewall, WAF, Shield)
Network security operates at multiple layers — each catching different types of threats.
Security Groups (instance-level firewall):
- Stateful: Return traffic automatically allowed
- Allow rules only: No explicit deny rules
- Applied to: ENIs (network interfaces on EC2, RDS, Lambda VPC, etc.)
Network ACLs (subnet-level firewall):
- Stateless: Must allow both inbound AND outbound explicitly
- Allow AND deny rules: Rules evaluated by number (lowest first)
- Applied to: Subnets
| Feature | Security Group | Network ACL |
|---|---|---|
| Scope | Instance (ENI) | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules evaluated | First match wins |
| Default | Deny all inbound | Allow all |
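The table above is easiest to internalise by running the two evaluation models side by side. The following is an added example written for this page, not AWS code and not part of the course: the `Rule` and `Packet` classes, the rule encoding and the sample rule sets are all constructed here to mirror the table (any-allow-matches and stateful for a security group; numbered, first-match-wins, allow-or-deny and stateless for a network ACL).

```python
"""Model of how a security group and a network ACL decide whether a
connection is permitted. Added teaching example; the rule encoding and
sample rule sets are constructed to mirror the comparison table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; security groups have no ordering
    action: str      # "allow" or "deny" (security groups only ever "allow")
    protocol: str    # "tcp" or "udp"
    port_from: int
    port_to: int
    cidr: str        # remote CIDR the rule applies to


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str   # the non-instance endpoint, matched against rule.cidr in either direction
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol == pkt.protocol
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr))


def security_group_allows(rules, pkt: Packet) -> bool:
    """Every rule is evaluated; the packet passes if ANY allow rule matches.
    There are no deny rules, so order is irrelevant and the default is deny."""
    return any(r.action == "allow" and rule_matches(r, pkt) for r in rules)


def nacl_decision(rules, pkt: Packet) -> str:
    """Rules are tried in ascending number and the first match wins; the
    implicit final '*' rule denies anything that matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, pkt):
            return r.action
    return "deny"


def sg_connection_permitted(inbound, request: Packet) -> bool:
    # Stateful: once the request is allowed inbound, the reply is tracked and
    # permitted automatically, so outbound rules are never consulted for it.
    return security_group_allows(inbound, request)


def nacl_connection_permitted(inbound, outbound, request: Packet, client_port: int) -> bool:
    # Stateless: the request must pass the inbound rules AND the reply (sent
    # back to the client's ephemeral port) must pass the outbound rules.
    if nacl_decision(inbound, request) != "allow":
        return False
    reply = Packet(request.protocol, request.remote_ip, client_port)
    return nacl_decision(outbound, reply) == "allow"


# Constructed sample rule sets (not from any real account)
SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [
    Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),   # lower number wins over rule 100
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
NACL_OUTBOUND = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral ports for replies
NACL_OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]  # common misconfiguration

HTTPS_FROM_INTERNET = Packet("tcp", "198.51.100.7", 443)
HTTPS_FROM_DENIED_RANGE = Packet("tcp", "203.0.113.5", 443)

if __name__ == "__main__":
    print("SG, HTTPS from internet:      ", sg_connection_permitted(SG_INBOUND, HTTPS_FROM_INTERNET))
    print("SG, HTTPS from denied range:  ", sg_connection_permitted(SG_INBOUND, HTTPS_FROM_DENIED_RANGE))
    print("NACL, HTTPS from internet:    ", nacl_connection_permitted(NACL_INBOUND, NACL_OUTBOUND, HTTPS_FROM_INTERNET, 51234))
    print("NACL, HTTPS from denied range:", nacl_connection_permitted(NACL_INBOUND, NACL_OUTBOUND, HTTPS_FROM_DENIED_RANGE, 51234))
    print("NACL, no ephemeral outbound:  ", nacl_connection_permitted(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, HTTPS_FROM_INTERNET, 51234))
```

Two things the model makes visible: a security group cannot express the "deny 203.0.113.0/24" intent at all (it simply has no deny rule, so that range passes), and a network ACL that forgets the outbound ephemeral-port rule silently breaks every connection even though the inbound rule allowed it.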
AWS WAF (web application firewall):
- Protects CloudFront, ALB, API Gateway, AppSync
- Rules: SQL injection, XSS, rate limiting, geo-blocking, IP reputation
- Managed rule groups (AWS, marketplace vendors) provide pre-built protection
Example WAFv2 rate-based rule that blocks any source IP exceeding 2,000 requests in the evaluation window (every WAFv2 rule must also carry a VisibilityConfig block, which the API rejects the rule without):

```json
{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Action": {"Block": {}},
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitRule"
  }
}
```
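To reason about what a rate-based rule will actually do to a traffic pattern, it helps to replay a request log against the rule's limit. The following is an added example for this page, not AWS code and not the course's own material: it parses the rule document above and applies a simplified model (a per-source-IP sliding window of 300 seconds, the default evaluation window, is an assumption of this model; real AWS WAF samples the rate periodically rather than on every request, so treat the output as an approximation). The request log is constructed inline.

```python
"""Simplified model of an AWS WAF rate-based rule applied to a request log.
Added example, not AWS code. Assumptions: a 300-second sliding window per
source IP, evaluated on every request; aggregation by "IP" only."""
import json
from collections import defaultdict, deque

# The rule from the page, plus the VisibilityConfig block WAFv2 requires.
RULE_JSON = """{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Action": {"Block": {}},
  "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
  "VisibilityConfig": {"SampledRequestsEnabled": true,
                       "CloudWatchMetricsEnabled": true,
                       "MetricName": "RateLimitRule"}
}"""

WINDOW_MS = 300_000   # assumed evaluation window (5 minutes), in milliseconds


def load_rule(doc: str) -> dict:
    """Extract the fields this model needs from a WAFv2 rule document."""
    rule = json.loads(doc)
    stmt = rule["Statement"]["RateBasedStatement"]
    if stmt["AggregateKeyType"] != "IP":
        raise ValueError("this model only aggregates by source IP")
    action = next(iter(rule["Action"]))   # "Block", "Count", ...
    return {"name": rule["Name"], "limit": stmt["Limit"], "action": action}


def evaluate(rule: dict, requests):
    """requests: iterable of (timestamp_ms, source_ip) in time order.
    Returns {ip: timestamp_ms} for each IP whose request count within the
    window first exceeded the limit, i.e. when the rule's action first applied."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    first_hit = {}
    for ts, ip in requests:
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_MS:   # drop requests older than the window
            q.popleft()
        if len(q) > rule["limit"] and ip not in first_hit:
            first_hit[ip] = ts
    return first_hit


BASE_MS = 1_700_000_000_000


def constructed_log():
    """Constructed sample traffic: 198.51.100.9 sends 2,500 requests 50 ms
    apart (125 s), while 203.0.113.4 sends one request every 10 s for 10 min."""
    events = [(BASE_MS + i * 50, "198.51.100.9") for i in range(2500)]
    events += [(BASE_MS + i * 10_000, "203.0.113.4") for i in range(60)]
    return sorted(events)


if __name__ == "__main__":
    rule = load_rule(RULE_JSON)
    for ip, ts in evaluate(rule, constructed_log()).items():
        print(f"{rule['name']}: {rule['action']} {ip} from t+{(ts - BASE_MS) / 1000:.1f}s")
```

Against the page's limit of 2,000, only the fast source trips the rule, at its 2,001st request about 100 seconds in; the slow source never holds more than 30 requests in any 5-minute window, so it is only affected if the limit is set below that. Running a proposed limit against a sample of real access logs this way is a cheap check that legitimate clients (shared NAT addresses in particular) will stay under it.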
Exam Trap: Security group changes take effect immediately — but existing connections using the old rules remain active until they close. If you remove an allow rule for port 443, existing HTTPS connections continue until the client or server closes them. To immediately terminate connections, you must also terminate the associated instances or close the connections at the application level.

Written by Alvin Varughese, Founder, 15 professional certifications