3.4.2.1. Network Security Components (Security Groups, Network ACLs, Network Firewall, WAF, Shield)
First Principle: Controlling and filtering network traffic at various layers protects your resources from unauthorized access, malicious attacks, and common web exploits, establishing a robust network security posture.
Adhering to the principle of defense-in-depth, AWS provides a suite of network security components.
- Security Groups (SGs): (Instance-level, stateful virtual firewalls attached to an instance's network interface.) Control EC2 traffic with allow rules only; because they are stateful, the reply to an allowed request is let through without a matching rule in the other direction (e.g., allowing HTTPS from anywhere while restricting SSH to an admin CIDR).
- Network Access Control Lists (Network ACLs / NACLs): (Subnet-level, stateless firewalls.) Rules are evaluated in ascending rule-number order and the first match wins, with a catch-all deny for anything unmatched. NACLs are the only one of these layers with explicit deny rules (e.g., blocking a known-bad IP range before the broad allow).
- AWS Network Firewall: (Managed service deploying highly available network firewalls in VPCs.) Provides stateless and stateful rule groups, Suricata-compatible intrusion prevention signatures, domain-name filtering, and traffic inspection across subnets.
- AWS WAF (Web Application Firewall): (Protects web apps/APIs against common web exploits and bots.) Attaches to CloudFront, Application Load Balancers, or API Gateway and filters HTTP(S) requests, e.g., blocking SQL injection patterns or rate-limiting abusive clients.
- AWS Shield: (Managed DDoS protection.) Standard is automatic and free for all AWS customers; Advanced is a paid tier with additional detection, mitigation, and response support for applications with higher availability requirements.
Key Network Security Components:
- Security Groups: Instance-level, stateful, allow-only; return traffic is permitted automatically.
- Network ACLs: Subnet-level, stateless, allow/deny; evaluated lowest rule number first, first match wins.
- AWS Network Firewall: VPC-level, deep packet inspection, intrusion prevention, domain filtering.
- AWS WAF: Application-layer (HTTP/S), web exploits and bot traffic.
- AWS Shield: DDoS protection (Standard automatic, Advanced paid).
Scenario: A DevOps team is deploying a new public-facing web application that needs to be protected from common web exploits (SQL injection), DDoS attacks, and granularly control inbound/outbound traffic to its EC2 instances and subnets.
Reflection Question: How would you combine Security Groups, Network ACLs, AWS WAF, and AWS Shield to create a multi-layered network security posture for this application, ensuring protection at various points of traffic flow?
These components work together to create a layered defense, ensuring traffic is inspected and filtered at multiple points before reaching your applications.
Tip: Remember that Network ACLs are evaluated before Security Groups for inbound traffic, and after Security Groups for outbound traffic. Because NACLs are stateless, the reply to an allowed inbound request must also be allowed explicitly on the way out (typically an outbound allow on ephemeral ports 1024-65535); a Security Group alone would have let that reply through.
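To make the stateful/stateless and rule-ordering differences concrete, here is an added example (not from the original page, and not AWS code) that models the decision logic of a Security Group and a Network ACL in plain Python and traces a request and its reply through both layers in the order they actually sit. It calls no AWS API; the addresses, ports, rule numbers, and the "broken", "good", and "misordered" NACLs are constructed for the demonstration.

```python
"""Toy model of AWS security group (stateful, allow-only) and network ACL
(stateless, numbered, allow/deny) evaluation. Constructed example; no AWS calls."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; security groups are allow-only
    number: int = 0         # NACL rule number; ignored for security groups


def _match(rule: Rule, pkt: Packet, peer: str) -> bool:
    """A rule matches when protocol, destination port and peer address all fit."""
    if rule.proto not in ("all", pkt.proto):
        return False
    if not rule.port_from <= pkt.dport <= rule.port_to:
        return False
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Instance-level and stateful: a reply to an already-allowed flow is allowed
    even if no rule in the reply's direction exists. There is no deny rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()  # connection tracking table (src, sport, dst, dport, proto)

    def check(self, pkt: Packet, direction: str) -> str:
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self._flows:
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        peer = pkt.src if direction == "inbound" else pkt.dst
        if any(_match(r, pkt, peer) for r in rules):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"  # implicit deny: nothing matched


class NetworkAcl:
    """Subnet-level and stateless: every packet is evaluated on its own, rules are
    walked by ascending number, first match wins, unmatched traffic is denied."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def check(self, pkt: Packet, direction: str) -> str:
        rules = self.inbound if direction == "inbound" else self.outbound
        peer = pkt.src if direction == "inbound" else pkt.dst
        for r in rules:
            if _match(r, pkt, peer):
                return r.action
        return "deny"  # the catch-all '*' rule


def trace_flow(nacl: NetworkAcl, sg: SecurityGroup, request: Packet):
    """Trace a request into the instance and its reply back out. Inbound traffic
    meets the NACL before the SG; outbound traffic meets the SG before the NACL.
    Returns [(stage, decision), ...], stopping at the first deny."""
    reply = Packet(request.dst, request.src, request.proto, request.dport, request.sport)
    stages = [("nacl-in", nacl, request, "inbound"), ("sg-in", sg, request, "inbound"),
              ("sg-out", sg, reply, "outbound"), ("nacl-out", nacl, reply, "outbound")]
    trace = []
    for name, layer, pkt, direction in stages:
        decision = layer.check(pkt, direction)
        trace.append((name, decision))
        if decision == "deny":
            break
    return trace


def web_sg() -> SecurityGroup:
    # HTTPS in only; deliberately no outbound rule, to show stateful replies still pass.
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])


# Constructed NACLs. BROKEN forgets the stateless return path for replies.
BROKEN_NACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                         outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])
# GOOD allows replies on ephemeral ports and puts the deny BELOW the broad allow.
GOOD_NACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", "deny", number=90),
                                Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                       outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])
# MISORDERED has the same deny numbered AFTER the allow, so it never fires.
MISORDERED_NACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100),
                                      Rule("tcp", 443, 443, "198.51.100.0/24", "deny", number=110)],
                             outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])

CLIENT = Packet("203.0.113.10", "10.0.1.20", "tcp", 51515, 443)   # constructed request
BLOCKED = Packet("198.51.100.7", "10.0.1.20", "tcp", 40000, 443)  # from the denied range

if __name__ == "__main__":
    for label, nacl, pkt in [("broken", BROKEN_NACL, CLIENT), ("good", GOOD_NACL, CLIENT),
                             ("good/blocked", GOOD_NACL, BLOCKED),
                             ("misordered/blocked", MISORDERED_NACL, BLOCKED)]:
        print(f"{label:18} {trace_flow(nacl, web_sg(), pkt)}")
```

Running it shows the three behaviours the section describes: with BROKEN_NACL the request passes both layers and the reply passes the stateful security group, but is dropped at the stateless NACL because port 51515 matches no outbound rule; with GOOD_NACL the whole exchange succeeds and the blocked range is denied at rule 90 before the allow at rule 100; with MISORDERED_NACL the same deny rule is never reached because the broad allow at rule 100 matches first.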