gosphotodesign - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

AWS security groups vs. network ACLs and other AWS firewalls

Protect your AWS cloud environment with these Amazon firewall services. Learn how security groups and network ACLs work, along with other key AWS firewall options.

When you deploy cloud infrastructure and build an environment for your business, it is important to develop and implement proper security measures at the same time.

Due to AWS' shared security model, you can offload some of this security burden when you work with Amazon's cloud. AWS maintains security of its overall cloud infrastructure, while users are responsible for securing their data and applications in AWS. To deploy the appropriate protection of your data and applications, you have to understand AWS' security tools and services, such as security groups, network access control lists (ACLs), AWS Web Application Firewall (AWS WAF) and AWS Shield. This article will break down these security services and provide some strategies to help defend your cloud environment from undesired access.

AWS firewalls

Let's compare the various AWS firewall capabilities -- most notably AWS security groups vs. network ACLs, and AWS Shield vs. AWS WAF.

AWS security groups

A security group is a virtual firewall designed to protect AWS instances. It sits in front of designated instances and can be applied to EC2, Elastic Load Balancing (ELB) and Amazon Relational Database Service, among others. Security groups have distinctive rules for inbound and outbound traffic. The groups allow all outbound traffic by default and deny any traffic not expressly allowed. Security groups are also stateful, so all outbound traffic will be allowed back in.

AWS security groups are an easy-to-use defense against intrusion. To allow inbound access to your instances, simply add the IP as a rule, and you're ready to go.

AWS network ACLs

Network ACLs differ from security groups in several ways. First, network ACLs do not protect individual instances; they cover entire subnets. Network ACLs provide wide net protection that can encompass lots of resources at the same time. They are stateless and require you to clearly and properly define rules for both inbound and outbound traffic; otherwise, you might have connection issues within your environment.

When it comes to AWS security groups vs. network ACLs, the latter are great for tightening the overall security of a logical section in your infrastructure. For example, one may have access to your development subnet, but your production subnet access will be much more strict. Also, some network familiarity is necessary, since network ACLs are not as easy to work with. The default network ACL on AWS allows all traffic to go through.


AWS WAF is a firewall that protects your applications by allowing or blocking specific access, and also by stopping common attack patterns. You can define various customizable security rules through the service. For example, you can block a request originating from a specific country or one in which the header matches a desired set of external request patterns. WAF is commonly used with Application Load Balancing, Amazon CloudFront and API Gateway, among others.

AWS Shield

AWS Shield is a managed service designed to protect you from distributed denial of service (DDoS) attacks. AWS Shield offers two service tiers -- its free Standard infrastructure network and transport layer protection and its paid Advanced service, which includes more detailed protection, integration with AWS WAF and access to a 24/7 AWS DDoS response team.

AWS Firewall Manager

AWS Firewall Manager is a tool with which you can centralize security rules. It works with both AWS WAF and Shield and is designed to support multiple AWS accounts through its integration with AWS Organizations. With Firewall Manager, you can deploy new rules across multiple AWS environments instead of having to manually configure everything.

How to set an AWS firewall strategy

Now that you're familiar with the basics of AWS security groups vs. network ACLs and the other AWS firewall options, it's time to come up with a firewall security strategy. There are multiple issues to consider. Not only do you want to prevent undesired exploits from reaching your servers, you also want to create a system that catches this unwanted traffic as soon as possible.

Unwanted traffic will first hit your environment's border firewall -- this can be a WAF or a security group in front of an ELB -- before penetrating your environment, going through your subnets, and ultimately reaching your instances. Set your firewalls to allow only necessary traffic inside your AWS environment and block everything else. And think carefully about where to place your firewalls and their respective rules.

For example, if you place your firewall rules in front of your EC2 instance, malicious traffic will still be allowed to enter your cloud environment. Your internal network can suffer the full force of the attack, causing issues with your infrastructure, which will damage your business. It is critical to consider your cloud architecture and implement detailed security measures at multiple layers to prevent this.

In addition, you must control not only your data ingress, but your data egress as well. A network address translation gateway can come in handy here since it can initiate a connection between a private subnet and the public internet, without allowing the internet to initiate any connection to your instances. VPC Flow Logs can also be helpful, since this enables visibility into unauthorized -- and authorized, when necessary -- network connections.

You should also consider host-based options. Even though Amazon services provide some protection, you can strengthen overall security by running iptables or third-party Intrusion Detection and Intrusion Prevention systems from providers such as Trend Micro and Alert Logic.

Next Steps

How to create Amazon EC2 security groups

Dig Deeper on AWS security