Security groups are stateful firewalls at the instance/ENI level. Network ACLs (NACLs) are stateless subnet-level filters—use SGs for most rules; NACLs for coarse subnet guardrails.
Security group rules
- Inbound — allow SSH (22) only from your IP for learning
- Outbound — often all traffic allowed by default
- Stateful — return traffic automatically allowed
- Reference other SGs (e.g. ALB SG → app SG on port 8000)
NACL basics
Numbered rules are evaluated in ascending order and the first match wins; because a NACL is stateless, return traffic (replies to ephemeral ports) must be allowed explicitly in the opposite direction. The default VPC NACL allows all traffic; custom deny rules can block IP ranges at the subnet edge.
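The ordered, stateless evaluation described above, as an added example (not code from the original notes): a small model of a NACL that walks its numbered rules in order and falls through to the implicit deny. The rule numbers, ports and CIDRs are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the helper names are my own.

```python
# Added example, not from the original notes: a small model of how a network
# ACL evaluates its numbered, stateless rules. Rule numbers, CIDRs and ports
# below are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real networks).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # NACL rules are evaluated in ascending number order
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound


def evaluate(rules, protocol, port, ip):
    """Return (verdict, rule_number) for one packet.

    The first rule that matches protocol, port and CIDR wins; later rules are
    never consulted. If nothing matches, the implicit '*' rule at the end of
    every NACL denies the packet.
    """
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.action, rule.number
    return "deny", None


def ssh_round_trip(inbound, outbound, client_ip, client_port=50000):
    """Check both halves of an SSH connection through a stateless NACL.

    Inbound: the client's SYN to port 22. Outbound: the instance's reply to
    the client's ephemeral port. A stateful security group allows the reply
    automatically; a NACL only allows it if an outbound rule matches.
    """
    request, _ = evaluate(inbound, "tcp", 22, client_ip)
    reply, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return request, reply


# Constructed rule sets (hypothetical, not copied from any account).
INBOUND = [
    NaclRule(100, "allow", "tcp", 22, 22, "203.0.113.0/24"),    # SSH from an office range
    NaclRule(110, "deny", "-1", 0, 65535, "198.51.100.0/24"),   # blocked range, any protocol
    NaclRule(120, "allow", "tcp", 443, 443, "0.0.0.0/0"),       # HTTPS from anywhere
]
OUTBOUND_NO_EPHEMERAL = [
    NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),       # only outbound HTTPS
]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    NaclRule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),    # replies to client ephemeral ports
]

if __name__ == "__main__":
    print(ssh_round_trip(INBOUND, OUTBOUND_NO_EPHEMERAL, "203.0.113.10"))    # ('allow', 'deny')
    print(ssh_round_trip(INBOUND, OUTBOUND_WITH_EPHEMERAL, "203.0.113.10"))  # ('allow', 'allow')
    print(evaluate(INBOUND, "tcp", 443, "198.51.100.7"))                     # ('deny', 110)
```

The third call shows why order matters: rule 110 denies the blocked range before rule 120's allow-all-HTTPS is ever reached. The first two calls show the stateless pitfall from the notes: the SSH request is allowed inbound, but the reply is dropped until an outbound rule covers the client's ephemeral port range.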
List security groups
aws ec2 describe-security-groups \
--query 'SecurityGroups[].{Id:GroupId,Name:GroupName,VpcId:VpcId}' \
--output table
Practice: Create S3 buckets and VPC resources only in a sandbox account. Use globally unique bucket names; empty and delete buckets when finished.
Least exposure
Never open SSH (22) or RDP (3389) to 0.0.0.0/0 in production. Use Session Manager or bastion with tight SG rules. See Cybersecurity for hardening patterns.
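To check the rule above against what the List security groups command returns, and to show why SG-to-SG references (such as the ALB SG to app SG rule in the list earlier) are not exposure, here is an added audit script that is not part of the original notes. It parses the JSON shape of `aws ec2 describe-security-groups --output json` and flags any rule that exposes SSH or RDP to 0.0.0.0/0 or ::/0, including the easy-to-miss cases of an all-protocol (`-1`) rule and a port range that happens to include 22. The group ids, names, VPC id and CIDRs in the sample are constructed placeholders, and the function names are my own.

```python
# Added example, not from the original notes: audit describe-security-groups
# output for SSH/RDP exposed to the whole internet. The sample below is
# constructed to match the shape of `aws ec2 describe-security-groups
# --output json`; the group ids, names, VPC id and CIDRs are placeholders.
import json
import sys

WATCHED_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

SAMPLE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0example0web",
            "GroupName": "web-alb",
            "VpcId": "vpc-0example000",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0example0app",
            "GroupName": "app",
            "VpcId": "vpc-0example000",
            "IpPermissions": [
                # app port reachable only from the ALB's security group, not from a CIDR
                {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0example0web"}]},
            ],
        },
        {
            "GroupId": "sg-0example0bad",
            "GroupName": "legacy-admin",
            "VpcId": "vpc-0example000",
            "IpPermissions": [
                # all protocols and ports from anywhere: covers both 22 and 3389
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # a port range that quietly includes 22, open to all of IPv6
                {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            ],
        },
    ]
}


def permission_covers_port(perm, port):
    """True if a single IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True  # all protocols and all ports
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_cidrs(perm):
    """CIDRs in this entry that mean 'anyone on the internet'. Rules that
    reference another security group (UserIdGroupPairs) never count."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_world_open_admin_ports(response):
    """Return sorted (GroupId, service, port, cidr) tuples for every rule that
    exposes SSH or RDP to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            for cidr in world_cidrs(perm):
                for port, service in WATCHED_PORTS.items():
                    if permission_covers_port(perm, port):
                        findings.append((sg["GroupId"], service, port, cidr))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no stdin to audit the built-in sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for group_id, service, port, cidr in find_world_open_admin_ports(data):
        print(f"{group_id}: {service} ({port}/tcp) open to {cidr}")
```

Run as `aws ec2 describe-security-groups --output json | python3 audit_sg.py` (file name is yours to choose) to audit a real account; with no piped input it audits the constructed sample, where only the legacy-admin group is reported. The web group's port 443 rule and its office-only port 22 rule are not findings, and the app group's rule is skipped entirely because its source is another security group rather than a CIDR.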
Important interview questions and answers
- Q: Stateful vs stateless?
A: SG tracks connection state; NACL does not, so return paths need an explicit allow in the NACL.
- Q: SG vs NACL scope?
A: SG attaches to ENI/instance; NACL attaches to subnet.
Self-check
- Why restrict SSH to your IP instead of 0.0.0.0/0?
- What does stateful mean for a security group?
Pitfall: Confusing stateful SG with stateless NACL—return traffic rules differ.
Interview prep
- Stateful SG?
Return traffic automatically allowed for established connections.
- SSH best practice?
Restrict port 22 to known IPs—never 0.0.0.0/0 in production.