This course introduces the AWS Network and Application Protection services relevant to the AWS Certified Security - Specialty (SCS-C02) exam.
- Describe how to implement authorization controls via network access control lists (NACLs) and security groups
- Understand the process of securing network connectivity and data in transit with encryption
- Implement secure connections to AWS using VPNs and Direct Connect
- Explain how to use AWS Network Firewall and AWS Firewall Manager to secure VPCs
- Understand how AWS WAF and Shield can be used to protect web applications
- Describe how to leverage Amazon CloudFront and Amazon Route 53 when securing connections to web applications
If you have been working with VPCs for any length of time, you will have come across AWS Network Access Control Lists, also known as NACLs. These can be considered a way of authorizing network packets to enter and leave different parts of your VPC. Operating at the network layer, NACLs provide a rule-based security feature for permitting ingress and egress traffic at the protocol and subnet level. In other words, NACLs monitor and filter traffic moving in and out of your subnet, either allowing or denying it depending on the rules you define.
NACLs can be attached to one or more subnets within your virtual private cloud. If you haven't created a custom NACL, then your subnets will automatically be associated with your VPC's default NACL, and in this instance, the default allows all traffic to flow in and out of the network, as opposed to denying it.
The rule set itself is very simple. It has both an inbound and an outbound list of rules, and each rule is made up of just six fields, these being:
- Rule Number: NACL rules are evaluated in ascending order. When a network packet is received, each rule is checked from the lowest number upwards until a match is found, and that rule's action is applied. For this reason, you'll want to sequence your rules carefully with an organized numbering system. I would suggest that you leave a gap of at least 50 between each of your rules so that you can easily slot new rules into the sequence later if it becomes necessary.
- Type: this dropdown list allows you to select from a list of common protocol types, including SSH, RDP, HTTP, and POP3. You can alternatively specify custom protocols, such as varieties of ICMP.
- Protocol: depending on your choice of ‘Type’, the protocol option may be grayed out. For custom rules, such as custom TCP or UDP rules, you provide the value yourself.
- Port Range: If you create a custom rule, you'll need to specify the port range for the protocol to use.
- Source: this can be a network or subnet range (a CIDR block), a specific IP address, or left open to traffic from anywhere.
- Allow/Deny: Each rule must include an action specifying whether to Allow or Deny the traffic that meets the parameters of the rule.
So NACLs are not used to authorize an identity as such; instead, they effectively authorize the network packet itself to enter or leave a specific subnet. It's important to note that NACLs are stateless: the outbound list is evaluated independently of the inbound list, so when creating your rules you'll need an outbound reply rule that permits the responses to the inbound requests you have allowed.
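The two points above, ascending first-match evaluation and statelessness, are easiest to see by running a small model of the evaluation logic. The following Python is an added illustration written for this page, not code from the course or from AWS. It assumes the semantics described in the text: rules are checked lowest number first, the first match decides, and the final catch-all rule (shown as `*` in the console, given a sentinel number here) denies whatever is left. The rule sets, addresses (taken from the RFC 5737 documentation ranges) and the ephemeral port 51000 are constructed sample data; the ICMP type/code fields are not modelled.

```python
"""Model of how an AWS network ACL evaluates packets (added example, not course code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    number: int     # evaluation order; rules are checked lowest number first
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str       # Source for inbound rules, Destination for outbound rules
    action: str     # "allow" or "deny"

    def matches(self, proto: str, port: int, addr: str) -> bool:
        proto_ok = self.protocol in ("-1", proto)
        port_ok = self.port_from <= port <= self.port_to
        addr_ok = ip_address(addr) in ip_network(self.cidr)
        return proto_ok and port_ok and addr_ok


# The console's '*' rule has no number; a sentinel above the real maximum stands in for it.
DEFAULT_DENY = Rule(32768, "-1", 0, 65535, ANY, "deny")


def evaluate(rules, proto: str, port: int, addr: str):
    """Return (action, rule_number) of the first matching rule in ascending order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, addr):
            return rule.action, rule.number
    return DEFAULT_DENY.action, DEFAULT_DENY.number


# Constructed sample rule sets, numbered in steps of 50 so new rules can be inserted later.
INBOUND = [
    Rule(100, "tcp", 443, 443, ANY, "allow"),             # HTTPS from anywhere
    Rule(150, "tcp", 22, 22, "203.0.113.0/24", "allow"),  # SSH only from the admin range
    Rule(200, "tcp", 22, 22, ANY, "deny"),                # explicit deny for SSH from elsewhere
]
OUTBOUND_FORGOTTEN = []                                  # stateless mistake: no reply rule at all
OUTBOUND = [Rule(100, "tcp", 1024, 65535, ANY, "allow")]  # replies go to the client's ephemeral port


def https_request_allowed(outbound) -> bool:
    """Client 198.51.100.7 connects to port 443; the server's reply goes back to client port 51000.

    Both directions must be allowed independently because the NACL keeps no connection state.
    """
    request = evaluate(INBOUND, "tcp", 443, "198.51.100.7")
    reply = evaluate(outbound, "tcp", 51000, "198.51.100.7")
    return request[0] == "allow" and reply[0] == "allow"


def shadowing_demo():
    """Renumber the SSH deny rule from 200 to 50 and it shadows the admin-range allow."""
    reordered = [replace(r, number=50) if r.number == 200 else r for r in INBOUND]
    admin = "203.0.113.10"
    return evaluate(INBOUND, "tcp", 22, admin), evaluate(reordered, "tcp", 22, admin)


if __name__ == "__main__":
    print("HTTPS works with reply rule:   ", https_request_allowed(OUTBOUND))
    print("HTTPS works without reply rule:", https_request_allowed(OUTBOUND_FORGOTTEN))
    print("SSH from admin range (original, renumbered):", shadowing_demo())
    print("UDP 53 hits the catch-all:", evaluate(INBOUND, "udp", 53, "198.51.100.7"))
```

The second scenario is the one that catches people out in practice: the inbound rule looks correct, the connection is simply never answered, and nothing in the security group explains it because the drop happened at the subnet boundary. Checking both lists for every flow you expect is the habit the statelessness of NACLs demands.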
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.