1. VPC Network ACLs (NACLs)

Control inbound and outbound traffic to and from subnets in a VPC.

1. It operates at Layer 3 (Network) and Layer 4 (Transport)
2. There are two Types of it.
   • Inbound ACL: Specifies which traffic can enter the subnet.
   • Outbound ACL: Specifies which traffic can leave the subnet.:
3. Key Features
   • Stateless: Each request is evaluated individually, so responses must also be explicitly allowed.
   • Rule Order: Rules are evaluated in the order they are listed, and the first matching rule is applied.
4. When to Use
   • Use VPC NACLs for controlling network traffic at the subnet level, especially for use cases where stateless filtering is required, or to provide an additional layer of security for your VPC.

2. S3 ACLs

There are two main types of ACLs to control access to Amazon S3 buckets and objects:

1. Bucket ACLs – Specify permissions for the S3 bucket itself.
2. Object ACLs – Specify permissions for individual objects within a bucket.

3. AWS WAF Web ACLs

Control and filter HTTP and HTTPS requests to web applications.

1. Operates at Layer 7 (Application layer)
2. Supports allow, block, and count actions
3. Can filter traffic based on: IP addresses, HTTP headers, URI strings and SQL injection and XSS patterns

When to Use

1. To protect web applications from common web attacks
2. To block malicious IPs or bots
3. To implement rate limiting and request filtering

4. Difference between Security Groups and NACL

In AWS VPC, Security Groups and Network ACLs

• Both act as virtual firewalls.
• Both operate at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model. They filter traffic based on IP addresses (Layer 3) and ports/protocols (Layer 4).

1. Security Groups
   • Security Groups operate at the instance level and are stateful, which means if inbound traffic is allowed, the return traffic is automatically allowed.
   • They support allow rules only, and all rules are evaluated together, instead in order.
   • Because of this simplicity and flexibility, Security Groups are the primary and recommended way to control access to EC2 instances.
2. Network ACL
   • Network ACLs operate at the subnet level and are stateless, which means you must explicitly allow both inbound and outbound traffic. NACLs support both allow and deny rules, and rules are processed sequentially based on rule number.
   • NACLs act as the first line of defense by filtering traffic at the subnet boundary before it reaches the instances and their Security Groups.

In practice, Security Groups are used for fine-grained instance protection, while NACLs are used for broad, subnet-level controls. Together, they provide layered security in a VPC.

5. EFS Access Control

Amazon EFS access can be controlled using two main mechanisms:

1. POSIX ACLs – traditional file system permissions for files and directories, based on users and groups.
2. EFS Access Points – entry points into an EFS file system with enforced permissions and user/group context.

6.Question

A company runs multiple applications on Amazon EC2 instances in a VPC. Application A runs in a private subnet that has a custom route table and network ACL. Application B runs in a second private subnet in the same VPC.

The company needs to prevent Application A from sending traffic to Application B.

Which solution will meet this requirement?

1. Add a deny outbound rule to a security group that is associated with Application A. Configure the rule to prevent Application B from sending traffic to Application A.
2. Add a deny outbound rule to a security group that is associated with Application A. Configure the rule to prevent Application A from sending traffic to Application B.
3. Add a deny outbound rule to the custom network ACL for the Application B subnet. Configure the rule to prevent Application B from sending traffic to IP addresses that are associated with the Application A subnet.
4. Add a deny outbound rule to the custom network ACL for the Application A subnet. Configure the rule to prevent Application A from sending traffic to IP addresses that are associated with the Application B subnet.

Answer: 4

Explanation:

1. Security groups cannot have deny rules and are stateful, so options A and B are invalid.
2. Network ACLs are stateless and support deny rules, making them suitable for explicitly blocking traffic.
3. Option 3 denies outbound traffic from Application B, which is the wrong direction. The requirement is not about stopping B → A, but A → B.
4. Adding the deny rule on the Application A subnet effectively prevents traffic from leaving Application A toward Application B, meeting the requirement.