AWS ACL (Access Control List) (25th Nov)

An Access Control List (ACL) in AWS is a set of rules used to define and manage permissions for resources within AWS services.

AWS provides different types of ACLs depending on the service. Each ACL is used to define who can access resources and what actions they are permitted to take.

1. S3 ACLs

There are two main types of ACLs to control access to Amazon S3 buckets and objects:

  1. Bucket ACLs – Specify permissions for the S3 bucket itself.
  2. Object ACLs – Specify permissions for individual objects within a bucket.

2. VPC Network ACLs (NACLs)

Network ACLs control inbound and outbound traffic to and from subnets in a VPC (Virtual Private Cloud). Each NACL has two sets of rules:

  1. Inbound rules: Specify which traffic can enter the subnet.
  2. Outbound rules: Specify which traffic can leave the subnet.

Key Features

  1. Stateless: Each packet is evaluated on its own, with no memory of earlier packets, so the return traffic of an allowed connection must also be explicitly allowed by a rule in the opposite direction (typically on the ephemeral port range).
  2. Rule Order: Rules are evaluated in ascending order of rule number, and the first matching rule is applied; later rules are not considered, and a packet that matches no rule is denied by the implicit final rule.

When to Use

Use VPC NACLs for controlling network traffic at the subnet level, especially for use cases where stateless filtering is required, or to provide an additional layer of security for your VPC.


3. EFS Access Control

Amazon EFS access can be controlled using two main mechanisms:

  1. POSIX ACLs – traditional file system permissions for files and directories, based on users and groups.
  2. EFS Access Points – entry points into an EFS file system with enforced permissions and user/group context.

4. SQS Queue ACLs

  1. Control who can send or receive messages from an SQS (Simple Queue Service) queue.
  2. Use SQS ACLs when you need to control access to your SQS queues, especially when sharing queues across AWS accounts.

5. Difference between Security Groups and NACL

  1. Security Groups: Stateful, applied at the instance level, evaluates rules cumulatively, and only allows traffic (no explicit deny).
  2. Network ACLs (NACLs): Stateless, applied at the subnet level, evaluates rules sequentially, and can allow or deny traffic.
  3. Use Case: Security Groups control instance access, while NACLs provide broader traffic filtering at the subnet level.


Question: A company runs multiple applications on Amazon EC2 instances in a VPC. Application A runs in a private subnet that has a custom route table and network ACL. Application B runs in a second private subnet in the same VPC.

The company needs to prevent Application A from sending traffic to Application B.

Which solution will meet this requirement?

  1. Add a deny outbound rule to a security group that is associated with Application A. Configure the rule to prevent Application B from sending traffic to Application A.
  2. Add a deny outbound rule to a security group that is associated with Application A. Configure the rule to prevent Application A from sending traffic to Application B.
  3. Add a deny outbound rule to the custom network ACL for the Application B subnet. Configure the rule to prevent Application B from sending traffic to IP addresses that are associated with the Application A subnet.
  4. Add a deny outbound rule to the custom network ACL for the Application A subnet. Configure the rule to prevent Application A from sending traffic to IP addresses that are associated with the Application B subnet.

Answer:

4. Add a deny outbound rule to the custom network ACL for the Application A subnet. Configure the rule to prevent Application A from sending traffic to IP addresses that are associated with the Application B subnet.

Explanation:

  1. Security groups cannot have deny rules and are stateful, so options 1 and 2 are invalid.
  2. Network ACLs are stateless and support deny rules, making them suitable for explicitly blocking traffic.
  3. Adding the deny rule on the Application A subnet effectively prevents traffic from leaving Application A toward Application B, meeting the requirement.
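The following Python model is an added illustration, not AWS code and not part of the original notes. It reproduces the two evaluation behaviours the notes describe: a stateless network ACL whose numbered rules are walked in ascending order with the first match deciding and an implicit final deny, next to a stateful security group that only holds allow rules and automatically admits the return traffic of a flow it already allowed. The subnet CIDRs (10.0.1.0/24 for Application A, 10.0.2.0/24 for Application B), hosts, ports and rule numbers are constructed for the example; the scenario functions at the end model the question's answer (a deny outbound rule on the Application A subnet's NACL) and show why the rule number matters.

```python
"""Toy evaluator for AWS VPC traffic filtering as described in the notes:
stateless network ACL (ordered, first match wins, explicit deny allowed)
versus stateful security group (allow-only, return traffic admitted).
Added illustration, not AWS code; all addresses and rule numbers are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PROTOCOLS = "-1"  # same convention as the AWS console/CLI: -1 means every protocol


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    protocol: str   # "tcp", "udp", ...
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int            # NACLs evaluate rules in ascending number; ignored by security groups
    action: str            # "allow" or "deny" (security groups only ever use "allow")
    cidr: str              # remote CIDR the rule applies to
    protocol: str = ALL_PROTOCOLS
    port_from: int = 0
    port_to: int = 65535

    def matches(self, remote_ip: str, protocol: str, port: int) -> bool:
        in_cidr = ip_address(remote_ip) in ip_network(self.cidr)
        proto_ok = self.protocol in (ALL_PROTOCOLS, protocol)
        return in_cidr and proto_ok and self.port_from <= port <= self.port_to


def nacl_decision(rules, remote_ip, protocol, port):
    """Stateless: walk rules by number, first match decides; the implicit
    '*' rule at the end denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, protocol, port):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: rule order is irrelevant, and a packet that
    belongs to a flow already allowed in the other direction is admitted."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._allowed_flows = set()  # (local_port, remote_ip, remote_port, protocol)

    @staticmethod
    def _rule_allows(rules, remote_ip, protocol, port):
        return any(r.matches(remote_ip, protocol, port) for r in rules)

    def outbound_decision(self, pkt, src_port):
        if self._rule_allows(self.outbound, pkt.dst, pkt.protocol, pkt.dst_port):
            self._allowed_flows.add((src_port, pkt.dst, pkt.dst_port, pkt.protocol))
            return "allow"
        return "deny"

    def inbound_decision(self, pkt, src_port):
        # Reply to a flow this instance opened: no inbound rule needed.
        if (pkt.dst_port, pkt.src, src_port, pkt.protocol) in self._allowed_flows:
            return "allow"
        allowed = self._rule_allows(self.inbound, pkt.src, pkt.protocol, pkt.dst_port)
        return "allow" if allowed else "deny"


# Constructed scenario matching the question: App A and App B in two private subnets.
APP_B_SUBNET = "10.0.2.0/24"
APP_A_HOST, APP_B_HOST = "10.0.1.10", "10.0.2.20"
EPHEMERAL_PORT = 40123  # constructed client-side port for the reply packets below


def a_can_reach_b(deny_rule_number):
    """Custom NACL on the App A subnet: the usual allow-all outbound rule at
    100 plus a deny toward the App B subnet at the given rule number."""
    rules = [Rule(100, "allow", "0.0.0.0/0"), Rule(deny_rule_number, "deny", APP_B_SUBNET)]
    return nacl_decision(rules, APP_B_HOST, "tcp", 443) == "allow"


def reply_survives_nacl(inbound_rules):
    """App A opens a connection to App B (allowed outbound); because the NACL is
    stateless, B's reply is judged only against the inbound rules given here."""
    request_ok = nacl_decision([Rule(100, "allow", "0.0.0.0/0")], APP_B_HOST, "tcp", 443) == "allow"
    reply = Packet(src=APP_B_HOST, dst=APP_A_HOST, protocol="tcp", dst_port=EPHEMERAL_PORT)
    reply_ok = nacl_decision(inbound_rules, reply.src, reply.protocol, reply.dst_port) == "allow"
    return request_ok and reply_ok


def reply_survives_security_group():
    """Same exchange through a security group with no inbound rules at all:
    the reply is admitted because the group remembers the outbound flow."""
    sg = SecurityGroup(inbound=[], outbound=[Rule(100, "allow", "0.0.0.0/0")])
    request = Packet(src=APP_A_HOST, dst=APP_B_HOST, protocol="tcp", dst_port=443)
    reply = Packet(src=APP_B_HOST, dst=APP_A_HOST, protocol="tcp", dst_port=EPHEMERAL_PORT)
    return (sg.outbound_decision(request, src_port=EPHEMERAL_PORT) == "allow"
            and sg.inbound_decision(reply, src_port=443) == "allow")


if __name__ == "__main__":
    print("deny at rule 90 blocks A -> B:", not a_can_reach_b(90))
    print("deny at rule 200 is shadowed by allow 100:", a_can_reach_b(200))
    print("NACL with no inbound ephemeral rule drops the reply:", not reply_survives_nacl([]))
    print("security group admits the reply statefully:", reply_survives_security_group())
```

Two points the model makes concrete: the deny rule from the answer only works if its rule number is lower than the existing allow-all rule (a deny numbered 200 behind an allow at 100 never matches), and a stateless NACL needs an inbound allow on the ephemeral port range for replies that a security group would admit automatically. In the real service the same deny rule would be created with the AWS CLI as: aws ec2 create-network-acl-entry --network-acl-id acl-EXAMPLE --rule-number 90 --protocol -1 --rule-action deny --egress --cidr-block 10.0.2.0/24 (the ACL id is a placeholder).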