Network Security Controls
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- Stateful vs stateless: the model behind every control
- AWS Network Firewall: when SGs and NACLs run out
- Hybrid connectivity: VPN, Direct Connect, and MACsec
- Zero-trust app access with AWS Verified Access
- Segmentation: subnets, route domains, and PrivateLink
- Proving least access: Network Access Analyzer and Inspector
Network traffic controls compared
| Property | Security group | Network ACL | AWS Network Firewall |
|---|---|---|---|
| Attaches to | ENI (instance/LB/endpoint) | Subnet | Firewall endpoint in firewall subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (each direction needs a rule) | Stateful with Suricata flow tracking |
| Rule types | Allow only | Allow and deny, numbered order | Allow, deny, and alert; stateless + stateful groups |
| Filters on | IP, port, protocol | IP, port, protocol | IP, port, protocol, FQDN, deep packet inspection |
| Ephemeral ports | Handled automatically | Must open 1024-65535 for return | Tracked by the flow table |
| Typical use | Per-resource allowlist | Subnet-edge coarse deny or defense in depth | Central egress/FQDN filtering and IPS |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
- CLF-C02 AWS Certified Cloud Practitioner
- SAA-C03 AWS Certified Solutions Architect – Associate
- SAP-C02 AWS Certified Solutions Architect - Professional
- SAP-C02 AWS Certified Solutions Architect - Professional
- AZ-104 Microsoft Azure Administrator
- SY0-701 CompTIA Security+
- CISSP Certified Information Systems Security Professional