Network ACLs (NACLs) versus Security Groups (SGs) [Cheat Sheet]

Security Groups (SGs) and NACLs in AWS cheat sheet

To control the flow of data in and out of your VPCs and Subnets in AWS, you can use Network Access Control Lists (NACLs), Security Groups (SGs), or both.

But when should you use which? Let’s take a quick look.

Keeping threats out

As a general rule of thumb, you should always use Security Groups. They’re applied directly to hosts, like web servers or database instances, which means they’re one of the last layers of defense.

With that said, you typically want to block threats as far away from your important resources/data as you can. So ideally, you’d want to block threats before they even get near your hosts. That’s where NACLs step in because they’re applied at the subnet level and they can look at every request going in or out of a subnet.

That means NACLs can block broad ranges of sources/destinations that you know should never be allowed in or out of a subnet, while SGs can block with much more specificity depending on the resource they’re designed to protect.

Containing threats

Oftentimes, people talk about keeping threats outside of the VPC using these security controls, but what if a threat makes it through? You can also use these controls for containment and isolation:

  • Amazon VPCs provide network isolation for a group of subnets
  • NACLs provide subnet-based containment
  • Security groups provide host-based containment

This cheat sheet explains that and a lot more, so save it as a reference guide!

NACLs vs Security Groups Cheat Sheet from Cybr

There’s a lot more to security groups and NACLs. If you’d like to learn more, check out our Introduction to AWS Security course!

Want more cheat sheets like this? Check them out here.

Related Articles


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.