A security group operates at the instance level and holds allow rules only.
The relationship between security groups and instances is many-to-many: an instance can belong to several security groups at once, so rules can be composed by attaching more than one group, and each security group's own rule set can be kept as simple as possible.
A security group in EC2-Classic controls inbound traffic only; in a VPC it controls both inbound and outbound traffic.
A network ACL is a virtual firewall at the subnet level (it controls both inbound and outbound traffic); its rules are evaluated in number order and the first matching rule decides.
| Security Group | Network ACL |
|---|---|
| Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense) |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group) |
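The stateful-versus-stateless and evaluate-all-versus-first-match rows are where most real NACL mistakes come from, so here is an added example (my own toy simulator, not AWS code and not from the original post) that judges the same SSH handshake with both mechanisms. The `Packet`/`Rule` classes, the addresses 203.0.113.5 and 10.0.1.10, and all rule numbers are constructed for illustration; the 1024-65535 range is the ephemeral-port range AWS documentation uses for NACL return-traffic rules.

```python
"""Toy simulator of how a security group (stateful, allow-only, every rule
evaluated) and a network ACL (stateless, numbered, first match wins) judge the
same packets.  Added example: not AWS code; addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance/subnet, "out" = leaving it
    proto: str       # "tcp", "udp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        """5-tuple of the return traffic for this packet."""
        return Packet("out" if self.direction == "in" else "in", self.proto,
                      self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str              # remote side: source for inbound, destination for outbound
    action: str = "allow"  # security groups only ever hold "allow"
    number: int = 0        # NACL rule number; ignored by security groups

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.proto != pkt.proto:
            return False
        remote_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        return (self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful and allow-only: all rules are evaluated, order is irrelevant,
    and return traffic for an admitted flow is allowed regardless of rules."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot hold deny rules")
        self.rules = list(rules)
        self.flows = set()   # packets admitted by a rule (the connection table)

    def evaluate(self, pkt: Packet) -> str:
        if pkt.reverse() in self.flows:
            return "allow"   # reply to a tracked flow: no rule consulted
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(pkt)
            return "allow"
        return "deny"


class NetworkAcl:
    """Stateless: rules are tried in number order, the first match decides,
    and the implicit '*' rule at the end denies everything else."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


# Constructed scenario: an admin workstation opens SSH to an instance in 10.0.1.0/24.
CLIENT, INSTANCE = "203.0.113.5", "10.0.1.10"
SYN = Packet("in", "tcp", CLIENT, 51000, INSTANCE, 22)
SYN_ACK = SYN.reverse()   # instance:22 -> client:51000, leaving the subnet

INBOUND_SSH = Rule("in", "tcp", 22, 22, "203.0.113.0/24", "allow", 100)
OUTBOUND_EPHEMERAL = Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)
BLOCK_ONE_HOST = Rule("in", "tcp", 0, 65535, "203.0.113.5/32", "deny", 90)


def ssh_session(nacl_rules):
    """Verdicts (sg_in, nacl_in, sg_out, nacl_out) for the SSH SYN and its SYN-ACK.
    The security group always allows inbound 22 from the admin range."""
    sg = SecurityGroup([Rule("in", "tcp", 22, 22, "203.0.113.0/24")])
    nacl = NetworkAcl(nacl_rules)
    return (sg.evaluate(SYN), nacl.evaluate(SYN),
            sg.evaluate(SYN_ACK), nacl.evaluate(SYN_ACK))


if __name__ == "__main__":
    # NACL without an outbound ephemeral-port rule: the SG lets the reply out
    # (stateful) but the NACL drops it (stateless), so the SSH session hangs.
    print(ssh_session([INBOUND_SSH]))
    print(ssh_session([INBOUND_SSH, OUTBOUND_EPHEMERAL]))
    # Deny numbered 90 is hit before allow 100; renumber it to 110 and it is dead.
    print(ssh_session([INBOUND_SSH, OUTBOUND_EPHEMERAL, BLOCK_ONE_HOST]))
```

The first call is the classic symptom: the security group admits the SYN-ACK because it tracks the inbound flow, while the NACL has no outbound rule for the client's ephemeral port and silently drops it. The third call shows why rule numbers matter on a NACL: a deny at 90 shadows the allow at 100, whereas the same deny at 110 is never reached.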
A very clear diagram (image missing from this copy):
You can create an IAM role for managing the VPC; its policy can be locked down to the resource level, and almost every VPC-related action can be restricted this way, for example allowing instances to be launched only in one particular subnet.
Carve out separate dev and test subnets and give the dev account and the test account different permissions on them.
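As an added example of the subnet lock-down described above (my own illustration, not the post's code or an AWS artifact), the policy below would be attached to the dev role, and the small evaluator beside it shows why the statement has to cover every resource type. The point worth knowing is that `ec2:RunInstances` is authorized against every resource the call touches (subnet, image, instance, network interface, volume, security group, key pair), so pinning only the subnet ARN and wildcarding the rest is what confines launches to that subnet. The account id, region and subnet/security-group/AMI ids are made up, and `is_allowed` is a deliberately simplified model of IAM evaluation (explicit deny wins, otherwise every resource needs an allow) that ignores conditions, SCPs, permission boundaries and resource policies.

```python
"""Added example: an IAM policy that lets a principal run instances only in one
subnet, plus a deliberately simplified evaluator to show why the other resource
ARNs must be in the same statement.  Not AWS or the post's code; the account,
region and resource IDs are made up."""
import fnmatch
import json

ACCOUNT = "123456789012"      # constructed account id
REGION = "ap-northeast-1"
DEV_SUBNET = "subnet-0aaaa"   # constructed subnet ids
TEST_SUBNET = "subnet-0bbbb"


def ec2_arn(resource_type, resource_id="*", region=REGION, account=ACCOUNT):
    return f"arn:aws:ec2:{region}:{account}:{resource_type}/{resource_id}"


def launch_only_in_subnet_policy(subnet_id):
    """ec2:RunInstances is authorized against every resource the call touches
    (subnet, image, instance, ENI, volume, security group, key pair).  Pinning
    the subnet ARN and wildcarding the rest confines launches to that subnet."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LaunchOnlyInSubnet",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    ec2_arn("subnet", subnet_id),
                    ec2_arn("instance"), ec2_arn("network-interface"), ec2_arn("volume"),
                    ec2_arn("security-group"), ec2_arn("key-pair"),
                    f"arn:aws:ec2:{REGION}::image/ami-*",   # AMI ARNs carry no account id
                ],
            },
            {"Sid": "ReadVpc", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        ],
    }


def run_instances_request(subnet_id, sg_id="sg-0ccc", key="deploy", ami="ami-0123"):
    """Resource ARNs a RunInstances call in the given subnet is checked against."""
    return [ec2_arn("subnet", subnet_id), ec2_arn("instance"), ec2_arn("network-interface"),
            ec2_arn("volume"), ec2_arn("security-group", sg_id), ec2_arn("key-pair", key),
            f"arn:aws:ec2:{REGION}::image/{ami}"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resources):
    """Simplified identity-policy evaluation: a matching Deny wins outright,
    otherwise every requested resource needs a matching Allow (default deny).
    Conditions, SCPs, permission boundaries and resource policies are ignored."""
    for resource in resources:
        allowed = False
        for stmt in policy["Statement"]:
            if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                    and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
        if not allowed:
            return False
    return True


if __name__ == "__main__":
    dev_policy = launch_only_in_subnet_policy(DEV_SUBNET)
    print(json.dumps(dev_policy, indent=2))
    print(is_allowed(dev_policy, "ec2:RunInstances", run_instances_request(DEV_SUBNET)))
    print(is_allowed(dev_policy, "ec2:RunInstances", run_instances_request(TEST_SUBNET)))
```

A second copy of the policy built with `TEST_SUBNET` is what the test role would carry; the two roles then differ only in the subnet ARN, which is the dev/test split the note describes. In a real account, verify the effect with the IAM policy simulator rather than trusting a model like this one.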