AWS Security Components: Security Groups vs Network ACLs, WAF, Trusted Advisor
AWS gives you a layered set of security components, and CLF-C02 expects you to know exactly what each one does and where it sits. The single most-tested comparison in this area is security group vs network ACL: one is a stateful firewall at the instance level, the other a stateless filter at the subnet level, and the exam probes that distinction relentlessly. Above both sits AWS WAF, a web application firewall that inspects HTTP(S) traffic at layer 7 to block attacks like SQL injection and cross-site scripting. When AWS-native tools are not enough, AWS Marketplace offers third-party security products from established vendors. And when you need answers or a health check, AWS publishes security guidance through the Knowledge Center, the Security Blog, and its security resource pages, while AWS Trusted Advisor automatically scans your account for risky configurations. This lesson covers every one of these components — what it is, what layer it protects, and how the exam tests it.
On this page8 sections
- One goal, three layers: where each security component sits
- Security groups: stateful firewalls at the instance level
- Network ACLs: stateless guardrails at the subnet level
- Security group vs network ACL: the comparison you must memorize
- AWS WAF: protecting web applications at layer 7
- Third-party security products on AWS Marketplace
- Where to find AWS security information
- AWS Trusted Advisor: finding security issues before attackers do
- Compare security groups and network ACLs across scope, statefulness, rule types, evaluation order, and defaults
- Describe what AWS WAF protects against and which resources a web ACL can attach to
- Identify AWS Marketplace as the source for third-party security products and name common categories
- Locate AWS security information in the Knowledge Center, AWS security resources, and the AWS Security Blog
- Explain how AWS Trusted Advisor security checks identify issues such as open security groups and missing root MFA
- Choose the correct control — security group, network ACL, or AWS WAF — for a given threat scenario
One goal, three layers: where each security component sits
Every component in this task answers the same question — "how do I control what reaches my resources?" — but each answers it at a different layer. Network ACLs stand at the edge of a subnet and filter traffic entering or leaving that entire network segment. Security groups wrap an individual instance (technically its elastic network interface) and decide which connections may reach that specific resource. AWS WAF operates higher still, at layer 7 of the OSI model, reading the content of HTTP and HTTPS requests to spot malicious patterns that a port-based firewall can never see.
Keeping the layers straight is the fastest way to answer exam questions. A packet destined for an EC2 instance in a VPC crosses the network ACL at the subnet boundary first, then the security group at the instance. If the application sits behind CloudFront or an Application Load Balancer with AWS WAF attached, the request is inspected at that entry point before it ever travels toward the subnet.
Use this decision list when a question describes a threat and asks for the right control:
- Block or allow traffic to one instance by port, protocol, or source → security group.
- Block a specific IP range from an entire subnet, or add an explicit deny → network ACL.
- Stop SQL injection, cross-site scripting, or other malicious web requests → AWS WAF.
- Need a capability AWS does not provide natively (for example, a specific vendor's firewall) → AWS Marketplace.
- Find out whether your account already has risky settings → AWS Trusted Advisor.
The rest of this lesson works through each layer in exam-level depth.
Security groups: stateful firewalls at the instance level
A security group is a virtual firewall that controls inbound and outbound traffic for the resources it is attached to — EC2 instances, RDS databases, load balancers, and other resources with an elastic network interface. It operates at the instance (ENI) level, not the subnet level, so two instances in the same subnet can have completely different security groups and therefore completely different exposure.
Security groups are stateful. If you allow inbound traffic on port 443, the response traffic for that connection is automatically allowed back out — you never write a rule for return traffic. The same applies in reverse: if an instance initiates an outbound request, the reply is allowed in regardless of inbound rules. Statefulness is the number-one fact the exam checks, usually by contrasting it with the stateless behavior of network ACLs.
Security groups support allow rules only. There is no deny rule; anything not explicitly allowed is implicitly denied. Because there are no denies, there is no rule ordering to resolve — AWS evaluates all rules before deciding whether to permit traffic. A new security group starts with no inbound rules (all inbound traffic implicitly denied) and an outbound rule allowing all traffic, which you can tighten.
Two practical features are worth knowing at a foundational level. First, a rule's source can be another security group, not just an IP range — for example, "allow port 3306 only from the web-tier security group," which keeps working even as instances change addresses. Second, rule changes take effect immediately on every attached resource, making security groups the day-to-day tool for controlling instance access.
Network ACLs: stateless guardrails at the subnet level
A network access control list (network ACL, or NACL) is an optional layer of security that filters traffic at the subnet boundary. Every subnet in a VPC is associated with exactly one network ACL, and that ACL applies to all traffic entering or leaving the subnet — every instance inside inherits it automatically, whether or not its security group would have allowed the traffic.
Network ACLs are stateless: they do not track connections. If you allow inbound HTTPS on port 443, the response leaving the subnet is a separate event that must match an explicit outbound rule — typically one covering the ephemeral port range that clients use for return traffic. Forgetting the return-path rule is the classic real-world NACL mistake, and "stateless — return traffic must be explicitly allowed" is the exact phrase to anchor for the exam.
Unlike security groups, network ACLs support both allow and deny rules. This makes the NACL the only VPC-native way to explicitly block traffic — for example, denying a known-malicious IP range before it reaches anything in the subnet. Rules are numbered, and AWS evaluates them in ascending number order, applying the first rule that matches and ignoring the rest. Every NACL ends with an unnumbered rule that denies anything no other rule matched.
Defaults matter on the exam: the default network ACL that comes with your VPC allows all inbound and outbound traffic, so subnets are open at the NACL layer until you change it. A custom network ACL you create starts the opposite way — it denies everything until you add allow rules. Think of NACLs as a coarse subnet-wide guardrail and security groups as the fine-grained per-instance control.
Security group vs network ACL: the comparison you must memorize
This table is one of the highest-yield pieces of content on the entire CLF-C02 exam. Questions quote one row and ask you to identify which component it describes, or present a scenario whose answer hinges on a single row.
| Attribute | Security group | Network ACL |
|---|---|---|
| Operates at | Instance (ENI) level | Subnet level |
| State | Stateful — return traffic automatically allowed | Stateless — return traffic needs explicit rules |
| Rule types | Allow rules only | Allow and deny rules |
| Evaluation | All rules evaluated before deciding | Rules processed in number order; first match wins |
| Default behavior | New group: deny all inbound, allow all outbound | Default NACL allows all traffic; custom NACL denies all until rules are added |
| Applies to | Only resources it is explicitly attached to | Every resource in the associated subnet |
A few reasoning shortcuts follow directly from the table. If a question mentions blocking a specific IP address or range, the answer is the network ACL, because security groups cannot deny. If a question mentions return traffic being allowed "automatically," it is describing a security group. If a rule change must affect every instance in a subnet at once, that is the NACL; if it should affect only one instance, that is the security group.
Remember that the two are complementary, not alternatives. Defense in depth means traffic must pass both: the NACL at the subnet edge and the security group at the instance. A permissive default NACL with tight security groups is the common baseline; adding NACL deny rules hardens the subnet further.
AWS WAF: protecting web applications at layer 7
AWS WAF is a web application firewall. Where security groups and network ACLs make decisions from network-level facts — IP addresses, ports, protocols — AWS WAF inspects the content of HTTP and HTTPS requests: URIs, query strings, headers, cookies, and body. That layer-7 visibility is what lets it catch application attacks such as SQL injection (malicious database commands smuggled inside request parameters) and cross-site scripting (XSS) (malicious scripts injected into pages served to other users). A port-based firewall must allow port 443 for a public website, so these attacks sail straight through it; only a layer-7 inspector can tell a legitimate request from a hostile one on the same port.
You configure AWS WAF by creating a web ACL — a collection of rules that allow, block, or count matching requests. Rules can match attack signatures, rate-limit aggressive clients, filter by originating IP or country, and more. AWS and Marketplace sellers publish managed rule groups — pre-built, maintained rule sets for common threats — so you get protection without writing rules from scratch.
A web ACL attaches to the resources that terminate web traffic: Amazon CloudFront distributions, Application Load Balancers, and Amazon API Gateway APIs are the three to memorize, and AWS WAF also supports services such as AWS AppSync and Amazon Cognito user pools. Attaching WAF to CloudFront blocks bad requests at AWS edge locations, before they reach your infrastructure at all.
Keep the boundary with sibling topics clear: AWS WAF filters malicious request content; AWS Shield, covered under protection services elsewhere in this domain, addresses DDoS floods. On the exam, "SQL injection" or "cross-site scripting" in the question stem points to AWS WAF, full stop.
Third-party security products on AWS Marketplace
AWS's native tools do not cover every security need, and the exam wants you to know where to turn when they do not: AWS Marketplace, the curated digital catalog where independent software vendors list products that run on or integrate with AWS. Its security category includes thousands of offerings from established security companies as well as specialized vendors.
Typical categories you might see named in an exam option include next-generation firewalls and network security appliances (often delivered as Amazon Machine Images you launch into your VPC), endpoint protection and anti-malware agents for your instances, SIEM and log-analysis platforms, vulnerability scanners, and governance and compliance tools. Many WAF vendors also publish managed rule groups for AWS WAF through the Marketplace, layering third-party threat intelligence onto the native service.
The commercial model is part of the exam-relevant story. Marketplace products can be offered with free trials, pay-as-you-go (hourly or usage-based) pricing, annual subscriptions, or bring-your-own-license (BYOL) terms, and charges appear on your regular AWS bill — no separate vendor procurement cycle. Deployment is similarly streamlined: many products launch in minutes from a pre-configured image or SaaS listing.
For CLF-C02 you do not need vendor names or configuration detail. You need one recognition-level fact: when a question says an organization wants to use a third-party security product — its existing firewall vendor in the cloud, a commercial SIEM, an endpoint agent — the answer that sources and licenses it is AWS Marketplace.
Where to find AWS security information
Task 2.4 explicitly tests whether you know where AWS publishes security information, and the exam names the sources directly. Learn what each one is for, because questions describe a need — "a quick answer to a common question," "announcements of new security features" — and ask which resource fits.
The AWS Knowledge Center is a library of answers to the questions customers most frequently ask AWS Support, written in a question-and-answer format and now hosted on AWS re:Post, AWS's community Q&A site. When you need a short, practical answer — "how do I make my S3 bucket private?" — the Knowledge Center is the fit. It covers all of AWS, with a substantial security-focused section.
The AWS Security Blog is where AWS announces new security features and services, publishes deep-dive walkthroughs, and shares best-practice guidance from AWS security engineers. If a question describes staying current with security announcements or reading detailed how-to articles, the Security Blog is the answer.
What the exam guide calls the AWS Security Center corresponds to AWS's central security resource pages — the AWS Cloud Security site and its documentation hub. This is the umbrella destination for security whitepapers, best-practice guides, compliance information, and security bulletins, AWS's published advisories about vulnerabilities that may affect AWS services or customer workloads. Each individual service also has security-specific chapters in its own documentation.
Finally, know at a sentence's depth that AWS provides channels to report abuse — if you observe AWS resources being used for attacks, spam, or malware, you can report it to the AWS Trust & Safety team via the abuse reporting form.
AWS Trusted Advisor: finding security issues before attackers do
The final skill in this task is using AWS services to identify security issues, and the named example is AWS Trusted Advisor. Trusted Advisor continuously inspects your account and compares your configuration against AWS best practices, producing checks across several categories: cost optimization, performance, security, fault tolerance, service limits, and operational excellence. For this task, the security category is the star.
Security checks flag concrete, high-risk misconfigurations. The classics to remember: security groups with unrestricted access (rules open to 0.0.0.0/0 on risky ports), Amazon S3 buckets with open access permissions, MFA not enabled on the root account, IAM use (encouraging you to work through IAM identities rather than root), and publicly accessible EBS or RDS snapshots. Each finding is color-coded — green for no problem, yellow for investigation recommended, red for action recommended — so you triage at a glance.
The tiering rule is a reliable exam target: a core set of checks, including key security checks, is free for every AWS account, while the full set of checks unlocks with Business, Enterprise On-Ramp, or Enterprise Support plans. Note the framing that distinguishes it from sibling topics: Trusted Advisor is a best-practice configuration checker across cost, performance, and security alike — it is not a threat-detection or vulnerability-scanning service (those belong to other task statements).
Now assemble the whole toolkit around one scenario. You run a public web application: an ALB in front of EC2 instances, with a database tier behind them. You attach AWS WAF to the ALB (or a CloudFront distribution in front of it) to block SQL injection and XSS at the edge. Security groups allow only the ALB to reach the web instances on port 443, and only the web tier's security group to reach the database on its port. A network ACL on the database subnet adds a stateless guardrail and denies a hostile IP range outright. Your team's preferred IDS appliance comes from AWS Marketplace. Trusted Advisor then confirms nothing was left open, and the Security Blog and Knowledge Center keep the team current. Five components, five layers, one defense-in-depth story — exactly how the exam expects you to connect them.
Tip. CLF-C02 tests this task mostly through the security group vs network ACL comparison: expect items quoting one attribute — stateful vs stateless, instance vs subnet level, allow-only vs allow-and-deny, all-rules vs numbered first-match evaluation — and asking which component it describes, or scenarios like blocking an IP range (NACL) versus permitting one instance's port (security group). AWS WAF appears whenever a stem mentions SQL injection, cross-site scripting, or filtering HTTP requests on CloudFront, ALB, or API Gateway. Trusted Advisor questions hinge on it being the service that checks accounts against best practices, flagging open security groups, public S3 buckets, and missing root MFA, with core checks free and the full set requiring Business or Enterprise support. Finally, matching items pair a need with a resource: quick FAQ-style answers with the AWS Knowledge Center, feature announcements with the AWS Security Blog, and third-party security products with AWS Marketplace.
- Security groups are stateful instance-level firewalls with allow rules only; all rules are evaluated together.
- Network ACLs are stateless subnet-level filters with allow AND deny rules, evaluated in number order, first match wins.
- The default network ACL allows all traffic; a custom network ACL denies all traffic until you add rules.
- Only a network ACL can explicitly DENY traffic — blocking a specific IP range points to the NACL.
- AWS WAF is a layer-7 web application firewall: web ACLs on CloudFront, ALB, or API Gateway block SQL injection and XSS.
- Third-party security products (firewalls, endpoint protection, SIEM) come from AWS Marketplace, billed through your AWS bill.
- AWS Trusted Advisor security checks flag open security groups, public S3 buckets, and missing root MFA; core checks are free, the full set needs Business or Enterprise support.
- Quick answers → AWS Knowledge Center; announcements and deep dives → AWS Security Blog; whitepapers and bulletins → AWS security resource pages.
Frequently asked questions
What is the difference between a security group and a network ACL in AWS?
A security group is a stateful virtual firewall at the instance (network interface) level: it supports allow rules only, evaluates all rules before deciding, and automatically permits return traffic for allowed connections. A network ACL is a stateless filter at the subnet level: it supports both allow and deny rules, processes them in number order applying the first match, and requires explicit rules for return traffic. Traffic entering a subnet must pass the network ACL first, then the security group of the target instance. Use security groups for fine-grained per-resource control and network ACLs as a subnet-wide guardrail or to explicitly block IP ranges.
Is a security group stateful or stateless?
Security groups are stateful. When a security group allows a connection in one direction, the response traffic for that connection is automatically allowed in the other direction — you never write rules for return traffic. This is the opposite of network ACLs, which are stateless: they evaluate every packet independently, so return traffic must be explicitly permitted by outbound rules, typically covering the ephemeral port range. On the CLF-C02 exam, "stateful" is the keyword that identifies a security group and "stateless" identifies a network ACL.
What does AWS WAF protect against?
AWS WAF protects web applications against attacks carried inside HTTP and HTTPS requests — layer 7 of the OSI model. The two examples to know are SQL injection, where malicious database commands are hidden in request parameters, and cross-site scripting (XSS), where attackers inject scripts into pages served to other users. You define rules in a web ACL that allow, block, or count matching requests, and can add AWS managed rule groups for common threats. The web ACL attaches to Amazon CloudFront, an Application Load Balancer, or Amazon API Gateway, filtering requests before they reach your application.
Is AWS Trusted Advisor free to use?
Partially. Every AWS account gets a core set of Trusted Advisor checks at no charge, and that core set includes key security checks such as specific security groups with unrestricted access, S3 bucket permissions, MFA on the root account, and IAM use, plus service limit checks. The full catalog of checks across all categories — cost optimization, performance, security, fault tolerance, service limits, and operational excellence — requires a Business, Enterprise On-Ramp, or Enterprise Support plan. For the exam, remember: some security checks free for everyone, all checks with higher-tier support.
Can I buy third-party security software on AWS Marketplace?
Yes. AWS Marketplace is AWS's curated digital catalog of third-party software, and security is one of its largest categories. You can find firewalls and network security appliances, endpoint protection agents, SIEM and log-analysis platforms, vulnerability scanners, compliance tools, and managed rule groups for AWS WAF. Products are offered with flexible terms — free trials, pay-as-you-go pricing, annual subscriptions, or bring-your-own-license — and charges are consolidated onto your regular AWS bill. Many products deploy in minutes as pre-configured machine images or SaaS subscriptions.
Where can I find AWS security best practices and announcements?
Three official sources cover most needs. The AWS Knowledge Center, hosted on AWS re:Post, gives short question-and-answer style solutions to the questions customers most often ask AWS Support. The AWS Security Blog publishes announcements of new security features plus in-depth best-practice articles from AWS security engineers. AWS's central security resource pages (the AWS Cloud Security site and security documentation) collect whitepapers, compliance information, and security bulletins about vulnerabilities affecting AWS services. Each AWS service's own documentation also includes a dedicated security chapter.
Sign up free to mark lessons complete, bookmark topics and track your exam readiness.