AWS CSA-A A deeper look into Security Groups

---

In the AWS Certified Solutions Architect - Associate (SAA-CO2) course when looking at the lesson of Compute > Security Groups > A deeper look. The instructor talks about letting traffic out of an instance by adding an outbound rule. If you are running a MySQL, then you have to add both the inbound rule and the outbound rule for MySQL.
My understanding is that Security Groups are Stateful - meaning that if you allow something in, then it will automatically allow traffic out, as long as its the same request.
The Stateless part are network ACLs - where you would need to specify in both directions.

I think that I am right - from the documentation from AWS:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
"Security groups are stateful. For example, if you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules."

However, just wanted to make sure that I'm not missing something here?

@Daniel-Chambers , I hope all is well. Yes, you are correct. Take a look at the following chart, if you have not already found it on your own, as it provides a great summary of the differences between Security Groups & Network ACLs.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

If you have any other questions, please be in touch as needed.

Good Luck !!!

Cheers,

Adam

@daniel-chambers said in AWS CSA-A A deeper look into Security Groups:

In the AWS Certified Solutions Architect - Associate (SAA-CO2) course when looking at the lesson of Compute > Security Groups > A deeper look. The instructor talks about letting traffic out of an instance by adding an outbound rule. If you are running a MySQL, then you have to add both the inbound rule and the outbound rule for MySQL.
My understanding is that Security Groups are Stateful - meaning that if you allow something in, then it will automatically allow traffic out, as long as its the same request.
The Stateless part are network ACLs - where you would need to specify in both directions.

I think that I am right - from the documentation from AWS:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
"Security groups are stateful. For example, if you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules."

However, just wanted to make sure that I'm not missing something here?

I'm not sure of the entire of the thing but a little further down in the link that you provided.... you also see this...that when you first crreat a security group. Could he be referring to the initial creating of the security group?

The following are the characteristics of security group rules:

You can specify allow rules, but not deny rules.

**When you first create a security group, it has no inbound rules. Therefore, no inbound traffic is allowed until you add inbound rules to the security group.

When you first create a security group, it has an outbound rule that allows all outbound traffic from the resource. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.**