How does Security Groups differ from Network ACLs in AWS?

Security Groups (SGs) and Network Access Control Lists (NACLs) are both network security mechanisms in Amazon Web Services (AWS), but they serve different purposes and operate at different levels within the network stack. Here's how they differ:

Security Groups (SGs):

1. Operate at the Instance Level: SGs are stateful and operate at the instance level. This means that you assign SGs to individual EC2 instances, and the rules in an SG apply to inbound and outbound traffic for that specific instance.

2. Default Deny, Allow Rules: By default, an SG denies all inbound traffic and allows all outbound traffic. You add rules to explicitly permit inbound traffic. When creating rules, you define the allowed source IP addresses and port ranges.

3. Permissive by Default: When you create a new SG, it has no inbound rules, which effectively denies all incoming traffic. You must add inbound rules to specify what is allowed.

4. Rule Evaluation: SG rules are evaluated in a "first match wins" fashion. If traffic matches a rule, it is allowed. If no rules match, the default "deny all" rule applies.

5. Stateful: SGs are stateful, meaning if you allow traffic from an IP address, the return traffic from the allowed IP is automatically allowed. You don't need to create a separate outbound rule to allow responses.

6. Fewer Rules: SGs are simpler to set up because you only define rules for allowed traffic. In most cases, you need fewer rules compared to NACLs.

Network Access Control Lists (NACLs):

1. Operate at the Subnet Level: NACLs are stateless and operate at the subnet level. When you create a NACL, it applies to all instances in the associated subnet.

2. Default Allow, Deny Rules: By default, NACLs allow all inbound and outbound traffic. You add rules to explicitly deny or allow traffic. NACLs have separate inbound and outbound rules.

3. Permissive by Default: When you create a new NACL, it has no rules, which means all traffic is allowed. You must add rules to restrict traffic.

4. Rule Evaluation: NACL rules are evaluated in a top-down order, with rules applied in the order they appear in the rule list. The first rule that matches the traffic determines whether it is allowed or denied.

5. Stateless: NACLs are stateless, meaning that if you allow inbound traffic from a specific source, it does not automatically allow the return traffic. You must define separate outbound rules.

6. More Rules: NACLs typically require more rules to allow traffic, especially for stateful protocols like TCP, where you need both inbound and outbound rules to permit a connection.

In summary, SGs and NACLs are complementary security mechanisms in AWS, and you can use both in combination to enhance your network security. SGs provide instance-level security with default deny rules, while NACLs offer subnet-level security with default allow rules. The choice of which to use depends on your specific security requirements and the level of control and granularity you need for your AWS resources.