A Network Access Control List (NACL) can have up to 20 rules per direction (inbound and outbound) by default, but this limit can be increased to a maximum of 40 rules per direction if needed.
Key takeaways:
Security groups, NACLs, and IAM are key AWS security features.
Security groups offer stateful instance-level traffic control with only allow rules.
NACLs provide stateless subnet-level control with both allow and deny rules.
IAM manages access permissions and policies for AWS services via JSON documents.
Security groups evaluate all rules together; NACLs evaluate rules in numerical order, lowest rule number first.
NACLs and security groups manage traffic, while IAM defines user access to resources.
Security groups, Network Access Control Lists (NACLs), and Identity and Access Management (IAM) are important security features in the AWS cloud. Security groups provide instance-level traffic control, NACLs provide subnet-level traffic control, and IAM defines policies for permitting or denying access to AWS services.
A security group acts as a traffic filter, similar to a firewall, for instances in the cloud. It is used for instance-level traffic control and must be explicitly assigned to each instance. You can only define allow rules for both inbound and outbound traffic, not deny rules. Security groups are stateful, meaning that the outbound response to allowed incoming traffic is automatically permitted without you having to define an outbound rule. The same applies to the inbound response to allowed outgoing traffic. A Virtual Private Cloud (VPC) comes with a default security group, but you can create additional security groups as needed. Any traffic that is not explicitly allowed is denied by default.
The tables below provide examples of inbound and outbound traffic rules. Each table includes the rule name, protocol, port range, source/destination (depending on traffic direction), and a description.
Inbound rules:

| Name | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| security-group1 | All | All | 0.0.0.0/0 | All protocols have been allowed |

Outbound rules:

| Name | Protocol | Port Range | Destination | Description |
|---|---|---|---|---|
| security-group1 | HTTPS | 443 | 192.168.1.0/24 | HTTPS security group rule |
The diagram below shows a cloud containing a public subnet with an Elastic Compute Cloud (EC2) instance. The instance is accessible to users over the internet via the internet gateway, and it is assigned a security group that sets its inbound and outbound traffic rules.
Network access control lists (NACLs) provide similar functionality to security groups but operate at the subnet level. With NACLs, you can specify both allow and deny rules. Additionally, NACLs are stateless: return traffic for an allowed inbound connection is permitted only if an outbound rule explicitly allows it (and vice versa). Rules are evaluated in numerical order, with the lowest rule number having the highest priority; the first matching rule decides.
The following tables show examples of inbound and outbound rules. An entry with rule number * is always present; it ensures that any packet that matches no other rule is denied by default.
Inbound rules:

| Rule Number | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | HTTPS | 443 | 192.168.1.0/24 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

Outbound rules:

| Rule Number | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All IPv4 traffic | HTTPS | 443 | 192.168.1.0/24 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |
The following architecture diagram shows that a NACL has been applied to the public subnet.
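To make the stateful-versus-stateless and rule-ordering differences concrete, here is a small Python simulator. It is an added example, not code from the original article or from AWS; the rule dictionaries, client address and ephemeral port are constructed to mirror the HTTPS rules in the tables above. It shows that a security group lets the server's reply out automatically, while a NACL whose outbound rules only cover port 443 silently drops the reply to the client's ephemeral port, and that the lowest-numbered matching NACL rule wins.

```python
from ipaddress import ip_address, ip_network

def _matches(rule, proto, port, addr):
    """Does a rule's protocol, port range and CIDR cover this packet?"""
    proto_ok = rule["proto"] in ("all", proto)
    lo, hi = rule["ports"]
    return proto_ok and lo <= port <= hi and ip_address(addr) in ip_network(rule["cidr"])

class SecurityGroup:
    """Stateful, allow-only: all rules are considered together, and the
    response to an allowed inbound flow is permitted automatically."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.flows = inbound, outbound, set()
    def allow_in(self, proto, port, src, src_port):
        ok = any(_matches(r, proto, port, src) for r in self.inbound)
        if ok:
            self.flows.add((proto, src, src_port, port))  # remember the flow
        return ok
    def allow_out(self, proto, dst_port, dst, src_port):
        if (proto, dst, dst_port, src_port) in self.flows:
            return True  # return traffic of a tracked flow needs no rule
        return any(_matches(r, proto, dst_port, dst) for r in self.outbound)

class NetworkAcl:
    """Stateless, allow/deny: rules are tried in ascending rule number, the
    first match wins, and the '*' catch-all denies everything else."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
    @staticmethod
    def _decide(rules, proto, port, addr):
        for r in sorted(rules, key=lambda r: r["num"]):
            if _matches(r, proto, port, addr):
                return r["action"] == "ALLOW"
        return False  # rule '*': DENY
    def allow_in(self, proto, port, src, src_port=None):
        return self._decide(self.inbound, proto, port, src)
    def allow_out(self, proto, dst_port, dst, src_port=None):
        return self._decide(self.outbound, proto, dst_port, dst)

# Constructed rules mirroring the article's tables: HTTPS with 192.168.1.0/24.
HTTPS_IN = {"num": 100, "proto": "tcp", "ports": (443, 443), "cidr": "192.168.1.0/24", "action": "ALLOW"}
HTTPS_OUT = {"num": 100, "proto": "tcp", "ports": (443, 443), "cidr": "192.168.1.0/24", "action": "ALLOW"}
sg = SecurityGroup(inbound=[HTTPS_IN], outbound=[])
nacl = NetworkAcl(inbound=[HTTPS_IN], outbound=[HTTPS_OUT])

def https_exchange(fw, client="192.168.1.10", client_port=51515):
    """Client -> :443 request, then the server's reply to the client's ephemeral port.
    Returns (request_allowed, reply_allowed)."""
    request_ok = fw.allow_in("tcp", 443, client, client_port)
    reply_ok = fw.allow_out("tcp", client_port, client, 443)
    return request_ok, reply_ok
```

In a real VPC the NACL fix is an outbound allow rule for the ephemeral port range; the simulator makes the missing rule visible as a dropped reply rather than a silent timeout.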
Identity and Access Management (IAM) specifies who or what can access AWS services and resources. IAM policies can be created to grant or deny users or user groups permanent or role-based access to AWS services. A policy is a JSON document specifying which permissions are granted or denied and to which principals.
An example of a policy to provide read-only access to an S3 bucket would be as follows.
The following architecture diagram shows how various AWS account holders access AWS services based on IAM policies.
The table below summarizes the key differences between the three.
| Security Group | NACL | IAM |
|---|---|---|
| Instance-level | Subnet-level | Service-wide |
| Rules are evaluated together | Rules are evaluated starting from the smallest rule number | It is policy-based |
| Stateful | Stateless | Neither |
| Only allow rules | Both allow and deny rules | Has permissions and policies |
In conclusion, NACLs and security groups act as firewalls and manage traffic to and from resources at different levels (subnet and instance, respectively). IAM, on the other hand, defines policies for managing access to AWS resources and services by account holders.