2023.08.10

When to use AWS ACLs and Security Groups


When using AWS, ensuring network security is of utmost importance. In the cloud environment, to achieve proper access control, distinguishing between AWS ACL and security groups is essential. In this article, we will delve deeply into the differences between these two crucial network security tools and explore their appropriate use cases.

Service Overview

AWS ACL (Access Control List) is an Amazon Web Services feature designed to enhance network security. An ACL controls inbound and outbound traffic for subnets within a VPC (Virtual Private Cloud). With an ACL, you can allow or deny communication with specific IP addresses or IP ranges, which gives you flexibility in configuring network security policies.

A security group is a collection of firewall rules that regulates network traffic within Amazon Web Services' virtual networking environment. Security groups manage inbound (incoming) and outbound (outgoing) traffic to AWS resources, serving as a means to strengthen security.

Key Features

AWS ACL is applied to subnets within a VPC and controls traffic to resources within those subnets. The same ACL can also be applied to multiple subnets. AWS ACL provides control over both inbound and outbound traffic, and you can allow or deny access for specific IP addresses or protocols. ACL rules are evaluated in numerical order, and the first rule that matches is applied, so rule order must be considered carefully. If explicit rules are absent, the ACL denies traffic by default, so you need to set rules that permit only the necessary traffic.

Unlike AWS ACL, security groups are applied individually to resources like EC2 instances, controlling traffic on a per-instance basis. Security groups allow specific traffic by setting permission rules. They can control access to specific ports or protocols. In the absence of explicit configurations, security groups deny all traffic by default. Therefore, establishing rules that permit required communication is crucial. Security groups provide stateful control, where permitted inbound traffic automatically allows corresponding outbound traffic.
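The following added example (not code from the original article or from AWS) simulates the two evaluation models described above: an ACL checked in ascending rule-number order with first match winning and a default deny, and a security group made up of allow rules only. The rule numbers, CIDR ranges and ports are constructed sample values, and the model is simplified to source address and port.

```python
import ipaddress

# Constructed sample rules; numbers, CIDRs and ports are illustrative only.
# ACL entry: (rule_number, action, source CIDR, first port, last port)
NACL_INBOUND = [
    (100, "allow", "0.0.0.0/0", 443, 443),
    (90, "deny", "203.0.113.0/24", 0, 65535),
    (200, "deny", "198.51.100.0/24", 443, 443),  # never reached: rule 100 matches first
]
# Security group entry: (source CIDR, first port, last port); allow rules only
SG_INBOUND = [("0.0.0.0/0", 443, 443)]


def _matches(cidr, lo, hi, src_ip, port):
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr) and lo <= port <= hi


def nacl_decision(rules, src_ip, port):
    """Evaluate in ascending rule number; the first matching rule decides."""
    for number, action, cidr, lo, hi in sorted(rules):
        if _matches(cidr, lo, hi, src_ip, port):
            return action, number
    return "deny", None  # no explicit rule matched: default deny


def shadowed_rules(rules):
    """Rule numbers that can never fire because a lower-numbered rule fully covers them."""
    dead, ordered = [], sorted(rules)
    for i, (number, _, cidr, lo, hi) in enumerate(ordered):
        net = ipaddress.ip_network(cidr)
        for _, _, c2, lo2, hi2 in ordered[:i]:
            if net.subnet_of(ipaddress.ip_network(c2)) and lo2 <= lo and hi <= hi2:
                dead.append(number)
                break
    return dead


def sg_allows(rules, src_ip, port):
    """A security group has no deny rules; anything not explicitly allowed is denied."""
    return any(_matches(cidr, lo, hi, src_ip, port) for cidr, lo, hi in rules)


def reaches_instance(src_ip, port):
    """Inbound traffic passes the subnet ACL first, then the instance's security group."""
    nacl_ok = nacl_decision(NACL_INBOUND, src_ip, port)[0] == "allow"
    return nacl_ok and sg_allows(SG_INBOUND, src_ip, port)
```

Running `shadowed_rules` over an ACL before applying it is a quick way to catch a deny rule that was given too high a number to ever take effect.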


AWS ACL and security groups are tools that enhance network security through different approaches. An ACL controls traffic at the subnet level and is suitable for detailed traffic control. Security groups, by contrast, control traffic at the instance level, offering security tailored to individual resources. Understanding which tool to select and how to use it helps you secure your AWS environment.
