AWS, cloud, ~5 mins

Stateful behavior of security groups in AWS - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does it mean that AWS security groups are stateful?
It means that if you allow incoming traffic on a port, the response traffic is automatically allowed back out, without needing a separate rule.
beginner
How does stateful behavior simplify managing network rules?
You only need to create rules for incoming or outgoing traffic, not both, because the return traffic is automatically allowed.
beginner
If you allow inbound HTTP traffic on port 80, what happens to the outbound response traffic?
The outbound response traffic is automatically allowed by the security group because of its stateful nature.
intermediate
What is the difference between stateful and stateless firewalls in terms of traffic rules?
Stateful firewalls track connections and allow the return traffic of an allowed connection automatically; stateless firewalls evaluate every packet on its own, so they need explicit rules for both directions (in AWS, security groups are stateful and network ACLs are stateless).
intermediate
Can you block outbound traffic in a security group if inbound traffic is allowed?
Yes. Security groups have no deny rules, so outbound traffic is blocked simply by having no outbound rule that allows it (a new group starts with an allow-all outbound rule, which you would have to remove). Responses to connections that an inbound rule allowed are still returned automatically.
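To make the flashcards above concrete, here is a small Python model of the two evaluation styles, added as an example for this page (it is not AWS code and not the page's own). `SecurityGroup` keeps a connection table the way a stateful filter does; `StatelessFilter` evaluates every packet only against rules in its own direction. The addresses, ports and rule sets are constructed for illustration, and the model covers only the behavior this page describes (the real service has more nuance; for example, flows allowed by all-traffic rules in both directions are not tracked).

```python
import ipaddress
from dataclasses import dataclass

ALL = "-1"  # AWS writes IpProtocol "-1" for "all protocols, all ports"


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or ALL
    from_port: int   # ignored when protocol is ALL
    to_port: int
    cidr: str        # peer address range, e.g. "0.0.0.0/0" or "203.0.113.5/32"

    def matches(self, direction, protocol, port, peer_ip):
        if direction != self.direction:
            return False
        if self.protocol != ALL:
            if protocol != self.protocol or not (self.from_port <= port <= self.to_port):
                return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (towards the instance) or "outbound" (from it)
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def peer_ip(self):
        return self.src_ip if self.direction == "inbound" else self.dst_ip

    def flow_key(self):
        """Connection identity seen from the instance: (proto, peer ip, peer port, local port).
        A request and its reply produce the same key, which is what lets the reply through."""
        if self.direction == "inbound":
            return (self.protocol, self.src_ip, self.src_port, self.dst_port)
        return (self.protocol, self.dst_ip, self.dst_port, self.src_port)


def rule_allows(rules, pkt):
    # Rules are matched on the packet's destination port: the service port for inbound
    # traffic, the remote port for outbound traffic.
    return any(r.matches(pkt.direction, pkt.protocol, pkt.dst_port, pkt.peer_ip()) for r in rules)


class StatelessFilter:
    """Network-ACL style: every packet, replies included, must match a rule in its own direction."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt):
        return "ALLOW" if rule_allows(self.rules, pkt) else "DENY"


class SecurityGroup:
    """Security-group style: allow rules plus a connection table. A packet that belongs to a
    flow already allowed in the other direction passes without any rule of its own."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()

    def evaluate(self, pkt):
        key = pkt.flow_key()
        if key in self.tracked:
            return "ALLOW (return traffic)"
        if rule_allows(self.rules, pkt):
            self.tracked.add(key)  # remember the flow so the reply needs no rule
            return "ALLOW"
        return "DENY"  # there are no deny rules; anything unmatched is simply dropped


ANYWHERE = "0.0.0.0/0"
WEB_ONLY = [Rule("inbound", "tcp", 80, 80, ANYWHERE)]        # practice question 5, option C
EGRESS_ONLY = [Rule("outbound", ALL, 0, 65535, ANYWHERE)]    # practice question 4

# Constructed packets: a client at 203.0.113.5 talks to an instance at 10.0.0.10.
HTTP_REQUEST = Packet("inbound", "tcp", "203.0.113.5", 54321, "10.0.0.10", 80)
HTTP_RESPONSE = Packet("outbound", "tcp", "10.0.0.10", 80, "203.0.113.5", 54321)
SSH_ATTEMPT = Packet("inbound", "tcp", "203.0.113.5", 50000, "10.0.0.10", 22)
INSTANCE_INITIATED = Packet("outbound", "tcp", "10.0.0.10", 40000, "198.51.100.7", 443)


def run_scenarios():
    """Evaluate the page's scenarios; returns a dict of verdicts keyed by scenario name."""
    sg = SecurityGroup(WEB_ONLY)
    stateless = StatelessFilter(WEB_ONLY)
    return {
        "sg_http_request": sg.evaluate(HTTP_REQUEST),
        "sg_http_response": sg.evaluate(HTTP_RESPONSE),                # no outbound rule needed
        "stateless_http_request": stateless.evaluate(HTTP_REQUEST),
        "stateless_http_response": stateless.evaluate(HTTP_RESPONSE),  # needs its own outbound rule
        "sg_instance_initiated": sg.evaluate(INSTANCE_INITIATED),      # not a reply: needs an outbound rule
        "sg_egress_only_ssh": SecurityGroup(EGRESS_ONLY).evaluate(SSH_ATTEMPT),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26} {verdict}")
```

The `sg_instance_initiated` scenario is the caveat behind "inbound only" configurations: stateful behavior covers replies to connections the instance accepted, not connections the instance starts itself, so a group with no outbound rules still blocks those.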
What happens to response traffic in AWS security groups when inbound traffic is allowed?
A. Response traffic is blocked by default.
B. You must create a separate outbound rule.
C. Response traffic is automatically allowed back out.
D. Response traffic requires a NAT gateway.
Which of the following best describes a stateful firewall?
A. It only filters traffic based on IP addresses.
B. It blocks all traffic unless explicitly allowed.
C. It requires separate rules for inbound and outbound traffic.
D. It tracks connections and allows return traffic automatically.
If you want to allow outbound traffic but block inbound traffic, what should you do in a security group?
A. Allow outbound rules and do not allow inbound rules.
B. Allow inbound rules and block outbound rules.
C. Allow both inbound and outbound rules.
D. Block both inbound and outbound rules.
Why do you not need to create outbound rules for response traffic in security groups?
A. Because security groups are stateful and allow response traffic automatically.
B. Because outbound traffic is always allowed by default.
C. Because AWS blocks outbound traffic automatically.
D. Because response traffic uses a different port.
Which statement is true about security groups in AWS?
A. They only control outbound traffic.
B. They are stateful and track connection states.
C. They are stateless and require rules for both directions.
D. They require manual approval for response traffic.
Explain in your own words what it means that AWS security groups are stateful.
Think about how a conversation works and how replies are handled.
Describe how stateful behavior affects the way you write inbound and outbound rules in security groups.
Consider whether you need to write rules for both directions or just one.

Practice

1. What does it mean when we say AWS security groups are stateful?
easy
A. Return traffic is automatically allowed, even if no outbound rule exists
B. You must create separate rules for inbound and outbound traffic
C. Security groups remember user login sessions
D. They block all traffic by default without exceptions

Solution

Step 1: Understand stateful behavior in security groups
Stateful means the security group tracks connections and allows return traffic automatically.
Step 2: Apply this to inbound and outbound rules
If inbound traffic is allowed, the outbound response traffic is automatically allowed without an explicit outbound rule.
Final Answer: Return traffic is automatically allowed, even if no outbound rule exists -> Option A
Quick Check: Stateful = return traffic allowed automatically
Hint: Remember: an inbound allow covers the outbound reply automatically
Common Mistakes:
• Thinking outbound rules must explicitly allow return traffic
• Confusing stateful (connection tracking) with session management (user logins)
• Assuming security groups block all traffic by default (a new group denies all inbound but allows all outbound)
2. Which of the following is the correct way to allow inbound HTTP traffic on port 80 in a security group?
easy
A. Inbound: TCP port 22 from 0.0.0.0/0
B. Outbound: TCP port 80 from 0.0.0.0/0
C. Inbound: UDP port 80 from 0.0.0.0/0
D. Inbound: TCP port 80 from 0.0.0.0/0

Solution

Step 1: Identify the correct protocol and port for HTTP
HTTP uses TCP on port 80.
Step 2: Confirm the direction and source
Inbound rules control incoming connections; a source of 0.0.0.0/0 means from anywhere.
Final Answer: Inbound: TCP port 80 from 0.0.0.0/0 -> Option D
Quick Check: Inbound HTTP = inbound TCP 80
Hint: Inbound TCP 80 for HTTP; no outbound rule is needed for the responses
Common Mistakes:
• Using UDP instead of TCP for HTTP
• Writing an outbound rule instead of an inbound rule
• Using port 22, which is SSH
3. If a security group allows inbound SSH (port 22) from a specific IP, what happens when the instance responds to that SSH request?
medium
A. The response is blocked unless an outbound rule allows port 22
B. The response is automatically allowed due to stateful behavior
C. The response is allowed only if a separate inbound rule exists
D. The response is blocked by default and requires a NAT gateway

Solution

Step 1: Recall the stateful nature of security groups
Security groups track connections and allow return traffic automatically.
Step 2: Apply this to the inbound SSH connection and its response
Because the inbound SSH connection was allowed, the outbound response traffic is allowed without any extra rule.
Final Answer: The response is automatically allowed due to stateful behavior -> Option B
Quick Check: An allowed inbound SSH connection gets its outbound response automatically
Hint: Inbound allows return traffic automatically
Common Mistakes:
• Thinking outbound rules must explicitly allow return traffic
• Confusing the inbound and outbound directions
• Assuming a NAT gateway is needed for return traffic
4. You created a security group with only an outbound rule allowing all traffic, but no inbound rules. You cannot connect to your instance via SSH. What is the likely problem?
medium
A. Inbound SSH traffic is blocked because no inbound rule allows port 22
B. Outbound rules block SSH response traffic
C. Security groups require both inbound and outbound rules for SSH
D. The instance must have a public IP to allow SSH

Solution

Step 1: Analyze the security group rules
Only an outbound rule exists; no inbound rule allows SSH (port 22).
Step 2: Remember that inbound rules control incoming connections
Without an inbound rule allowing port 22, SSH connection attempts are dropped. The outbound rule is irrelevant here: it covers connections the instance initiates, and the reply to an inbound SSH connection would have been allowed statefully anyway.
Final Answer: Inbound SSH traffic is blocked because no inbound rule allows port 22 -> Option A
Quick Check: No inbound port 22 = no SSH access
Hint: An inbound rule must allow SSH for the connection to be accepted
Common Mistakes:
• Assuming outbound rules control incoming SSH
• Thinking both inbound and outbound rules are mandatory for SSH
• Blaming the public IP first: a reachable address is needed as well, but with no inbound port 22 rule the connection is dropped regardless
5. You want to allow inbound HTTP traffic from anywhere and ensure your instance can respond properly. Which security group configuration achieves this with minimal rules?
hard
A. Allow inbound TCP port 80 and outbound TCP port 80 from 0.0.0.0/0
B. Allow inbound TCP port 80 from 0.0.0.0/0 and outbound all traffic
C. Allow inbound TCP port 80 from 0.0.0.0/0 only
D. Allow inbound all traffic and outbound all traffic

Solution

Step 1: Recall the stateful behavior of security groups
Inbound rules allow the return outbound traffic automatically, without explicit outbound rules.
Step 2: Apply the minimal rule principle
Allowing inbound TCP port 80 from anywhere is enough; no outbound rule is needed for the response. Option B also works but is not minimal. Note that "only" means removing the allow-all outbound rule a new group starts with; after that the instance can answer HTTP requests but cannot initiate connections of its own (for package updates, for example) until an outbound rule is added.
Final Answer: Allow inbound TCP port 80 from 0.0.0.0/0 only -> Option C
Quick Check: Inbound HTTP alone allows the outbound response
Hint: Only the inbound HTTP rule is needed; the response is allowed automatically
Common Mistakes:
• Adding unnecessary outbound rules for return traffic
• Allowing all inbound traffic instead of just HTTP
• Treating outbound rules as mandatory for responses
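The same minimal configuration in the shape the EC2 API uses, as an added example (not the page's code and not an AWS sample): `tcp_permission` builds the `IpPermissions` entry that boto3's `authorize_security_group_ingress` accepts, `apply_minimal_web` shows the two calls that produce option C (it is not executed here, since it needs a boto3 client and credentials), and `audit` checks a group in `describe_security_groups` format for the mistakes the solutions above list. `SAMPLE_SG`, including its group ID, is constructed for illustration.

```python
ANYWHERE = {"CidrIp": "0.0.0.0/0"}

# The allow-all outbound rule every new security group starts with.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [ANYWHERE]}


def tcp_permission(port, cidr="0.0.0.0/0"):
    """One IpPermissions entry for a single TCP port (same shape for ingress and egress)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def minimal_web_ingress():
    """Option C of practice question 5: inbound TCP 80 from anywhere, nothing else."""
    return [tcp_permission(80)]


def apply_minimal_web(ec2, group_id):
    """Apply option C with a boto3 EC2 client. Not run in this example (needs credentials).
    Revoking the default egress rule is what makes the group 'inbound 80 only'; replies
    still flow because the group is stateful, but the instance can no longer initiate
    its own connections (package updates, for instance) until an outbound rule is added."""
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=minimal_web_ingress())
    ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=[DEFAULT_EGRESS])


def _covers_port(perm, port):
    return perm.get("IpProtocol") == "tcp" and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit(sg):
    """Findings for a group in describe_security_groups() format, based on the mistakes
    the practice solutions call out. Returns a list of strings (empty means clean)."""
    findings = []
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])

    if not ingress:
        findings.append("no inbound rules: nothing can initiate a connection to the instance")
    for perm in ingress:
        open_to_world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if perm.get("IpProtocol") == "-1":
            findings.append("inbound allows all traffic; restrict it to the service port")
        elif open_to_world and _covers_port(perm, 22):
            findings.append("SSH (tcp/22) is open to 0.0.0.0/0; restrict it to a known source")

    # Replies to inbound connections never need an egress rule, so an egress rule that
    # mirrors an ingress service port only matters if the instance initiates on that port.
    service_ports = {(p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort"))
                     for p in ingress if p.get("IpProtocol") != "-1"}
    for perm in egress:
        key = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        if key in service_ports:
            findings.append(f"outbound {key[0]}/{key[1]} is not needed for replies to inbound "
                            f"{key[0]}/{key[1]}; keep it only if the instance initiates on that port")
    return findings


# Constructed group (not from a real account): web plus world-open SSH, and a redundant egress rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [tcp_permission(80), tcp_permission(22)],
    "IpPermissionsEgress": [tcp_permission(80), DEFAULT_EGRESS],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SG):
        print("-", finding)
```

Run against `SAMPLE_SG` the audit reports two findings: SSH open to the world (question 4's "specific IP" is the right source) and the outbound tcp/80 rule that option A of question 5 adds without need. A group holding exactly `minimal_web_ingress()` and no egress rules comes back clean.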