Monash University · S1 2026 · FACULTY OF INFORMATION TECHNOLOGY

FIT5225 · Cloud Computing And Security

50% final exam · hurdle · 14 chapters · 8-page Bible
Chapter 7 of 7 · FIT5225

Cloud Security

Security is the thread that runs through every other chapter, pulled together here into the capstone. It opens with the foundations, the CIA triad (Confidentiality, Integrity, Availability) and the four A's (Authentication, Authorization and Accounting/Audit among them), with the perennially confused authentication vs authorization pair at the centre, then maps them onto AWS. The network half is the VPC and its two firewalls: stateful, instance-level Security Groups (SG) versus stateless, subnet-level Network ACLs (NACL), where rule order and the allow-only vs allow/deny model are the classic gotchas, plus NAT gateways and the fact that VPC peering is not transitive. The identity half is Cognito (User Pools vs Identity Pools), IAM least privilege, and encryption in transit and at rest. Over it all sits defense-in-depth (layered controls) and the reminder from chapter one that 'the cloud is secure' is only half the truth: the provider secures the underlying cloud, but most breaches are customer-side misconfiguration. Quizzes over-test these tables.

In this chapter

What this chapter covers

  • 01 Foundations: the CIA triad & the four A's (authN vs authZ)
  • 02 The shared-responsibility line, revisited for security
  • 03 VPC networking: Security Groups vs Network ACLs (stateful vs stateless)
  • 04 Rule order, NAT gateways, and why peering is not transitive
  • 05 Identity: Cognito User Pools vs Identity Pools, IAM least-privilege
  • 06 Encryption (in transit / at rest) & defense-in-depth
Worked example

Worked example: Security Group vs Network ACL — pick the firewall

Q [5 marks]. You must allow inbound HTTPS (port 443) to a group of web-server EC2 instances, and you also want to block one specific malicious IP address from an entire subnet. (a) Which control — a Security Group or a Network ACL — naturally allows the inbound 443 to the instances, and what makes its return traffic 'just work'? (b) Which control should do the subnet-wide IP block, and why? (c) Name the rule-evaluation gotcha for the NACL.
  • +2 · (a) The Security Group allows inbound 443 at the instance level; it is stateful, so the response to an allowed inbound request is automatically allowed out, with no matching outbound rule to write.
  • +2 · (b) The Network ACL does the subnet-wide block: it operates at the subnet level and supports explicit deny rules (Security Groups are allow-only), so a single deny rule drops that IP for everything in the subnet.
  • +1 · (c) The NACL gotcha is rule order: rules are evaluated by rule number, lowest first, and the first match wins, so the deny for the bad IP must have a lower rule number than any broader allow (such as an allow from 0.0.0.0/0 on 443), otherwise the allow fires first and the deny is never reached.
  • +0 · Note: a NACL is stateless, so unlike the SG it needs an explicit outbound rule for return traffic (an allow on the ephemeral port range, commonly 1024-65535, since the client's source port is not known in advance) because it does not track connections.
Use a stateful Security Group at the instance level to allow inbound 443 (its return traffic is automatic); use a Network ACL at the subnet level to deny the malicious IP (only NACLs support deny); and remember the NACL evaluates rules in number order with first-match-wins, so the deny needs a lower rule number than the allow.
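The model below is an added example written for this chapter, not AWS code or anything from the unit: a toy simulator of the two VPC firewalls that reproduces the semantics the answer relies on. The addresses (10.0.1.10, 198.51.100.5, 203.0.113.7), the rule numbers and the "bad" client are constructed. Running `scenario(200, True)` shows the gotcha from part (c): with the deny numbered above the broad allow, the malicious IP gets straight through; `scenario(10, False)` shows the stateless note, where nobody receives a reply because the NACL has no return rule.

```python
# Added example: a toy model of the two VPC firewalls in the worked example.
# Not AWS code; addresses, rule numbers and the 'bad' client are constructed.
import ipaddress
from dataclasses import dataclass

WEB_SERVER = "10.0.1.10"        # constructed: instance in the protected subnet
GOOD_CLIENT = "198.51.100.5"    # constructed: legitimate browser
BAD_CLIENT = "203.0.113.7"      # constructed: the IP to block subnet-wide
ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)  # range AWS docs suggest for NACL return rules


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int            # evaluated lowest number first
    action: str            # "allow" or "deny"; NACLs support both
    cidr: str
    ports: range
    protocol: str = "tcp"  # "-1" means all protocols, as in the console

    def matches(self, ip: str, port: int, protocol: str) -> bool:
        proto_ok = self.protocol in ("-1", protocol)
        in_cidr = ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
        return proto_ok and port in self.ports and in_cidr


class NetworkAcl:
    """Stateless, subnet-level: separate ingress and egress lists, no tracking."""

    def __init__(self, ingress, egress):
        self.ingress = sorted(ingress, key=lambda r: r.number)
        self.egress = sorted(egress, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, ip, port, protocol):
        for rule in rules:                     # lowest number first
            if rule.matches(ip, port, protocol):
                return rule.action == "allow", rule.number   # first match wins
        return False, "*"                      # catch-all deny every NACL ends with

    def permits_ingress(self, pkt):
        return self._first_match(self.ingress, pkt.src_ip, pkt.dst_port, pkt.protocol)

    def permits_egress(self, pkt):
        return self._first_match(self.egress, pkt.dst_ip, pkt.dst_port, pkt.protocol)


class SecurityGroup:
    """Stateful, instance-level, allow-only. Outbound rules are not modelled;
    the point is that a reply to a tracked connection passes regardless."""

    def __init__(self, inbound):
        self.inbound = inbound     # (cidr, ports, protocol) allow entries only
        self._tracked = set()

    def permits_inbound(self, pkt):
        for cidr, ports, proto in self.inbound:
            if (pkt.protocol == proto and pkt.dst_port in ports
                    and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(cidr)):
                self._tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False               # no deny rule exists to write; unmatched is dropped

    def permits_reply(self, reply):
        flow = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        return flow in self._tracked   # connection tracking, not a rule lookup


def build_nacl(deny_rule_number: int, with_return_rule: bool) -> NetworkAcl:
    ingress = [NaclRule(100, "allow", "0.0.0.0/0", range(443, 444)),
               NaclRule(deny_rule_number, "deny", f"{BAD_CLIENT}/32", ALL_PORTS, "-1")]
    egress = [NaclRule(100, "allow", "0.0.0.0/0", EPHEMERAL)] if with_return_rule else []
    return NetworkAcl(ingress, egress)


def request_from(ip: str) -> Packet:
    return Packet(ip, 51000, WEB_SERVER, 443)


def scenario(deny_rule_number: int, with_return_rule: bool) -> dict:
    """Per client: does the HTTPS request reach the instance, and does the
    server's reply get back out of the subnet?"""
    nacl = build_nacl(deny_rule_number, with_return_rule)
    sg = SecurityGroup([("0.0.0.0/0", range(443, 444), "tcp")])
    out = {}
    for name, ip in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        req, reply = request_from(ip), Packet(WEB_SERVER, 443, ip, 51000)
        reached = nacl.permits_ingress(req)[0] and sg.permits_inbound(req)
        replied = reached and sg.permits_reply(reply) and nacl.permits_egress(reply)[0]
        out[name] = {"request_reaches_instance": reached, "reply_leaves_subnet": replied}
    return out


if __name__ == "__main__":
    print("deny at 10, return rule:  ", scenario(10, True))    # bad blocked
    print("deny at 200 (the gotcha): ", scenario(200, True))   # bad gets through
    print("deny at 10, no return rule:", scenario(10, False))  # nobody gets a reply
```

The simulator deliberately gives the Security Group no deny and no outbound rules: the only way a packet is dropped is by matching nothing, and the only reason a reply passes is that the connection was tracked. That asymmetry is the whole stateful/stateless table in the glossary below, expressed as code.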
Glossary

Key terms

CIA triad
The three goals of information security: Confidentiality (only authorised parties can read the data), Integrity (the data is not tampered with, and any tampering is detected) and Availability (authorised users can access it when needed). Every security control maps to protecting one or more of these: encryption serves confidentiality, signing and MACs serve integrity (a bare hash only catches accidental corruption, since an attacker who can alter the data can recompute the hash unless the hash itself is protected), and redundancy serves availability.
Authentication vs authorization
Authentication proves who you are (verifying identity — a password, a token); authorization decides what you are allowed to do (your permissions). AuthN comes first, then authZ. They are constantly mixed up and the quiz exploits it: a login is authentication, a permission check is authorization.
Security Group vs Network ACL
AWS's two VPC firewalls. A Security Group is stateful and instance-level, allow-rules only, with automatic return traffic. A Network ACL is stateless and subnet-level, supports both allow and deny, evaluates rules in number order (first match wins) and needs explicit return-traffic rules. SG = the instance's firewall; NACL = the subnet's firewall.
Cognito User Pool vs Identity Pool
Two AWS Cognito services that are easy to confuse. A User Pool is a user directory that handles sign-up and sign-in (authentication) and issues tokens. An Identity Pool (federated identities) exchanges those tokens for temporary AWS credentials so the user can access AWS resources (authorization to AWS). User Pool = who you are; Identity Pool = what AWS access you get.
Defense-in-depth
Layering multiple, independent security controls so that no single failure exposes the system — network segmentation (VPC, subnets), firewalls (SG, NACL), identity (IAM least-privilege), encryption in transit and at rest, and monitoring. The idea is that an attacker must defeat every layer, not just one.
FAQ

Cloud Security FAQ

What is the difference between a Security Group and a Network ACL?

A Security Group is a stateful, instance-level firewall with allow-rules only; its return traffic is automatic. A Network ACL is a stateless, subnet-level firewall that supports explicit deny as well as allow, evaluates rules in number order with first-match-wins, and needs an explicit outbound rule for return traffic (typically an allow on the ephemeral port range, 1024-65535, because the client's source port is not known in advance). Use the SG for instance access and the NACL for subnet-wide allow/deny; this is one of the most over-tested tables in the unit.

Authentication vs authorization — how do I never mix them up?

Authentication is 'who are you?' — proving identity (logging in, presenting a token). Authorization is 'what may you do?' — checking permissions once your identity is known. AuthN always precedes authZ. Map any scenario to the question it answers: verifying a password is authentication; deciding whether that verified user can delete a bucket is authorization.

Why isn't VPC peering transitive?

Because each peering connection is a direct, point-to-point link between two VPCs and AWS deliberately does not route traffic through an intermediate VPC. If A peers with B and B peers with C, A still cannot reach C — you would need a direct A-to-C peering (or a transit gateway). It is a frequent trap because people assume peering chains like normal routing.

If the provider secures the cloud, what's left for me to secure?

Your half of the shared-responsibility line: your data, your identity and access management (IAM least-privilege), your OS/network/firewall configuration (Security Groups, NACLs), your application code, and your encryption. Most real cloud breaches are customer-side misconfiguration — an open S3 bucket, an over-broad IAM policy — so 'the cloud is secure' never means 'my system is secure'.
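As an added example (not AWS code and not from the unit), the block below models the authorization half of the authN/authZ split from the FAQ above: once a user is authenticated, IAM decides each request by the order "explicit Deny wins, then a matching Allow, otherwise implicit deny". The three policies and the bucket name `fit5225-reports` are constructed for illustration. Only Action/Resource wildcard matching and that evaluation order are implemented; Condition blocks, NotAction/NotResource, resource policies, permission boundaries and SCPs, all of which real IAM also evaluates, are left out on purpose. It shows why the "over-broad IAM policy" in the answer above lets a verified user delete the bucket while a least-privilege policy falls through to the default deny.

```python
# Added example: a minimal model of IAM's policy evaluation order. Not AWS code;
# the policies and the bucket ARN below are constructed for this chapter.
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statements(policy: dict) -> list:
    stmts = policy["Statement"]          # IAM accepts one statement or a list
    return stmts if isinstance(stmts, list) else [stmts]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' any run of characters, '?' exactly one. fnmatchcase also
    # understands [..] sets, which IAM does not; no pattern here uses them.
    return fnmatchcase(value, pattern)


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action.lower()) for a in actions)
            and any(_matches(r, resource) for r in resources))


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny'.

    A single matching Deny anywhere ends the evaluation as a deny; a matching
    Allow with no Deny permits; no match at all is the default deny that
    least privilege relies on."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # overrides every Allow, in any policy
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed policies; the bucket is hypothetical.
REPORTS_BUCKET = "arn:aws:s3:::fit5225-reports"

OVER_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": REPORTS_BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": REPORTS_BUCKET + "/*"}]}

GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
     "Resource": [REPORTS_BUCKET, REPORTS_BUCKET + "/*"]}]}


def compare(action: str, resource: str) -> dict:
    """The same request under the over-broad policy, the least-privilege one,
    and the over-broad one with the guardrail Deny attached alongside it."""
    return {
        "over_broad": evaluate([OVER_BROAD], action, resource),
        "least_privilege": evaluate([LEAST_PRIVILEGE], action, resource),
        "over_broad_plus_guardrail": evaluate([OVER_BROAD, GUARDRAIL], action, resource),
    }


if __name__ == "__main__":
    for action, resource in (("s3:GetObject", REPORTS_BUCKET + "/week7.pdf"),
                             ("s3:DeleteBucket", REPORTS_BUCKET),
                             ("s3:GetObject", "arn:aws:s3:::someone-elses-bucket/x")):
        print(f"{action:16} {resource:45} {compare(action, resource)}")
```

The guardrail case is defense-in-depth applied to identity: even if an over-broad Allow slips through review, an explicit Deny layered on top still stops the destructive action, because IAM never lets an Allow outvote a Deny.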

Study strategy

Exam move

Treat this chapter as a set of tables to over-learn, because that is exactly how it is tested. Lock down the two perennial confusions first — authentication vs authorization, and Security Group (stateful, instance, allow-only) vs Network ACL (stateless, subnet, allow+deny, ordered, first-match-wins) — and be ready to pick the right control for a described scenario. Know the NACL rule-order gotcha and that VPC peering is not transitive. For identity, separate Cognito User Pools (sign-in / who you are) from Identity Pools (temporary AWS credentials / what you can access). Tie everything back to the CIA triad and the shared-responsibility line, and remember the strategic refrain from chapter one: secure technology is not a secure system, and most breaches are customer-side misconfiguration.
