Here, you can create key-value pairs that can be associated with your security group. So, through the use of both NACLs and security groups, you can create layered security. For example, imagine you had an inbound NACL that looked as follows associated with a subnet:
Within that same subnet, you had an EC2 instance associated with the following security group:
Now, if a host were trying to SSH to your EC2 instance, from a security standpoint it would have no problem traversing your NACL, as SSH is a TCP protocol and you are allowing all TCP connections into the subnet. However, it would not reach the instance, as the security group for that instance would drop SSH because it is not listed as an allowed protocol.
Similarly, if an engineer were trying to RDP to the EC2 instance, access would again be allowed through the NACL. If that engineer's IP address did not match 86.171.161.10/32, however, RDP would be dropped as the source is not a match in the...
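The layered evaluation described above, as an added Python model that is not from the book: the NACL is stateless and evaluated first-match in ascending rule-number order with an implicit final deny, while the security group is a stateful allow-list where only a matching allow rule lets traffic through. The NACL (allow all TCP from anywhere) and security group (RDP only from 86.171.161.10/32) contents are reconstructed from the prose, since the original tables are not reproduced here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules
    action: str      # "allow" or "deny" (security groups only carry "allow")
    number: int = 0  # NACL rule number; ignored for security groups


def rule_matches(rule: Rule, proto: str, port: int, src_ip: str) -> bool:
    proto_ok = rule.protocol in ("all", proto)
    port_ok = rule.port_from <= port <= rule.port_to
    cidr_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and cidr_ok


def nacl_inbound(rules: list, proto: str, port: int, src_ip: str) -> bool:
    # Stateless: lowest rule number that matches decides; the implicit "*" rule denies the rest.
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, proto, port, src_ip):
            return rule.action == "allow"
    return False


def sg_inbound(rules: list, proto: str, port: int, src_ip: str) -> bool:
    # Stateful allow-list: any matching rule allows, anything else is silently dropped.
    return any(rule_matches(r, proto, port, src_ip) for r in rules)


def reaches_instance(nacl: list, sg: list, proto: str, port: int, src_ip: str) -> bool:
    # Traffic must pass the subnet NACL and then the instance's security group.
    return nacl_inbound(nacl, proto, port, src_ip) and sg_inbound(sg, proto, port, src_ip)


# Constructed to mirror the text: the NACL allows all TCP into the subnet.
SUBNET_NACL = [Rule("tcp", 0, 65535, "0.0.0.0/0", "allow", number=100)]
# Constructed to mirror the text: the security group only lists RDP from 86.171.161.10/32.
INSTANCE_SG = [Rule("tcp", 3389, 3389, "86.171.161.10/32", "allow")]

if __name__ == "__main__":
    print("SSH from 203.0.113.5:", reaches_instance(SUBNET_NACL, INSTANCE_SG, "tcp", 22, "203.0.113.5"))
    print("RDP from 86.171.161.10:", reaches_instance(SUBNET_NACL, INSTANCE_SG, "tcp", 3389, "86.171.161.10"))
    print("RDP from 203.0.113.5:", reaches_instance(SUBNET_NACL, INSTANCE_SG, "tcp", 3389, "203.0.113.5"))
```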