From what I read, stateless firewalls are used more for packet filtering. Why is AWS NACL stateless?
NACLs force too big a range of ports to be opened for the ephemeral ports.
Is there a way to create stateful firewalls on AWS other than Security Groups? Security Groups feel too granular and may get omitted by mistake.
Network Access Control Lists (ACLs) mimic traditional firewalls implemented on hardware routers. Such routers are used to separate subnets and allow the creation of separate zones, such as a DMZ. They purely filter based upon the content of the packet. That is their job.
Security Groups are an added capability in AWS that provides firewall-like capabilities at the resource level. (To be accurate, they are attached to Elastic Network Interfaces, ENIs). They are stateful, meaning that they allow return traffic to flow.
In general, the recommendation is to leave NACLs at their default settings (allow all traffic IN & OUT). They should only be changed if there is a specific need to block certain types of traffic at the subnet level.
Security Groups are the ideal way to control stateful traffic going in and out of a VPC-attached resource. They are THE way to create stateful firewalls. There is no other such capability provided by a VPC. If you wanted something different, you could route traffic through an Amazon EC2 instance acting as a NAT and then you would have full control over how it behaves.
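To make the stateless-versus-stateful distinction from the answer concrete, and to show why the question's ephemeral-port range has to be opened on a NACL, here is a small added simulation (not code from the question, the answer, or AWS). It models a NACL as a per-packet rule check and a Security Group as a rule check plus a connection table; the traffic is constructed, only allow rules are modelled, and the default allow-all-outbound of a real Security Group is omitted for clarity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" or "out", relative to the subnet (NACL) or ENI (SG)

# A rule is (direction, first_port, last_port); only allow rules are modelled here,
# so anything unmatched is implicitly denied, as in both NACLs and Security Groups.
def rule_allows(rules, pkt):
    return any(d == pkt.direction and lo <= pkt.dst_port <= hi for d, lo, hi in rules)

class StatelessNacl:
    """Judges every packet on its own, so return traffic needs its own explicit rule."""
    def __init__(self, rules):
        self.rules = rules
    def permits(self, pkt):
        return rule_allows(self.rules, pkt)

class StatefulSg:
    """Remembers permitted flows and lets their return packets through automatically."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()
    def permits(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True  # reply to a flow that was already allowed
        if rule_allows(self.rules, pkt):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False

def https_server_scenario():
    # Constructed traffic: a client hits an HTTPS server in the subnet and gets a reply,
    # plus an unrelated outbound packet to an ephemeral port that is not a reply to anything.
    request = Packet("203.0.113.10", 51234, "10.0.1.5", 443, "in")
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 51234, "out")
    stray = Packet("10.0.1.5", 40000, "198.51.100.7", 50000, "out")
    naive_nacl = StatelessNacl([("in", 443, 443), ("out", 443, 443)])
    # The usual fix: open the whole ephemeral range outbound so replies can leave.
    fixed_nacl = StatelessNacl([("in", 443, 443), ("out", 1024, 65535)])
    sg = StatefulSg([("in", 443, 443)])
    results = {}
    for name, fw in [("naive_nacl", naive_nacl), ("fixed_nacl", fixed_nacl), ("sg", sg)]:
        results[name] = tuple(fw.permits(p) for p in (request, reply, stray))
    return results
```

The naive NACL drops the server's reply; the fixed NACL lets the reply out but, having no flow table, also lets the unrelated packet out, which is exactly the over-broad opening the question complains about; the Security Group passes the reply and still blocks the unrelated packet.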