NACLs vs Security Groups
| Security group | Network ACL |
|---|---|
| Operates at the instance level. | Operates at the subnet level. |
| Supports allow rules only. | Supports both allow rules and deny rules. |
| Stateful - return traffic is automatically allowed, regardless of any rules. | Stateless - return traffic must be explicitly allowed by rules. |
| AWS evaluates all rules before deciding whether to allow traffic. | AWS processes rules in order, starting with the lowest-numbered rule, when deciding whether to allow traffic. |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on. | Automatically applies to all instances in the subnets it is associated with (therefore it provides an additional layer of defense if the security group rules are too permissive). |
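As an added illustration (not part of the original page and not AWS code), a toy Python model of the two evaluation behaviours in the table: a security group checks every allow rule and treats the reply as part of the allowed connection, whereas a NACL walks rules by number, stops at the first match, and, being stateless, must see an explicit outbound allow for the reply's ephemeral destination port. The single-protocol, IPv4-only simplification and the sample rule sets are assumptions.

```python
"""Toy model of how AWS evaluates security-group and network-ACL rules.
Added example, not AWS code; IPv4 and a single protocol only (assumption)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny" (security groups only ever use "allow")
    cidr: str          # remote address range, e.g. "0.0.0.0/0"
    port_from: int     # inclusive destination-port range
    port_to: int
    number: int = 0    # NACL rule number; unused for security groups

def _matches(rule: Rule, ip: str, port: int) -> bool:
    in_range = ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
    return in_range and rule.port_from <= port <= rule.port_to

def sg_allows(rules: list, ip: str, port: int) -> bool:
    """Security group: every rule is evaluated, any matching allow rule wins."""
    return any(r.action == "allow" and _matches(r, ip, port) for r in rules)

def nacl_allows(rules: list, ip: str, port: int) -> bool:
    """NACL: lowest-numbered rule first, first match decides, else implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, ip, port):
            return r.action == "allow"
    return False

def sg_connection_ok(inbound: list, client_ip: str, svc_port: int) -> bool:
    # Stateful: once the request is allowed in, the reply is allowed out
    # automatically; outbound rules are never consulted for it.
    return sg_allows(inbound, client_ip, svc_port)

def nacl_connection_ok(inbound: list, outbound: list,
                       client_ip: str, client_port: int, svc_port: int) -> bool:
    # Stateless: the request (dst = service port) and the reply (dst = the
    # client's ephemeral port) are each checked independently.
    return (nacl_allows(inbound, client_ip, svc_port)
            and nacl_allows(outbound, client_ip, client_port))

if __name__ == "__main__":
    # Constructed sample: a client on an ephemeral port connecting to HTTPS.
    client, eph, https = "203.0.113.10", 50000, 443
    allow_https = Rule("allow", "0.0.0.0/0", 443, 443, 100)
    allow_eph = Rule("allow", "0.0.0.0/0", 1024, 65535, 110)
    print("SG:", sg_connection_ok([allow_https], client, https))
    print("NACL, no ephemeral rule:", nacl_connection_ok([allow_https], [allow_https], client, eph, https))
    print("NACL, with ephemeral rule:", nacl_connection_ok([allow_https], [allow_https, allow_eph], client, eph, https))
```

The second NACL case fails only because the reply to port 50000 has no outbound match, which is the usual cause of "security group allows it but nothing connects" when a NACL is in play.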