Airzero Cloud

Next Generation Cloud!

A security group controls inbound and outbound traffic for your EC2 instances by acting as a virtual firewall. When you launch an EC2 instance in a VPC, you can assign the instance up to five security groups. Security groups operate at the instance level rather than the subnet level. As a result, each instance in a VPC subnet can be assigned to a different set of security groups.

If you launch an instance using the Amazon EC2 API or a command-line tool without specifying a security group, the instance is assigned to the VPC's default security group. When you launch an instance through the Amazon EC2 console, you can create a new security group for the instance.

You add one set of rules to each security group that controls inbound traffic to instances and a separate set of rules that controls outbound traffic. This section explains the fundamentals of security groups and their rules for your VPC.

Set up network ACLs with rules similar to your security groups to add an extra layer of security to your VPC. See Compare security groups and network ACLs for more information on the distinctions between the two types of ACLs.

Security group basics

Security groups have the following characteristics:

  • Allow rules can be specified, but not deny rules.
  • You can define different rules for inbound and outbound traffic.
  • You can use security group rules to filter traffic based on protocols and port numbers.
  • Security groups are stateful, which means that if you send a request from your instance, response traffic for that request is allowed to enter regardless of inbound security group rules. Regardless of outbound rules, responses to allowed inbound traffic are allowed to flow out.
  • When you create a security group for the first time, it has no inbound rules. As a result, until you add inbound rules to the security group, no inbound traffic from another host to your instance is allowed.
  • A security group includes an outbound rule by default that allows all outbound traffic. You can remove the rule and replace it with outbound rules that allow only specific outbound traffic. If your security group does not have any outbound rules, no outbound traffic from your instance is permitted.
  • There are limits to how many security groups you can create per VPC, how many rules you can add to each security group, and how many security groups you can associate with a network interface.
  • Instances in a security group cannot communicate with one another unless you add rules allowing the traffic (exception: the default security group has these rules by default).
  • Network interfaces are linked to security groups. You can change the security groups associated with an instance after it has been launched, which changes the security groups associated with the primary network interface (eth0). Any other network interface's security groups can also be specified or changed. When you create a network interface, it is automatically assigned to the VPC's default security group, unless you specify a different security group. See Elastic network interfaces for more information on network interfaces.
  • A security group can only be used within the VPC that you specify when you create it.

Your VPC's default security group

Your VPC comes with a default security group. If you do not specify a different security group when you launch the instance, we use the default security group.

You can modify the default security group's rules.

A default security group cannot be deleted. When you attempt to delete the default security group, you will receive the following error:

 Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.

If you have modified the outbound rules for your security group, we do not automatically add an outbound rule for IPv6 traffic when you associate an IPv6 CIDR block with your VPC.

Security group rules

Rules can be added to or removed from a security group (also referred to as authorizing or revoking inbound or outbound access). A rule applies to either inbound (ingress) or outbound (egress) traffic. You can grant access to a specific CIDR range, to another security group in your VPC, or to a security group in a peer VPC (requires a VPC peering connection).

A security group's rules govern the inbound traffic allowed to reach the instances associated with the security group, and the outbound traffic that those instances are permitted to send.

Security group rules have the following characteristics:

  • Security groups are configured to allow all outbound traffic by default.
  • Security group rules are always permissive; rules that deny access cannot be created.
  • You can use security group rules to filter traffic based on protocols and port numbers.
  • Security groups are stateful, which means that if you send a request from your instance, the response traffic is allowed to flow in regardless of the inbound rules. This also implies that responses to permitted inbound traffic are permitted to flow out, regardless of the outbound rules.

For each rule, you specify the following:

  • Name: The security group's name. A name can have up to 255 characters. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;!$*. When we save a name that contains trailing spaces, we trim the spaces. For instance, if you enter "Test Security Group " (with a trailing space) as the name, we save it as "Test Security Group".
  • Protocol: The protocol to allow. The most common protocols are 6 (TCP), 17 (UDP), and 1 (ICMP).
  • Port range: The range of ports to allow for TCP, UDP, or a custom protocol. You can specify a single port number or a range of port numbers.
  • Source or destination: The origin or destination of the traffic. A rule can name any of the following:
  • The current security group
  • A different security group in the same VPC
  • A different security group in a peer VPC (requires a VPC peering connection)
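The characteristics listed under Security group basics and the rule fields above can be checked against a small model. The following Python is an added example for this article, not AWS code: the group ids (sg-web, sg-db, sg-new), the addresses and the rules are constructed, and connection tracking is simplified to a 5-tuple match. It shows a freshly created group rejecting all inbound traffic, a database group whose only inbound rule references the web servers' group (so it matches the private IPs of the interfaces in that group), and a response leaving the database even though its outbound rules have been removed.

```python
"""Toy model of EC2 security group evaluation. Added example, not AWS code;
group ids, addresses and rules are constructed. It reproduces the properties
the text lists: allow-only rules, filtering on protocol and destination port,
association per network interface, rules referencing another security group,
a default allow-all outbound rule, and statefulness via 5-tuple tracking."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str                   # "tcp", "udp", "icmp", or "-1" for all traffic
    from_port: int                  # -1 means all ports (the value AWS uses for "all")
    to_port: int
    cidr: Optional[str] = None      # IPv4 or IPv6 CIDR block, or ...
    group_id: Optional[str] = None  # ... a referenced security group id


ALLOW_ALL_OUT = [Rule("-1", -1, -1, "0.0.0.0/0"), Rule("-1", -1, -1, "::/0")]


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)  # a new group has no inbound rules
    outbound: List[Rule] = field(default_factory=lambda: list(ALLOW_ALL_OUT))


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


class Vpc:
    def __init__(self):
        self.groups: Dict[str, SecurityGroup] = {}
        self.memberships: Dict[str, Set[str]] = {}  # ENI private IP -> associated group ids
        self.tracked: Set[Tuple] = set()             # 5-tuples of flows already allowed

    def add_group(self, group: SecurityGroup):
        self.groups[group.group_id] = group

    def attach(self, private_ip: str, *group_ids: str):
        self.memberships[private_ip] = set(group_ids)

    def _matches(self, rule: Rule, peer_ip: str, flow: Flow) -> bool:
        if rule.protocol != "-1":
            if rule.protocol != flow.protocol:
                return False
            # Security groups filter on the destination port only, never the source port
            if rule.from_port != -1 and not rule.from_port <= flow.dst_port <= rule.to_port:
                return False
        if rule.cidr is not None:
            return ip_address(peer_ip) in ip_network(rule.cidr)
        if rule.group_id is not None:
            # A referenced group matches the private IPs of the ENIs associated with it
            return rule.group_id in self.memberships.get(peer_ip, set())
        return False

    def _side_allows(self, group_ids: Set[str], direction: str, peer_ip: str, flow: Flow) -> bool:
        if not group_ids:  # a host with no ENI in this VPC, e.g. an Internet client
            return True
        # Any matching rule in any associated group allows the traffic; there are no deny rules
        return any(self._matches(r, peer_ip, flow)
                   for g in group_ids for r in getattr(self.groups[g], direction))

    def permits(self, flow: Flow) -> bool:
        """A new flow needs the sender's outbound AND the receiver's inbound rules to allow it.
        A flow that reverses an already-allowed one is a tracked response and passes
        both sides regardless of the rules (statefulness)."""
        reverse = (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, flow.protocol)
        if reverse in self.tracked:
            return True
        egress_ok = self._side_allows(self.memberships.get(flow.src_ip, set()), "outbound", flow.dst_ip, flow)
        ingress_ok = self._side_allows(self.memberships.get(flow.dst_ip, set()), "inbound", flow.src_ip, flow)
        if egress_ok and ingress_ok:
            self.tracked.add((flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.protocol))
        return egress_ok and ingress_ok


def build_sample_vpc() -> Vpc:
    """Constructed layout: two web servers, one database, one instance in a brand-new group."""
    vpc = Vpc()
    vpc.add_group(SecurityGroup("sg-web", inbound=[
        Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 443, 443, "::/0")]))
    # MySQL only from members of sg-web; the default outbound rule has been removed
    vpc.add_group(SecurityGroup("sg-db", inbound=[Rule("tcp", 3306, 3306, group_id="sg-web")], outbound=[]))
    vpc.add_group(SecurityGroup("sg-new"))  # just created: no inbound rules, default outbound
    vpc.attach("10.0.1.10", "sg-web")
    vpc.attach("10.0.1.11", "sg-web")
    vpc.attach("10.0.2.20", "sg-db")
    vpc.attach("10.0.1.30", "sg-new")
    return vpc
```

In a Python shell, build the sample with `vpc = build_sample_vpc()` and feed it flows: `Flow("10.0.1.10", 43000, "10.0.2.20", 3306, "tcp")` is permitted because 10.0.1.10 belongs to sg-web, the reverse flow from the database is then permitted as a tracked response although sg-db has no outbound rules, and a fresh connection initiated by the database is refused for exactly that reason. Two web servers in the same group cannot reach each other on port 22, since membership in one group grants nothing by itself.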

When you create a security group rule, AWS assigns the rule a unique ID. When you use the API or CLI to modify or delete a rule, you can use its ID.

When you specify a security group as the source or destination of a rule, the rule applies to all instances associated with that security group.

When you specify a security group as the source for a rule, traffic from network interfaces associated with the source security group is allowed for the specified protocol and port. Incoming traffic is permitted based on the private IP addresses of network interfaces linked to the source security group. If you configure routers to forward traffic between two instances in different subnets via a middlebox appliance, you must ensure that both instances' security groups allow traffic to flow between them.

Some firewall configuration systems allow you to filter on source ports. You can use security groups to filter only on destination ports.

When you add, update, or delete rules, the changes are applied to all instances associated with the security group.

The type of rules you add is frequently determined by the purpose of the security group. The table below contains example rules for a security group associated with web servers. The web servers can accept HTTP and HTTPS traffic from any IPv4 or IPv6 address and send SQL or MySQL traffic to a database server.

A different set of rules is required for a database server. Instead of inbound HTTP and HTTPS traffic, for example, you could add a rule that allows inbound MySQL or Microsoft SQL Server access.

Stale security group rules

If your VPC has a VPC peering connection to another VPC, or uses a VPC shared by another account, a security group rule can reference a security group in that peer or shared VPC. This enables instances belonging to the referenced security group and those belonging to the referencing security group to communicate with one another.

The security group rule is marked as stale if the security group in the shared VPC is deleted or if the VPC peering connection is deleted. Stale security group rules can be deleted just like any other security group rule.

Work with security groups

Change the default security group

A default security group is included in your VPC. This group cannot be deleted; however, the rules of the group can be changed. The procedure is the same as for any other security group modification.

Create a security group

Although the default security group can be used for your instances, you may want to create your own groups to reflect the various roles that instances play in your system.

New security groups are created with only an outbound rule, which allows all traffic to leave the instances.

  • Open the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Your security groups are listed. Select a security group to view its details, including its inbound and outbound rules.
  • To enable any inbound traffic or to restrict outbound traffic, you must add rules.

To create a security group using the console

  • Navigate to the Amazon VPC console.

  • Select Security Groups from the navigation pane.

  • Select Create a security group.

  • Enter a name and a description for the security group. A security group's name and description cannot be changed after it has been created.

  • Select the VPC from the list.

You have the option of adding security group rules now or later. See Add rules to a security group for more information.

You have the option of adding tags now or later. Choose to add a new tag and enter the tag key and value to add a tag.

Select Create a security group.

To create a security group using the command line

  • create-security-group (AWS CLI)
  • New-EC2SecurityGroup (AWS Tools for Windows PowerShell)

View your security groups

  • To view your security groups using the console, open the Amazon VPC console and select Security Groups from the navigation pane.

  • To view your security groups using the command line:

  • describe-security-groups and describe-security-group-rules (AWS CLI)

  • Get-EC2SecurityGroup and Get-EC2SecurityGroupRule (AWS Tools for Windows PowerShell)

  • To view all of your security groups across Regions, open the Amazon EC2 Global View console.

Tag the security groups

Use tags to help organize and identify your resources, such as by purpose, owner, or environment. Tags can be added to security groups. Each security group's tag keys must be distinct. When you add a tag with a key that is already associated with the security group, the value of that tag is updated.

To tag a security group by console

  • Navigate to the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Select Actions, then Tag Management.
  • The Manage Tags page lists all of the tags that have been assigned to the security group. To add a tag, select Add tag and fill in the tag key and value. To delete a tag, select Remove next to the tag you want to remove.
  • Select Save changes.

To tag a security group by command line

  • create-tags (AWS CLI)

  • New-EC2Tag (AWS Tools for Windows PowerShell)

Add rules to the security group

When you add a rule to a security group, it is automatically applied to all instances associated with the security group. You can use security groups from the peer VPC as the source or destination in your security group rules if you have a VPC peering connection.

To add a rule using a console

  • Navigate to the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Choose a security group.
  • Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

Choose Add rule for each rule and then do the following.

a. Select the type of protocol to allow under Type.

  • You must enter the port range to allow for TCP or UDP.
  • For custom ICMP, you must select the ICMP type name from Protocol and, if applicable, the code name from Port range.
  • The protocol and port range are automatically configured for any other type.

b. To allow traffic, do one of the following for the Source (inbound rules) or Destination (outbound rules):

  • Select Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list.
  • Select Anywhere to allow traffic from any IP address to reach your instances (inbound rules) or All IP addresses to allow traffic from your instances to reach all IP addresses (outbound rules). This option adds the 0.0.0.0/0 IPv4 CIDR block automatically.
  • If your security group is in an IPv6-enabled VPC, this option also adds a rule for the ::/0 IPv6 CIDR block automatically.
  • This option is acceptable for inbound rules for a short period of time in a test environment but is unsafe for production environments. Only allow a specific IP address or range of IP addresses to access your instances in production.
  • Choose Save rules.

To add a rule using the command line

  • authorize-security-group-ingress and authorize-security-group-egress (AWS CLI)

  • Grant-EC2SecurityGroupIngress and Grant-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)

Update Rules

When you update a rule, it is automatically applied to all instances associated with the security group.

To update a rule by console

  • Navigate to the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Choose a security group.
  • Choose Actions, Edit inbound rules or Actions, Edit outbound rules.
  • As needed, revise the rule.
  • Select Save rules.

Tag Rules

Use tags to help organize and identify your resources, such as by purpose, owner, or environment. Tags can be added to security group rules. For each security group rule, tag keys must be unique. When you add a tag with a key that is already associated with a security group rule, the value of that tag is updated.

To tag a rule using the console

  • Navigate to the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Choose a security group.
  • Select the check box for the rule on the Inbound Rules or Outbound Rules tab, then choose to Manage tags.
  • The Manage Tags page displays any tags associated with the rule. To add a tag, select Add tag and fill in the tag key and value. To delete a tag, select Remove next to the tag you want to remove.
  • Select Save changes.

To tag a rule by command line

  • create-tags (AWS CLI)
  • New-EC2Tag (AWS Tools for Windows PowerShell)

Delete Rules

When you remove a rule from a security group, the change is applied to all instances that are associated with the security group.

To delete a rule using a console

  • Navigate to the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Choose a security group.
  • Select Actions, then Edit inbound rules to delete an inbound rule or Edit outbound rules to delete an outbound rule.
  • Select the Delete button next to the rule you want to remove.
  • Select Save rules.

To delete a rule using the command line

  • revoke-security-group-ingress and revoke-security-group-egress (AWS CLI)
  • Revoke-EC2SecurityGroupIngress and Revoke-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)

Change the security groups

When an instance is running or stopped after being launched into a VPC, you can change the security groups that are associated with it.

Delete the security group

A security group can only be deleted if it is not associated with any instances (either running or stopped); if it is still in use, first change the security groups associated with those instances. If you're using the console, you can delete multiple security groups at once. When using the command line or the API, you can only delete one security group at a time.

To delete it using the console

  • Navigate to the Amazon VPC console.
  • Select Security Groups from the navigation pane.
  • Choose Actions, Delete security groups after selecting one or more security groups.
  • When prompted for confirmation, type delete and then choose Delete.

To delete it using the command line

  • delete-security-group (AWS CLI)

  • Remove-EC2SecurityGroup (AWS Tools for Windows PowerShell)

AWS Firewall Manager can be used to centrally manage VPC security groups.

AWS Firewall Manager streamlines the administration and maintenance of your VPC security groups across multiple accounts and resources. With Firewall Manager, you can configure and audit your organization's security groups from a single central administrator account. Firewall Manager applies the rules and protections to all of your accounts and resources automatically, even as you add new ones. Firewall Manager is especially useful if you want to protect your entire organization or if you frequently add new resources that need to be protected from a central administrator account.

  • Configure your organization's common baseline security groups as follows: A common security group policy can be used to provide centralized control over the association of security groups to accounts and resources across your organization. You specify where and how the policy will be implemented in your organization.
  • Audit existing security groups in your organization: An audit security group policy can be used to check the existing rules in your organization's security groups. The policy can be configured to audit all accounts, specific accounts, or resources tagged within your organization. Firewall Manager automatically detects and audits new accounts and resources. You can create audit rules to specify which security group rules to allow or disallow within your organization, as well as to look for unused or redundant security groups.
  • Obtain reports on non-compliant resources and correct them: For your baseline and audit policies, you can receive reports and alerts for non-compliant resources. You can also configure auto-remediation workflows to remediate any non-compliant resources detected by the Firewall Manager.
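The production warning in the Add rules section (inbound rules from 0.0.0.0/0 or ::/0 are for short-lived test use only) and the audit policy described above can be approximated offline against the JSON that describe-security-group-rules and describe-network-interfaces return. The following Python is an added example, not AWS, Firewall Manager or Airzero code: the two documents are constructed sample output with made-up ids (sg-web, sg-old, sgr-web22 and so on), and the baseline of ports acceptable from anywhere (TCP 80 and 443, the article's web-server case) is an assumption you would set per role. It reports world-open inbound rules beyond that baseline and security groups no network interface uses, which is the "unused" case the audit policy looks for.

```python
"""Offline audit of security group rules in the JSON shape returned by
`aws ec2 describe-security-group-rules` and `aws ec2 describe-network-interfaces`.
Added example, not AWS or Airzero code. The documents below are constructed
sample output with made-up ids. It flags inbound rules that accept traffic
from 0.0.0.0/0 or ::/0 beyond an allowed baseline (the article's web-server
case: TCP 80 and 443), and groups that no network interface uses."""
import json
from typing import Dict, List, Set, Tuple

WORLD = {"0.0.0.0/0", "::/0"}
WEB_BASELINE: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443)}  # assumption: web-server role

# Constructed: what describe-security-group-rules returns for four groups
SAMPLE_RULES = json.loads("""{"SecurityGroupRules": [
 {"SecurityGroupRuleId": "sgr-web80",  "GroupId": "sg-web",   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 80,   "ToPort": 80,   "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-web443", "GroupId": "sg-web",   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "CidrIpv6": "::/0"},
 {"SecurityGroupRuleId": "sgr-web22",  "GroupId": "sg-web",   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-webout", "GroupId": "sg-web",   "IsEgress": true,  "IpProtocol": "-1",  "FromPort": -1,   "ToPort": -1,   "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-db3306", "GroupId": "sg-db",    "IsEgress": false, "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "ReferencedGroupInfo": {"GroupId": "sg-web"}},
 {"SecurityGroupRuleId": "sgr-oldall", "GroupId": "sg-old",   "IsEgress": false, "IpProtocol": "-1",  "FromPort": -1,   "ToPort": -1,   "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-admin",  "GroupId": "sg-admin", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "CidrIpv4": "203.0.113.0/24"}
]}""")

# Constructed: what describe-network-interfaces returns; sg-old is attached nowhere
SAMPLE_ENIS = json.loads("""{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-a", "PrivateIpAddress": "10.0.1.10", "Groups": [{"GroupId": "sg-web"}]},
 {"NetworkInterfaceId": "eni-b", "PrivateIpAddress": "10.0.2.20", "Groups": [{"GroupId": "sg-db"}]},
 {"NetworkInterfaceId": "eni-c", "PrivateIpAddress": "10.0.1.30", "Groups": [{"GroupId": "sg-web"}, {"GroupId": "sg-admin"}]}
]}""")


def is_world_open_inbound(rule: dict) -> bool:
    """True for an inbound rule whose source is the whole IPv4 or IPv6 address space."""
    return not rule.get("IsEgress", False) and (
        rule.get("CidrIpv4") in WORLD or rule.get("CidrIpv6") in WORLD)


def exposed_beyond_baseline(rule: dict, baseline: Set[Tuple[str, int]]) -> str:
    """Describe what a world-open rule exposes beyond the baseline; '' if nothing."""
    proto, lo, hi = rule["IpProtocol"], rule["FromPort"], rule["ToPort"]
    if proto == "-1":
        return "all protocols and ports"
    if lo == -1:  # ICMP "all types" is encoded as -1/-1
        return f"{proto} (all types)"
    extra = [p for p in range(lo, hi + 1) if (proto, p) not in baseline]
    if not extra:
        return ""
    return f"{proto} {extra[0]}" if len(extra) == 1 else f"{proto} {extra[0]}-{extra[-1]} ({len(extra)} ports)"


def audit_world_open(rules_doc: dict, baseline: Set[Tuple[str, int]] = WEB_BASELINE) -> Dict[str, str]:
    """Map rule id -> exposure for every inbound rule open to the world beyond the baseline.
    Rules that reference another group or a prefix list never match: their source is
    a set of network interfaces or a managed list, not the Internet."""
    findings = {}
    for rule in rules_doc["SecurityGroupRules"]:
        if is_world_open_inbound(rule):
            what = exposed_beyond_baseline(rule, baseline)
            if what:
                findings[rule["SecurityGroupRuleId"]] = f'{rule["GroupId"]}: {what} from anywhere'
    return findings


def unused_groups(rules_doc: dict, enis_doc: dict) -> List[str]:
    """Groups that carry rules but are attached to no network interface: deletion candidates."""
    known = {r["GroupId"] for r in rules_doc["SecurityGroupRules"]}
    attached = {g["GroupId"] for eni in enis_doc["NetworkInterfaces"] for g in eni["Groups"]}
    return sorted(known - attached)


if __name__ == "__main__":
    for rule_id, desc in audit_world_open(SAMPLE_RULES).items():
        print(f"WORLD-OPEN {rule_id}: {desc}")
    for gid in unused_groups(SAMPLE_RULES, SAMPLE_ENIS):
        print(f"UNUSED     {gid}")
```

Against the sample data the script reports sgr-web22 (SSH open to the world on a web group) and sgr-oldall (all traffic from anywhere), and lists sg-old as unused; the IPv6 rule for 443 and the egress rule are not findings, and the rule that references sg-web is skipped because its source is a set of interfaces rather than the Internet. To run it against real data, replace the two constants with the output of the two CLI commands named in the docstring.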

If you have any doubt about the above topic, don't hesitate to contact us. Airzero Cloud will be your digital partner.
