
AWS Security Groups

An AWS virtual network interface is located within each instance, and Amazon installs a software firewall on every instance. The firewall is there to manage traffic to and from the instance. Security groups control the network traffic associated with every instance; you must understand that only traffic associated with a specific instance is directed to that instance. The mechanism you use to define the security rules that control this traffic is the security group.

 

Security groups are asymmetric, in that they apply to inbound traffic (traffic being sent to the instance). At this time, no controls are placed on traffic sent from the instance. (Note that this is not true with VPC 

 

Security group rules control the following elements of network traffic access:

✓ Traffic protocol: Security groups support and apply to three types of network traffic:

• Transmission Control Protocol (TCP)

• User Datagram Protocol (UDP): This network protocol, less sophisticated than TCP, is hardly used, so you can safely ignore it.

• Internet Control Message Protocol (ICMP): This protocol is used to support certain diagnostic network commands and for applications to send error messages. (My guess is that you probably won’t use this protocol much, either.)

✓ Traffic source: The idea is to control those sources from which a security group accepts traffic. The security group can be set to allow traffic from everyone, from only a specific IP address, from a range of IP addresses, or from other members of the security group.

✓ Traffic port: TCP traffic moves between ports, which can be thought of as individual network connections within overall network connectivity. Ports are typically associated with specific applications, and all traffic to a specific port is directed toward that application. For example, Port 80 is used to support web traffic (or, more precisely, HTTP traffic). Everyone tries to confine a port’s traffic to a single application; otherwise, you run into problems when two applications try to read network traffic on a single port — where should the packet be sent?

 

Security group traffic sources are extremely important and are certain to occupy your attention when you design an application. When you understand how traffic sources and security groups work, you can make your application much more secure. The traffic protocol limitations discussed here apply to EC2 security groups. In AWS’s Virtual Private Cloud (VPC), any protocol can be used.
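To make the three rule elements above (protocol, source, port) concrete, here is an added Python model of how inbound evaluation works; it is example code written for this page, not code from the book or from AWS. It captures what the text states: rules are allow-only, a group with no rules (like the initial default group) admits nothing, a source is either an IP range or membership of another security group, and only inbound traffic is checked. The group names (CFWordpress-WebServer from the text, plus a constructed db-tier and a deliberately risky group), the IP addresses, and the packets are constructed sample data. The audit helper world_open_ports goes slightly beyond the text: it flags rules that accept traffic from anywhere on ports you did not intend to expose, which is the check a reviewer would run over a group before attaching it to an instance.

```python
"""Toy model of EC2 security group inbound semantics (added example, not AWS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Rule:
    protocol: str                        # "tcp", "udp" or "icmp"
    from_port: int                       # start of the port range (ignored for icmp)
    to_port: int                         # end of the port range
    cidr: Optional[str] = None           # source given as an IP range, e.g. "203.0.113.0/24"
    source_group: Optional[str] = None   # or: source is any member of this security group

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if (self.cidr is None) == (self.source_group is None):
            raise ValueError("a rule needs exactly one of cidr or source_group")


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)   # empty list = nothing allowed in


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_port: int
    src_groups: FrozenSet[str] = frozenset()   # groups the sending instance belongs to


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if this single allow rule covers the packet."""
    if rule.protocol != pkt.protocol:
        return False
    # ICMP has no ports; for TCP/UDP the destination port must fall inside the range
    if rule.protocol != "icmp" and not (rule.from_port <= pkt.dst_port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ip_address(pkt.src_ip) in ip_network(rule.cidr, strict=False)
    return rule.source_group in pkt.src_groups


def inbound_allowed(groups: List[SecurityGroup], pkt: Packet) -> bool:
    """Allow-only evaluation: admitted if any rule of any attached group matches, else dropped."""
    return any(rule_matches(r, pkt) for g in groups for r in g.rules)


def world_open_ports(group: SecurityGroup,
                     allowed_public: FrozenSet[int] = frozenset({80, 443})) -> List[Rule]:
    """Audit helper: TCP/UDP rules open to everyone (0.0.0.0/0) on ports not meant to be public."""
    findings = []
    for r in group.rules:
        if r.cidr is None or r.protocol == "icmp":
            continue
        if ip_network(r.cidr, strict=False).prefixlen != 0:   # not "from anywhere"
            continue
        if not set(range(r.from_port, r.to_port + 1)) <= allowed_public:
            findings.append(r)
    return findings


# Constructed sample groups (names other than CFWordpress-WebServer are made up)
DEFAULT = SecurityGroup("default")                 # no rules: no traffic reaches the instance
WEB = SecurityGroup("CFWordpress-WebServer", [
    Rule("tcp", 80, 80, cidr="0.0.0.0/0"),         # HTTP from anyone
    Rule("tcp", 22, 22, cidr="203.0.113.0/24"),    # SSH only from an admin address range
])
DB = SecurityGroup("db-tier", [
    Rule("tcp", 3306, 3306, source_group="CFWordpress-WebServer"),   # MySQL only from web tier
])
RISKY = SecurityGroup("risky", [
    Rule("tcp", 22, 22, cidr="0.0.0.0/0"),         # SSH from anywhere: the audit should flag this
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
])

if __name__ == "__main__":
    print(inbound_allowed([WEB], Packet("tcp", "198.51.100.7", 80)))   # True
    print(inbound_allowed([WEB], Packet("tcp", "198.51.100.7", 22)))   # False
    print(inbound_allowed([DEFAULT], Packet("tcp", "198.51.100.7", 80)))   # False
    print(world_open_ports(RISKY))                                     # the port-22 rule
```

Membership sources are why the db-tier group can admit MySQL from any web-tier instance without listing their addresses: a packet from 10.0.1.5 is accepted only when the sending instance carries the CFWordpress-WebServer group, and refused otherwise, as the assertions below show.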

Security groups

Every account has one predefined security group: default. Default starts out with no traffic being allowed to access the instance, so whenever you launch an instance with the initial default security group controlling what network traffic is accepted, no traffic can reach the instance. You can also create additional security groups and place rules within the new security groups. An AWS account can have up to 500 security groups and 100 rules per security group.

 

Security group rules

To allow traffic into an instance, open one or more ports by creating a security group rule for the default security group. For example, you can create a rule to allow HTTP traffic to enter the instance.

 

The figure shows that I’ve selected the CFWordpress-WebServer security group and clicked the Inbound tab, which brings up a dialog box listing a number of common TCP protocols (including DNS, HTTP, and POP3, a popular e-mail protocol) that allow me to make rules for data access. You can select a predefined protocol or create a custom rule based on either TCP, UDP, or ICMP.

 

If you create a rule for a predefined TCP protocol, the Port Range field is filled in with the port associated with that protocol. (Figure 7-3 gives you a better view of the Port Range field.) In the Source field, you can define the IP address or addresses from which to accept traffic.

 

After you’re satisfied with the rule, click the Add Rule button to add the new rule to whichever security group you’re targeting. You can then use this security group as part of an instance launch definition, and traffic that fits this rule is accepted into the instance.
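The same steps the console walks through (create a group that admits nothing, then add inbound rules with a protocol, port range and source) can be scripted. The following is an added Python example using the boto3 EC2 client, not code from the book or from AWS. The EC2 client is passed in as a parameter so the function can be exercised offline against the FakeEC2 stand-in defined below; the group name, admin CIDR and the returned group id are constructed values. The IpPermissions structure is the one the real authorize_security_group_ingress call takes; for a VPC group you would also pass VpcId to create_security_group.

```python
"""Provisioning a security group and its inbound rules (added example, not AWS code)."""
from typing import Any, Dict, List, Optional, Tuple


def ingress_permission(protocol: str, from_port: int, to_port: int,
                       cidr: Optional[str] = None, source_group_id: Optional[str] = None,
                       description: str = "") -> Dict[str, Any]:
    """Build one IpPermissions entry: a protocol, a port range and exactly one source."""
    if (cidr is None) == (source_group_id is None):
        raise ValueError("exactly one of cidr or source_group_id is required")
    perm: Dict[str, Any] = {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port}
    if cidr is not None:
        perm["IpRanges"] = [{"CidrIp": cidr, "Description": description}]      # source = IP range
    else:
        perm["UserIdGroupPairs"] = [{"GroupId": source_group_id,               # source = members
                                     "Description": description}]             # of another group
    return perm


def create_web_group(ec2, name: str, admin_cidr: str) -> str:
    """Create a group (closed by default), then open only HTTP to everyone and SSH to admin_cidr."""
    resp = ec2.create_security_group(GroupName=name, Description=f"{name} inbound rules")
    group_id = resp["GroupId"]
    ec2.authorize_security_group_ingress(
        GroupId=group_id,
        IpPermissions=[
            ingress_permission("tcp", 80, 80, cidr="0.0.0.0/0", description="public HTTP"),
            ingress_permission("tcp", 22, 22, cidr=admin_cidr, description="SSH from admin range"),
        ],
    )
    return group_id


class FakeEC2:
    """Records the API calls instead of talking to AWS, so the example runs offline."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def create_security_group(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("create_security_group", kwargs))
        return {"GroupId": "sg-0123456789abcdef0"}   # constructed group id

    def authorize_security_group_ingress(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("authorize_security_group_ingress", kwargs))
        return {"Return": True}


if __name__ == "__main__":
    # With real credentials you would use: ec2 = boto3.client("ec2", region_name="us-east-1")
    ec2 = FakeEC2()
    gid = create_web_group(ec2, "CFWordpress-WebServer", "203.0.113.0/24")   # constructed CIDR
    print("created", gid)
    for api_name, kwargs in ec2.calls:
        print(api_name, kwargs)
```

Keeping the rule builder separate from the call that applies it lets you review the exact port ranges and sources in code review before anything reaches the account, which is where an accidental 0.0.0.0/0 on an administrative port is cheapest to catch.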


You can add or remove rules from a security group at any time, and any instances running with the security group will have the rule changed almost immediately. You can then add a new rule, and the instance can accept new traffic quickly. You cannot, however, add an entire security group to, or remove it from, a running instance.
