AWS security groups are the virtual firewall that controls traffic to and from EC2 instances. A security group filters both the inbound and the outbound traffic of the instances it is attached to. AWS is the go-to platform for businesses that need cloud services for storage, databases, or private networking, and one of its main selling points is security: the platform offers purpose-built controls for filtering traffic according to the needs of each project.

Introduction

Because AWS focuses heavily on the security of its cloud services, it provides security groups (SGs) for EC2 instances. EC2 instances are virtual servers that let businesses run applications on the AWS ecosystem. Security groups act as virtual firewalls for the EC2 instances in your account and evaluate both inbound and outbound traffic.

Security groups play a crucial role in the AWS ecosystem. When you create a security group, you define the rules it uses to filter traffic for a particular instance. Rules match traffic on IP protocol, port range, and source or destination, where the source or destination is an IPv4 or IPv6 CIDR block or another security group.

Every VPC comes with a default security group, and an instance launched without an explicit choice is attached to it. It is better to create and configure security groups for the specific needs of each instance or role than to rely on the default, so that traffic is filtered precisely.

Security Group vs NACL

AWS has another network security feature, Network Access Control Lists (NACLs). NACLs operate at the subnet level and filter traffic entering and leaving each subnet of a VPC. Although NACLs and security groups sound similar, there are important distinctions.

Association - Security groups are attached to EC2 instances (more precisely, to their network interfaces). NACLs are attached to subnets and therefore apply to every instance in the subnet.

Statefulness - In AWS, statefulness means that the firewall tracks connections and automatically allows the return traffic of a connection it has permitted. Security groups are stateful: if an inbound rule allows a request, the response is allowed out regardless of the outbound rules, and the same holds in the other direction. NACLs are stateless: request and response are evaluated independently, so an allowed inbound request on port 80 also needs an outbound rule that covers the client's ephemeral port range, or the response never leaves the subnet.

Rule types - Security group rules can only allow traffic; anything not explicitly allowed is implicitly denied, and all rules are evaluated together. NACLs support both allow and deny rules, evaluated in ascending rule-number order until the first match.

These are the crucial differences between the two features. Understanding them helps you build AWS infrastructure that fits your security needs: security groups are the primary instance-level control, and NACLs serve as a coarse, subnet-wide backstop.

How do Security Groups Work?

An instance launched without a security group is attached to the default security group of its VPC. To get the most out of SGs, configure rules that filter traffic according to your business needs. Each rule has four components: type, protocol, port range, and source (for inbound rules) or destination (for outbound rules).

The type is a preset for a common service. The console offers a dropdown that includes HTTPS, SSH, and others, and choosing one fills in the protocol and port for you. The protocol defaults to TCP and can be changed to UDP, ICMP, or another protocol, for IPv4 or IPv6.

The port range is filled in by the type preset, but you can adjust it to match the service running on the instance. The source (or destination) is either an IPv4 or IPv6 CIDR block, which can be a single address such as 203.0.113.10/32 or a subnet range, or another security group. Although it is tempting to allow access from anywhere (0.0.0.0/0 or ::/0), doing so for administrative ports such as SSH is a serious security risk.

How to Create a Security Group in AWS?

Although AWS attaches the VPC's default security group to any instance launched without one, creating your own SGs gives you far better control. Here are the steps to create a security group with rules.

Step 1: Log in to the AWS console, open the EC2 dashboard, and select 'Security Groups' from the left-hand panel.

Step 2: Choose 'Create security group' and enter a name and a description. Choose them carefully: the name and description cannot be changed after the group is created. Then select the VPC in which the security group will live.

Step 3: Once the VPC is chosen, define inbound rules by clicking 'Add rule'. Each rule specifies a type, protocol, port range, and source.

Step 4: Similarly, define outbound rules, which govern traffic leaving your resources. A new security group allows all outbound traffic by default; remove or tighten that rule if the instance does not need unrestricted egress.

Step 5: Double-check the rules you have defined, then click 'Create security group'.

The Rules Found in AWS Security Groups

Field | Description
Rule type | Whether the rule is inbound or outbound.
Protocol | The protocol the rule applies to (e.g., TCP, UDP, ICMP, or all).
Port range | The port or port range the rule applies to (e.g., 80, 443, 1024-65535).
Source/Destination | The source (inbound) or destination (outbound): an IPv4 CIDR block (e.g., 0.0.0.0/0), an IPv6 CIDR block (e.g., ::/0), or another security group ID.
Description | A free-text description of the rule.
Security group ID | The ID of the security group the rule belongs to (e.g., sg-0123456789abcdef0).
Security group name | The name of the security group.

Example

Rule type | Protocol | Port range | Source/Destination | Description
Inbound | TCP | 22 | 0.0.0.0/0 | Allow SSH access
Inbound | TCP | 80 | 0.0.0.0/0 | Allow HTTP traffic
Inbound | TCP | 443 | 0.0.0.0/0 | Allow HTTPS traffic
Outbound | All | All | 0.0.0.0/0 | Allow all outbound

Each row stands for a pair of rules, one with the IPv4 range 0.0.0.0/0 and one with the IPv6 range ::/0, all belonging to the group sg-0123456789abcdef0 named my-security-group. Note that the SSH row exposes port 22 to the whole internet; in a real deployment restrict its source to your administrative IP range or to a bastion host's security group, as the best practices below recommend.

Useful Commands of Security Groups

Command | Description
aws ec2 create-security-group | Creates a new security group.
aws ec2 delete-security-group | Deletes an existing security group.
aws ec2 describe-security-groups | Describes one or more security groups, including their rules.
aws ec2 authorize-security-group-ingress | Adds an inbound rule allowing traffic from a specified source.
aws ec2 revoke-security-group-ingress | Removes an inbound rule.
aws ec2 authorize-security-group-egress | Adds an outbound rule allowing traffic to a specified destination.
aws ec2 revoke-security-group-egress | Removes an outbound rule.
aws ec2 update-security-group-rule-descriptions-ingress / -egress | Updates the description of inbound or outbound rules.
aws ec2 modify-security-group-rules | Updates the properties of existing rules (protocol, port range, source/destination) by rule ID.
aws ec2 describe-security-group-references | Lists the VPCs on the other side of a VPC peering connection whose security groups reference the specified groups.
aws ec2 describe-security-group-rules | Describes the inbound and outbound rules of a security group, each with its rule ID.

Best Practices for Security Groups

If you are unsure how to start defining rules for your security group, here are some best practices for creating and defining SGs in AWS.

Start from deny-all: Security groups cannot express deny rules, but everything that is not explicitly allowed is denied. Start with an empty rule set, add only the allows each instance needs, and remember that a new group permits all outbound traffic until you remove that rule.

Limit access to specific IP ranges: Restrict each rule to the narrowest source CIDR and port range that still works. Never open administrative ports such as SSH (22) or RDP (3389) to 0.0.0.0/0.

Create role-based SGs: With many SGs it is easy to lose track of what each one does. Create one group per role (for example web, app, and database) and reference groups as sources in other groups' rules, so that the database tier allows traffic only from the app tier's security group rather than from an IP range.

Conduct regular audits: As infrastructure changes, instances and security groups change with it. Use automation to detect overly permissive rules, unused groups, and drift from what you intended, and review the results regularly.

Conclusion

In the AWS ecosystem, a security group is a virtual firewall that controls the inbound and outbound traffic of your servers. Every EC2 instance is attached to at least one security group, and you define what a group does through the rules you give it. By writing rules that match what each server actually needs, you get a security group that filters traffic precisely.

Read more: https://devopsden.io/article/roles-and-responsibilities-of-a-devops-engineer
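The stateful versus stateless distinction from the Security Group vs NACL section is easiest to see on concrete packets. The following Python model is an added example written for this article, not AWS code: it reproduces the documented evaluation semantics (security groups are allow-only, implicitly deny, and track connections; NACLs are numbered allow/deny rules, first match wins, no state) and runs a constructed web-server scenario through both. All addresses, ports and rule numbers are made up.

```python
"""Toy model of security-group and NACL evaluation (added example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = leaving it
    protocol: str    # "tcp" or "udp"
    peer_ip: str     # address of the remote host
    peer_port: int   # port on the remote host
    local_port: int  # port on the instance

    def key(self):
        return (self.direction, self.protocol, self.peer_ip, self.peer_port, self.local_port)

    def reverse_key(self):
        # Flow key of the connection this packet would be a reply to.
        other = "out" if self.direction == "in" else "in"
        return (other, self.protocol, self.peer_ip, self.peer_port, self.local_port)


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str        # remote address range

    def matches(self, pkt):
        # Inbound rules match the instance port; outbound rules match the
        # remote (destination) port, as in the AWS console.
        port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
        return ((self.protocol == "all" or self.protocol == pkt.protocol)
                and self.from_port <= port <= self.to_port
                and ip_address(pkt.peer_ip) in ip_network(self.cidr))


class SecurityGroup:
    """Allow-only rules, implicit deny, connection tracking (stateful)."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()  # keys of packets a rule has already allowed

    def allows(self, pkt):
        if pkt.reverse_key() in self.flows:
            return True  # return traffic of a tracked flow, no rule needed
        if any(r.matches(pkt) for r in self.rules[pkt.direction]):
            self.flows.add(pkt.key())
            return True
        return False  # nothing matched: implicit deny (SGs have no deny rules)


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, no state."""

    def __init__(self, entries):
        # entries: (rule_number, direction, "allow" | "deny", Rule); the
        # trailing "*" deny of a real NACL is implicit here.
        self.entries = sorted(entries, key=lambda e: e[0])

    def allows(self, pkt):
        for _, direction, action, rule in self.entries:
            if direction == pkt.direction and rule.matches(pkt):
                return action == "allow"
        return False


def run_scenario():
    """Constructed web server: HTTP in from anywhere, HTTPS out to one /24."""
    http_in = Rule("tcp", 80, 80, "0.0.0.0/0")
    https_out = Rule("tcp", 443, 443, "203.0.113.0/24")
    sg = SecurityGroup(inbound=[http_in], outbound=[https_out])
    nacl = NetworkAcl([
        (90, "in", "deny", Rule("tcp", 80, 80, "198.51.100.0/24")),  # block one abusive /24
        (100, "in", "allow", http_in),
        (100, "out", "allow", https_out),
    ])
    nacl_fixed = NetworkAcl(nacl.entries + [
        (110, "out", "allow", Rule("tcp", 1024, 65535, "0.0.0.0/0")),  # ephemeral ports for replies
    ])
    client = "192.0.2.10"
    request = Packet("in", "tcp", client, 51515, 80)
    response = Packet("out", "tcp", client, 51515, 80)
    ssh_probe = Packet("in", "tcp", client, 40001, 22)
    abusive_request = Packet("in", "tcp", "198.51.100.7", 50000, 80)
    return {
        "sg_request": sg.allows(request),
        "sg_response": sg.allows(response),            # tracked flow: allowed without an egress rule
        "sg_ssh_probe": sg.allows(ssh_probe),          # no matching allow: implicit deny
        "sg_abusive_request": sg.allows(abusive_request),  # SGs cannot deny a specific /24
        "nacl_request": nacl.allows(request),
        "nacl_response": nacl.allows(response),        # stateless: no rule for port 51515
        "nacl_fixed_response": nacl_fixed.allows(response),  # rule 110 covers the ephemeral port
        "nacl_abusive_request": nacl.allows(abusive_request),  # rule 90 deny wins over rule 100
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {'ALLOW' if verdict else 'DENY'}")
```

The same pair of rules produces different outcomes for the HTTP response: the security group lets it out because it belongs to a tracked connection, while the NACL drops it until an outbound rule for the client's ephemeral port range exists. The abusive /24 shows the other side of the trade: only the NACL can express the deny.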
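The creation procedure (Steps 1 to 5), the command table, and the role-based best practice come together in the following Python example. It is added here and is not AWS's or the article's own code. The functions accept any object that exposes the boto3 EC2 client methods create_security_group, revoke_security_group_egress, authorize_security_group_ingress and authorize_security_group_egress (the API counterparts of the CLI commands above), so you can pass boto3.client("ec2") for a real run or the RecordingClient included below to see the calls offline. The VPC ID, admin CIDR and group names are assumed values.

```python
"""Create role-based web and db security groups via the EC2 API (added example)."""


def cidr_rule(protocol, from_port, to_port, cidr, description):
    """One IpPermissions entry whose source/destination is an IPv4 CIDR."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}


def group_rule(protocol, from_port, to_port, group_id, description):
    """One IpPermissions entry whose source/destination is another security group."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "UserIdGroupPairs": [{"GroupId": group_id, "Description": description}]}


# The allow-all egress rule AWS puts on every newly created security group.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def create_locked_down_group(ec2, name, description, vpc_id, ingress, egress):
    """Steps 2-5 as API calls: create the group in the VPC, remove the default
    allow-all egress, then add only the listed rules. Returns the GroupId."""
    group_id = ec2.create_security_group(
        GroupName=name, Description=description, VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=[DEFAULT_EGRESS])
    if ingress:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=ingress)
    if egress:
        ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=egress)
    return group_id


def build_web_db_tier(ec2, vpc_id, admin_cidr):
    """Two role-based groups: web-sg reachable from the internet on 80/443 and
    from admin_cidr on 22; db-sg reachable on 3306 only from web-sg."""
    web_ingress = [
        cidr_rule("tcp", 80, 80, "0.0.0.0/0", "HTTP from anywhere"),
        cidr_rule("tcp", 443, 443, "0.0.0.0/0", "HTTPS from anywhere"),
        cidr_rule("tcp", 22, 22, admin_cidr, "SSH from admin range only"),
    ]
    web_egress = [cidr_rule("tcp", 443, 443, "0.0.0.0/0", "HTTPS to mirrors and APIs")]
    web_sg = create_locked_down_group(ec2, "web-sg", "Public web tier", vpc_id,
                                      web_ingress, web_egress)
    db_ingress = [group_rule("tcp", 3306, 3306, web_sg, "MySQL from web tier only")]
    db_sg = create_locked_down_group(ec2, "db-sg", "Database tier", vpc_id, db_ingress, [])
    # The web tier's egress is also pinned to the db group, not to an IP range.
    ec2.authorize_security_group_egress(
        GroupId=web_sg,
        IpPermissions=[group_rule("tcp", 3306, 3306, db_sg, "MySQL to db tier")])
    return {"web": web_sg, "db": db_sg}


class RecordingClient:
    """Offline stand-in for boto3.client("ec2"): records calls and fakes IDs."""

    def __init__(self):
        self.calls = []
        self._counter = 0

    def create_security_group(self, **kwargs):
        self._counter += 1
        self.calls.append(("create_security_group", kwargs))
        return {"GroupId": f"sg-{self._counter:017x}"}  # made-up 17-hex-digit ID

    def revoke_security_group_egress(self, **kwargs):
        self.calls.append(("revoke_security_group_egress", kwargs))
        return {"Return": True}

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize_security_group_ingress", kwargs))
        return {"Return": True}

    def authorize_security_group_egress(self, **kwargs):
        self.calls.append(("authorize_security_group_egress", kwargs))
        return {"Return": True}


if __name__ == "__main__":
    client = RecordingClient()  # swap in boto3.client("ec2") to apply for real
    ids = build_web_db_tier(client, vpc_id="vpc-0a1b2c3d4e5f67890", admin_cidr="203.0.113.0/24")
    print(ids)
    for method, kwargs in client.calls:
        print(method, kwargs.get("GroupId", ""), kwargs.get("IpPermissions", ""))
```

Revoking the default egress rule right after creation is what turns the console's "allow all outbound" default into the deny-all starting point recommended above; the db group ends up with no egress at all, which is correct for a database that only answers queries.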
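The "limit access" and "conduct regular audits" practices, and the caveat on the SSH row of the example table, can be automated over the output of aws ec2 describe-security-groups. The following audit script is an added example, not part of the original article or of any AWS tool. It reads the real JSON shape of that command (or of boto3's describe_security_groups) and flags rules open to the whole internet, grading administrative ports highest. The embedded sample is constructed to mirror the example table, with a second made-up group that references the first instead of an IP range; the list of administrative ports is an assumption to adjust for your environment.

```python
"""Audit describe-security-groups output for world-open rules (added example)."""
import json

# Assumed list of ports that must never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 27017: "MongoDB"}
PUBLIC_OK = {80, 443}          # services expected to face the internet
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def world_open(perm):
    """True if the permission's source/destination covers the whole internet."""
    return (any(r["CidrIp"] == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r["CidrIpv6"] == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def audit_group(group):
    """Return (group_id, severity, message) findings for one security group."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        if not world_open(perm):
            continue  # CIDR-limited or SG-referenced sources are what we want
        proto = perm["IpProtocol"]
        if proto == "-1":
            findings.append((gid, "HIGH", "inbound all protocols and ports open to the world"))
            continue
        if proto not in ("tcp", "udp"):
            findings.append((gid, "MEDIUM", f"inbound {proto} open to the world"))
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        admin_hits = [f"{ADMIN_PORTS[p]} ({p}/{proto})" for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
        for hit in admin_hits:
            findings.append((gid, "HIGH", f"inbound {hit} open to the world"))
        if not admin_hits and not (lo == hi and lo in PUBLIC_OK):
            findings.append((gid, "MEDIUM", f"inbound {proto} {lo}-{hi} open to the world"))
    for perm in group.get("IpPermissionsEgress", []):
        if world_open(perm) and perm["IpProtocol"] == "-1":
            findings.append((gid, "LOW", "outbound all traffic to anywhere (default egress rule still present)"))
    return findings


def audit(data):
    """Audit a whole describe-security-groups response."""
    return [f for g in data.get("SecurityGroups", []) for f in audit_group(g)]


def audit_file(path):
    with open(path) as fh:
        return audit(json.load(fh))


# Constructed sample in describe-security-groups shape; identifiers are made up.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "my-security-group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow SSH access"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow HTTP traffic"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow HTTPS traffic"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}]}


if __name__ == "__main__":
    import sys
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE)
    for gid, severity, message in results:
        print(f"{severity:6} {gid}  {message}")
```

To run it against a real account, save the command output first (aws ec2 describe-security-groups > sgs.json) and pass the file as the only argument. On the sample, the SSH row from the example table is the single HIGH finding, the open 80 and 443 rows are accepted as intended public services, the default egress rule is reported as LOW, and the db group's SG-referenced 3306 rule produces nothing, which is exactly the difference between the example table and the role-based design recommended above.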