
What is a Security Group in AWS?


An AWS security group is a virtual firewall that controls traffic to and from EC2 instances. Using the rules you define, a security group filters both the inbound and the outbound traffic of an EC2 instance.

AWS is the go-to platform for businesses that require different cloud solutions for optimizing their workflow, be it for storage, databases, or virtual private cloud servers. One of the main features of AWS is its enhanced security - this is especially true as AWS offers specialized solutions that can filter traffic as per project needs.

Introduction

Since AWS focuses immensely on the security of its cloud solutions and services, the platform offers security groups (SGs) for its EC2 instances. EC2 instances are virtual servers offering infrastructure that lets businesses run applications on the AWS ecosystem. Security groups are virtual firewalls for the EC2 instances you create in your AWS account. SGs evaluate both inbound and outbound traffic.

Security groups have a crucial role in the AWS ecosystem of solutions. When you create a security group, you can configure it with the kind of filters that you want for the particular instance. The filtering parameters based on which SGs manage traffic include IP protocol, port number, IP address, and CIDR block.

By default, AWS offers a security group for every EC2 instance you create. However, it is better to customize and configure security groups as per the needs of every EC2 instance. This ensures effective filtering of traffic.

Security Group vs NACL

AWS has another security feature known as Network Access Control Lists (NACLs). NACLs operate at the subnet level, controlling the traffic that enters and leaves the subnets of a virtual private cloud. While NACLs and security groups sound similar, there are several distinctions between them.

  • Association - Security groups are associated with EC2 instances. NACLs are associated with subnets.
  • Statefulness - In AWS, statefulness is the ability of a security group to track a connection and automatically allow its return traffic. Security groups are stateful: if an inbound request is permitted, the response is allowed out automatically, regardless of the outbound rules. NACLs are stateless, so return traffic is evaluated against the rules like any other traffic.
  • Rule Accommodations - Security groups in AWS support only “Allow” rules. NACLs support both “Allow” and “Deny” rules.

These are some of the crucial differences between these two features. Understanding the features helps you to build better infrastructures in AWS that fit your security needs.

How do Security Groups Work?

For every EC2 instance you create, there will be a default security group created by AWS. To get the best out of SGs, you have to configure the rules so that you can filter traffic as per business needs. Each rule that is created in AWS contains four components - type, protocol, port range, and source.

The type is the kind of traffic the rule covers. The console offers a dropdown of common types, including HTTPS and SSH. The protocol defaults to TCP; you can change it to UDP, ICMP, or another protocol, and you can choose between IPv4 and IPv6 variants where they exist.

The port range is filled in automatically from the type, but you can adjust it to match the protocol and the needs of your EC2 instance. The source is the IP range the rule applies to: either a custom IP address or a subnet range in CIDR notation. While it might seem tempting to allow access from anywhere (0.0.0.0/0), this can turn out to be a severe security concern.
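To make the rule components and the stateful, allow-only, default-deny behavior described above (and in the comparison with NACLs) concrete, here is an added Python model; it is an illustration written for this page, not AWS code, and the Rule and SecurityGroup classes, the connection table and the sample addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model of security-group semantics (illustration, not AWS code):
# rules are allow-only and unordered, anything unmatched is denied, and the
# group is stateful, so replies to an allowed connection need no rule.

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int  # -1 means all ports
    to_port: int
    cidr: str       # source for inbound rules, destination for outbound

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        return ip_address(addr) in ip_network(self.cidr)

@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # connection table: (protocol, local port, remote address, remote port)
    conns: set = field(default_factory=set)

    def allow_inbound(self, proto: str, src: str, src_port: int, dst_port: int) -> bool:
        if (proto, dst_port, src, src_port) in self.conns:
            return True  # reply to a connection the instance opened
        if any(r.matches(proto, dst_port, src) for r in self.inbound):
            self.conns.add((proto, dst_port, src, src_port))
            return True
        return False  # default deny: there are no Deny rules, none are needed

    def allow_outbound(self, proto: str, dst: str, dst_port: int, src_port: int) -> bool:
        if (proto, src_port, dst, dst_port) in self.conns:
            return True  # reply to an allowed inbound connection
        if any(r.matches(proto, dst_port, dst) for r in self.outbound):
            self.conns.add((proto, src_port, dst, dst_port))
            return True
        return False

def demo() -> tuple:
    # Web server: only HTTPS in, no outbound rules at all (constructed addresses).
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
    request = sg.allow_inbound("tcp", "203.0.113.5", 51000, 443)  # allowed by rule
    reply = sg.allow_outbound("tcp", "203.0.113.5", 51000, 443)   # allowed by state
    ssh = sg.allow_inbound("tcp", "198.51.100.7", 40000, 22)      # no rule: denied
    return request, reply, ssh
```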

How to Create a Security Group in AWS?

While AWS creates a default security group with the creation of every EC2 instance, it is better to create your custom SGs to enhance security. Here are the detailed steps on how to create security groups with filters.

Step 1: Once you log on to your AWS console, go to the EC2 dashboard. Now select the ‘Security Groups’ option from the panel.

Step 2: Select the ‘Create Security Group’ option from the menu. Now, enter the name of the group and provide its description.

This is a crucial step, because the name and description are how you will later recognize what the group is for. Select the VPC (virtual private cloud) in which the security group will be created, then specify the inbound and outbound rules.

Step 3: Once you have chosen the VPC, you can define inbound rules by clicking ‘New Rule’. Each rule is based on a type, a protocol, a port range, and a source IP range.

Step 4: Similarly, you can create new outbound rules as well. These manage the traffic that leaves your AWS resources.

Step 5: Double-check the rules you have defined. Once everything is set, click ‘Create Security Group’ to get started.
The Rules Found in AWS Security Groups

Field | Description
Rule Type | Specifies whether the rule is inbound or outbound.
Protocol | The protocol to which the rule applies (e.g., TCP, UDP, ICMP).
Port Range | The port or port range to which the rule applies (e.g., 80, 443, 1024-65535).
Source/Destination | The source (for inbound rules) or destination (for outbound rules) IP address range (e.g., 0.0.0.0/0).
Description | A description of the rule.
Security Group ID | The ID of the security group to which the rule belongs.
CIDR Block | The IPv4 CIDR block from which traffic is allowed (inbound) or to which traffic is allowed (outbound).
IPv6 CIDR Block | The IPv6 CIDR block from which traffic is allowed (inbound) or to which traffic is allowed (outbound).
Security Group Name | The name of the security group.

Example

Rule Type | Protocol | Port Range | Source/Destination | Description | Security Group ID | CIDR Block | IPv6 CIDR Block | Security Group Name
Inbound | TCP | 22 | 0.0.0.0/0 | Allow SSH access | sg-0123456789abcdef0 | 0.0.0.0/0 | ::/0 | my-security-group
Inbound | TCP | 80 | 0.0.0.0/0 | Allow HTTP traffic | sg-0123456789abcdef0 | 0.0.0.0/0 | ::/0 | my-security-group
Inbound | TCP | 443 | 0.0.0.0/0 | Allow HTTPS traffic | sg-0123456789abcdef0 | 0.0.0.0/0 | ::/0 | my-security-group
Outbound | All | All | 0.0.0.0/0 | Allow all outbound | sg-0123456789abcdef0 | 0.0.0.0/0 | ::/0 | my-security-group

Useful Commands of Security Groups

Command | Description
aws ec2 create-security-group | Creates a new security group.
aws ec2 delete-security-group | Deletes an existing security group.
aws ec2 describe-security-groups | Describes one or more security groups.
aws ec2 authorize-security-group-ingress | Adds a rule to a security group allowing inbound traffic from a specified source.
aws ec2 revoke-security-group-ingress | Removes a rule from a security group that allows inbound traffic from a specified source.
aws ec2 authorize-security-group-egress | Adds a rule to a security group allowing outbound traffic to a specified destination.
aws ec2 revoke-security-group-egress | Removes a rule from a security group that allows outbound traffic to a specified destination.
aws ec2 update-security-group-rule-descriptions-ingress | Updates the description of an inbound security group rule.
aws ec2 update-security-group-rule-descriptions-egress | Updates the description of an outbound security group rule.
aws ec2 modify-security-group-rules | Updates the properties of a security group rule, such as the protocol, port range, or source/destination.
aws ec2 describe-security-group-references | Describes the VPCs on the other side of a VPC peering connection that reference the specified security groups.
aws ec2 describe-security-group-rules | Describes the inbound and outbound rules for a specified security group.

Best Practices for Security Groups

If you are confused about how to start with defining rules for your security group, here are some best practices for creating and defining SGs in AWS.

  • Start from “deny-all”: A security group denies any traffic that is not explicitly allowed, so add only the exceptions you actually need. This keeps unwanted traffic out.
  • Limit access using particular IP ranges: Restrict the traffic to your resources by specifying exact IP addresses or ranges and the port ranges they may reach.
  • Categorize role-based SGs: When you create multiple SGs, it can be hard to keep track of them. To avoid this, group them by the role they serve.
  • Conduct regular audits: As an AWS infrastructure changes, the instances and their security groups need to change with it. Use automation tools to track these changes and keep your SGs tidy.
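As an added example for the audit practice above (written for this page, not code from the article), here is a Python check over the JSON shape that `aws ec2 describe-security-groups --output json` returns; the sample document is constructed from the article's example table, and the assumption that only ports 80 and 443 are meant to be reachable from anywhere is a placeholder policy.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --output json`; the values mirror the
# article's example table and do not come from a real account.
SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0", "GroupName": "my-security-group",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow SSH access"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}]})

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Assumption: only the web ports are meant to be reachable from anywhere.
PUBLIC_OK = {80, 443}

def world_open_cidrs(perm: dict) -> list:
    """CIDRs in one IpPermissions entry that mean 'anywhere' (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)

def audit(describe_json: str) -> list:
    """Return (group id, direction, protocol, ports, cidr) for every rule open
    to the whole internet, except inbound TCP on a single PUBLIC_OK port."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for direction, key in (("inbound", "IpPermissions"),
                               ("outbound", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm["IpProtocol"]
                # FromPort/ToPort are absent when the protocol is "-1" (all)
                lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
                if direction == "inbound" and proto == "tcp" and lo == hi and lo in PUBLIC_OK:
                    continue
                ports = "all" if lo == -1 else f"{lo}-{hi}"
                for cidr in world_open_cidrs(perm):
                    findings.append((sg["GroupId"], direction, proto, ports, cidr))
    return findings
```

Running `audit(SAMPLE)` flags the SSH rule (IPv4 and IPv6) and the allow-all egress rule, while the HTTP and HTTPS rules pass.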

Conclusion

In the AWS ecosystem, a security group is a virtual firewall that controls the inbound and outbound traffic of your servers. A default security group is created along with every EC2 instance, but you define the role of an SG by configuring its rules. By setting the filters to match the needs of the server, you can create a security group that filters traffic efficiently.
