Security Groups
In this tutorial, we are going to explore how to secure EC2 instances using security group inbound and outbound rules.
Security is an important aspect of the cloud; we must ensure that all our resources are secure and protected. AWS offers different services to protect different resources in the Cloud. One of the basic components of security is security groups. In this lesson, we will review security groups and learn about rules and best practices. Security groups are like firewalls to the associated resources; they control the inbound and outbound traffic for an associated resource.
Security groups are used to secure EC2 instances from unwanted requests. We need to specify a security group to secure our EC2 instance whenever we launch an instance. If no security group is selected, EC2 uses the default security group of the VPC. The default security group allows all outbound traffic and only allows inbound requests from resources within the same security group.
Key Features of EC2 Security Groups
1. Instance-Level Security
Security groups are attached to individual EC2 instances. Multiple instances can share a security group, or each instance can have its own unique configuration.
2. Stateful Rules
Security groups are stateful, meaning that if an inbound request is allowed, the response is automatically allowed, regardless of outbound rules.
3. Allow Rules Only
Security groups support allow rules, but they don’t support deny rules. Any traffic not explicitly allowed is implicitly denied.
4. Dynamic Rules
Rules in a security group can be modified at any time. Changes take effect immediately, making it easy to update security configurations on live instances.
5. Direction-Based Filtering
- Inbound Rules: Control incoming traffic to instances. You can specify IP ranges, protocols, and port numbers to allow only trusted connections.
- Outbound Rules: Control outgoing traffic from instances, which is useful for restricting internet access or controlling access to other AWS services.
Now let's look more closely at security group rules and how to use them to secure our EC2 instances.
Security group rules
Security group rules control inbound and outbound traffic to the resource. These rules allow traffic filtering based on protocols, port numbers and IP addresses. Security group rules are always permissive, which means no port or protocol can be explicitly denied. The following rules control the incoming and outgoing traffic:
Inbound rules
- Inbound rules define which incoming traffic is allowed to reach the associated resources.
- By default, all inbound traffic is denied.
- When multiple inbound rules apply to a traffic type, the rule with the most matching IP range, port, and protocol takes precedence.
- For example, rules for common ports such as SSH (22) for secure remote access, HTTP (80) for web browsing, and FTP (20, 21) for file transfer are often written to allow traffic from any IPv4 address (0.0.0.0/0).
Outbound rules
- Outbound rules define which outgoing traffic is allowed to leave the associated resource.
- All outgoing traffic from the associated resource is allowed by default.
- When different outbound rules apply to a specific traffic type, the rule with the most matching IP range, port, and protocol takes precedence.
When launching an EC2 instance, we can attach an existing security group or create a new one. We can also modify an existing security group by adding new rules or removing rules. We can also attach multiple security groups to an EC2 instance, in which case the rules of all attached groups are aggregated into one effective rule set that is evaluated against each packet.
We can also allow inbound traffic to a resource from certain security groups; this helps us secure the resource in a more efficient manner.
It is important to note that security groups are stateful: if the instance initiates a request, the response traffic for that request is allowed regardless of the inbound rules.
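To make the semantics of the sections above concrete (allow-only rules, implicit deny, aggregation of rules across all attached groups, and stateful handling of replies in both directions), here is an added Python model. It is illustration code written for this page, not AWS code and not part of the original tutorial: the group names, rules and addresses are constructed (the addresses come from the TEST-NET documentation ranges), and the flow-tracking scheme is a simplification of the real connection tracking.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule. protocol "-1" and port -1 mean "all", as in the AWS API."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str   # source range for inbound rules, destination range for outbound rules

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        proto_ok = self.protocol in ("-1", protocol)
        port_ok = self.from_port == -1 or self.from_port <= port <= self.to_port
        return proto_ok and port_ok and ip_address(addr) in ip_network(self.cidr)


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass
class Instance:
    groups: list                                # every attached group contributes rules
    tracked: set = field(default_factory=set)   # flows already allowed in one direction

    def allows_inbound(self, protocol, src_addr, src_port, dst_port) -> bool:
        key = (protocol, src_addr, src_port, dst_port)   # (proto, peer, peer port, local port)
        if key in self.tracked:                  # reply to a flow this instance opened
            return True
        # Rules of all attached groups are aggregated; any matching allow rule suffices.
        # There are no deny rules: no match means the packet is dropped.
        allowed = any(r.matches(protocol, dst_port, src_addr)
                      for g in self.groups for r in g.inbound)
        if allowed:
            self.tracked.add(key)                # the reply may leave regardless of outbound rules
        return allowed

    def allows_outbound(self, protocol, dst_addr, dst_port, src_port) -> bool:
        key = (protocol, dst_addr, dst_port, src_port)
        if key in self.tracked:                  # reply to a request that was allowed in
            return True
        allowed = any(r.matches(protocol, dst_port, dst_addr)
                      for g in self.groups for r in g.outbound)
        if allowed:
            self.tracked.add(key)                # the reply may come back regardless of inbound rules
        return allowed


def demo():
    """Constructed scenario: a web server with two attached groups."""
    web = SecurityGroup("web-sg",
                        inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"),
                                 Rule("tcp", 443, 443, "0.0.0.0/0")],
                        outbound=[])                 # deliberately no outbound rules
    admin = SecurityGroup("admin-sg",
                          inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")],
                          outbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
    server = Instance(groups=[web, admin])
    r = {}
    r["http_in"] = server.allows_inbound("tcp", "198.51.100.7", 51000, 80)        # allow rule
    r["http_reply_out"] = server.allows_outbound("tcp", "198.51.100.7", 51000, 80)  # stateful
    r["ssh_admin"] = server.allows_inbound("tcp", "203.0.113.10", 40000, 22)      # from admin-sg
    r["ssh_other"] = server.allows_inbound("tcp", "198.51.100.7", 40001, 22)      # implicit deny
    r["https_out"] = server.allows_outbound("tcp", "192.0.2.50", 443, 45000)      # admin-sg egress
    r["https_reply_in"] = server.allows_inbound("tcp", "192.0.2.50", 443, 45000)  # stateful
    r["unsolicited_in"] = server.allows_inbound("tcp", "192.0.2.50", 444, 45000)  # implicit deny
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-16s %s" % (name, "ALLOW" if allowed else "DROP"))
```

The two `reply` cases are the stateful behaviour described above: the HTTP response leaves although `web-sg` has no outbound rule at all, and the HTTPS response comes back although no inbound rule allows port 45000, while an unsolicited packet to that same port is still dropped.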
Security group best practices
- Least privilege principle: Adhere to the principle of least privilege, only allowing necessary traffic to and from instances.
- No deny rule: There is no explicit "deny" rule. Traffic that is not explicitly allowed is denied by default.
- Separation of duties: Use different Security Groups for different purposes (e.g., web servers, database servers) to enhance security and management.
- Restrict SSH/RDP Access: Limit SSH (port 22) and RDP (port 3389) access to known IP addresses rather than opening them to the internet.
- Use Security Groups for Internal Access Control: Leverage security groups for internal applications by using source security groups instead of IP ranges. This simplifies management and enhances security.
- Review and Update Security Group Rules Regularly: Periodically review security group configurations to ensure they meet current security requirements and remove unnecessary access.
- Monitor Security Group Activity: Use AWS CloudTrail and CloudWatch to monitor changes to security group configurations, set alerts, and log activities for audit purposes.
Configuring Security Group Rules
Security group rules define which traffic is allowed based on protocol, port number, and source/destination.
- Protocol: You can specify the protocol (e.g., TCP, UDP, ICMP) for each rule.
- Port Range: Define the specific ports or port ranges to allow traffic, such as HTTP (port 80), HTTPS (port 443), or custom application ports.
- Source/Destination: Specify IP ranges (e.g., 0.0.0.0/0 for public access, or a private IP range for internal communication) or other security groups to allow traffic only from trusted sources.
Common Security Group Configurations
1. Public Web Server
- Inbound: Allow HTTP (port 80) and HTTPS (port 443) from all IP addresses (0.0.0.0/0).
- Outbound: Allow all traffic or restrict to specific services or IP ranges as needed.
2. Database Server
- Inbound: Allow traffic on the database port (e.g., MySQL on port 3306) from the IP addresses of application servers or security groups.
- Outbound: Restrict to specific IP ranges or services.
3. Internal Services
- Inbound: Allow only from specific IP ranges, or from other instances by referencing their security groups, to limit access.
- Outbound: Control outbound traffic to reduce access to the internet or specific services.
4. SSH Access
- Limit SSH (port 22) access to specific trusted IP addresses or networks, rather than allowing from all IPs.
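The following added Python example ties the common configurations above to the best practices section: it builds the web, database and SSH patterns as rule dictionaries, shows the CLI call that would apply them, and then runs a small review over them that flags the mistakes the best practices warn about (SSH/RDP or all traffic open to the world). It is illustration code written for this page, not AWS code. The dictionaries follow the IpPermissions shape that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts and that `describe-security-groups` returns; the group IDs and the admin range are constructed placeholders.

```python
import json

# Constructed placeholder IDs and ranges (not real resources).
WEB_SG = "sg-WEB-PLACEHOLDER"
APP_SG = "sg-APP-PLACEHOLDER"
DB_SG = "sg-DB-PLACEHOLDER"
ADMIN_CIDR = "203.0.113.0/24"   # stands in for the office/VPN range


def cidr_rule(proto, port, cidr, description):
    """Allow `port` over `proto` from an IP range."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}


def group_rule(proto, port, source_sg, description):
    """Allow `port` from members of another security group (no IP list to maintain)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg, "Description": description}]}


def three_tier_ingress():
    """Inbound rules for the public web server, database server and SSH patterns."""
    return {
        WEB_SG: [cidr_rule("tcp", 80, "0.0.0.0/0", "public HTTP"),
                 cidr_rule("tcp", 443, "0.0.0.0/0", "public HTTPS"),
                 cidr_rule("tcp", 22, ADMIN_CIDR, "SSH from admin range only")],
        APP_SG: [group_rule("tcp", 8080, WEB_SG, "app port from web tier")],
        DB_SG: [group_rule("tcp", 3306, APP_SG, "MySQL from app tier only")],
    }


def authorize_command(group_id, permissions):
    """The CLI call that would apply these rules (returned as text, not executed here)."""
    return ("aws ec2 authorize-security-group-ingress --group-id %s "
            "--ip-permissions '%s'" % (group_id, json.dumps(permissions)))


ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def audit(ingress_by_group):
    """Flag rules that break the best practices: admin ports or all traffic open to the world."""
    findings = []
    for sg_id, perms in ingress_by_group.items():
        for p in perms:
            ranges = [r.get("CidrIp") for r in p.get("IpRanges", [])]
            ranges += [r.get("CidrIpv6") for r in p.get("Ipv6Ranges", [])]
            world = [c for c in ranges if c in ANYWHERE]
            if not world:
                continue            # group-sourced or private-range rules pass this check
            lo, hi = p.get("FromPort", -1), p.get("ToPort", -1)
            if p["IpProtocol"] == "-1" or lo == -1:
                findings.append((sg_id, "all traffic open to %s" % world[0]))
                continue
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg_id, "%s (%d) open to %s" % (name, port, world[0])))
    return findings


# Constructed "before" configuration that a periodic review should catch.
OVERLY_OPEN = {
    "sg-BAD-PLACEHOLDER": [
        cidr_rule("tcp", 22, "0.0.0.0/0", "ssh"),
        # an all-traffic rule as describe-security-groups returns it (no port fields)
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]
}

if __name__ == "__main__":
    for sg_id, perms in three_tier_ingress().items():
        print(authorize_command(sg_id, perms))
    print("findings:", audit(three_tier_ingress()))   # []
    print("findings:", audit(OVERLY_OPEN))
```

The database group never mentions an IP address: it admits the app tier by group reference, so instances added to or removed from the app tier gain or lose access automatically, which is the "use source security groups instead of IP ranges" practice above. The same `audit` function can be run over the real JSON from `aws ec2 describe-security-groups` as part of the periodic review the best practices call for.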
That's all about how to secure EC2 instances using security group inbound and outbound rules. If you have any queries or feedback, please write to us at contact@waytoeasylearn.com. Enjoy learning, enjoy AWS tutorials!