Amazon Web Services (AWS) is one of the world’s leading secure cloud hosting platforms today. It offers excellent computing scalability and flexibility for its users through the Amazon Elastic Compute Cloud (EC2) virtual servers, also known as instances.
Many organizations leave the security of these instances in the hands of Amazon, but for a very small few, Amazon’s default security configurations are insufficient. Amazon is responsible for security of the cloud, and the user is responsible for security in the cloud. This is known as the Shared Responsibility model, which means the user needs to take steps to secure their own instances (workloads). This includes both security controls and changes to configuration settings. One of the things users can do is use a security group.
In this blog, we go over what AWS security groups are and what to look for when choosing the right setting for your needs.
What Are AWS Security Groups?
An AWS security group is a virtual firewall for your EC2 instances. It secures your cloud environment by ensuring all incoming or outgoing traffic passes through approved protocols and ports, allowing only traffic from specific IP addresses.
Every time you launch an EC2 instance, you must create a customized security group for it. This means providing the rules for filtering inbound and outbound traffic. Security group rules have certain attributes, including:
- Rules don’t deny access; they permit access based on ports and protocols. Anything not explicitly permitted is dropped.
- Depending on the type, you may associate several groups with one instance, which EC2 effectively treats as a single ruleset.
- You can change security group rules at any time. EC2 applies the changes automatically to the associated instances.
- If there are several rules for one port, AWS applies the most permissive (weakest) rule.
Types of AWS Security Groups
There are two kinds of Amazon EC2 infrastructures that AWS users should be familiar with: EC2-Classic and EC2-VPC. Let’s take a look at the differences between their security groups.
EC2-Classic
EC2-Classic refers to the original Amazon EC2 platform. Classic instances operate in a single network shared with other AWS user accounts. Here, you can neither change the security group assigned to an instance nor create rules for outbound traffic. However, you may still add or modify inbound traffic rules. Moreover, EC2-Classic security groups only support IPv4, an older but still widely used internet protocol that provides the logical connection between the majority of networked devices.
In Classic, you can have up to:
- 500 groups per region,
- 100 rules per security group, and
- 800 security group rules per instance.
Security groups created for VPC cannot be used for EC2-Classic instances.
EC2-VPC
In Amazon Virtual Private Cloud or VPC, your instances are in a private cloud, and you may add up to five AWS security groups per instance. You may add or delete inbound and outbound traffic rules. You can also add new groups even after the instance is already running. VPC security groups support both IPv4 and IPv6 addressing protocols.
Keep in mind that all AWS accounts created after December 4, 2013, are in the EC2-VPC platform. Though you can convert EC2-Classic accounts and migrate their instances to VPC, you cannot transfer Classic security groups. But you can still copy the old rules using the EC2 console.
Selecting the Right AWS Security Group
There’s no one-size-fits-all solution when it comes to security groups. The best security group is one tailored precisely to your cloud environment’s unique needs. For expert guidance, consider consulting an AWS security specialist to define the optimal group rules for your instances. Here are some proven best practices to help you maximize the effectiveness of your AWS security groups:
- Restrict outbound traffic to specific destinations or ports. This ensures your cloud data doesn’t go anywhere it isn’t supposed to be.
- Prevent inbound traffic from 0.0.0.0/0, which allows any IP address as a source. Such a rule makes your data more vulnerable to hacking, DDoS attacks, and other threats that may enter the cloud.
- Enable flow logging on your cloud. This allows you to track all traffic going in and out of each instance. You’ll also be able to spot security groups whose rules need changing, such as those that permit access from unknown IP addresses.
- Limit access to ports 445 and 20/21 to authorized parties only. Port 445, which is usually used for the Common Internet File System (CIFS) protocol, can allow outsiders to access your data through the internet. Likewise, ports 20/21 are often used for File Transfer Protocol (FTP), which lets users download files online.
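To make the rule semantics from the attributes above (allow-only, several groups merged into one ruleset, most permissive rule wins) and the best practices in this list concrete, here is an added example that is not part of the original post or of any Alert Logic tooling. It works on an offline, constructed dictionary shaped like the EC2 `DescribeSecurityGroups` response (`GroupId`, `IpPermissions`, `IpPermissionsEgress`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`); the group names, IDs and CIDRs are sample values, and the `is_allowed` and `audit` functions are this example's own helpers, not an AWS API.

```python
"""Evaluate and audit EC2 security group rules offline.

Added example, not from the original post. SAMPLE_GROUPS is constructed data
in the shape of an EC2 DescribeSecurityGroups response; nothing here is a
real account's configuration.
"""
import ipaddress

# Constructed sample: two groups attached to one instance. 'sg-web' allows
# HTTPS from anywhere and SSH only from a bastion subnet; 'sg-ops' allows SSH
# from anywhere, reaches port 445 from a private range, and leaves egress open.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "sg-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "sg-ops",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            # IpProtocol "-1" means all traffic and carries no port range.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
SENSITIVE_PORTS = {20, 21, 445}  # FTP data/control and CIFS, as named in the post


def rule_cidrs(rule):
    """Yield every IPv4 and IPv6 CIDR the rule lists as a source/destination."""
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def rule_covers(rule, protocol, port):
    """True if the rule's protocol and port range include the given flow."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def is_allowed(groups, direction, protocol, port, address):
    """Security groups are allow-only: merge every attached group's rules into
    one ruleset and permit the flow if ANY rule matches, so the most
    permissive rule wins. direction is 'in' or 'out'."""
    key = "IpPermissions" if direction == "in" else "IpPermissionsEgress"
    addr = ipaddress.ip_address(address)
    for group in groups:
        for rule in group[key]:
            if not rule_covers(rule, protocol, port):
                continue
            if any(addr in net for net in rule_cidrs(rule)):
                return True
    return False  # no rule matched: implicit deny


def audit(groups):
    """Flag rules that break the post's best practices: inbound open to the
    world (0.0.0.0/0 or ::/0), egress allowing all traffic anywhere, and any
    inbound rule reaching ports 20/21/445. Returns (group name, reason) pairs."""
    findings = []
    for group in groups:
        name = group["GroupName"]
        for rule in group["IpPermissions"]:
            if any(net in (ANY_V4, ANY_V6) for net in rule_cidrs(rule)):
                span = ("all traffic" if rule["IpProtocol"] == "-1" else
                        f"{rule['IpProtocol']}/{rule['FromPort']}-{rule['ToPort']}")
                findings.append((name, f"inbound {span} open to the world"))
            if any(rule_covers(rule, "tcp", p) for p in SENSITIVE_PORTS):
                findings.append((name, "inbound rule reaches a sensitive port (20/21/445)"))
        for rule in group["IpPermissionsEgress"]:
            if rule["IpProtocol"] == "-1" and any(net in (ANY_V4, ANY_V6) for net in rule_cidrs(rule)):
                findings.append((name, "egress allows all traffic to any destination"))
    return findings


if __name__ == "__main__":
    # SSH from the internet is denied by sg-web alone but allowed once sg-ops
    # is attached too: the weaker rule wins across the merged ruleset.
    print(is_allowed([SAMPLE_GROUPS[0]], "in", "tcp", 22, "203.0.113.5"))
    print(is_allowed(SAMPLE_GROUPS, "in", "tcp", 22, "203.0.113.5"))
    for group, reason in audit(SAMPLE_GROUPS):
        print(f"{group}: {reason}")
```

Against real data, replace `SAMPLE_GROUPS` with the `SecurityGroups` list returned by `describe_security_groups` in boto3 and run `audit` across every group in the region; `is_allowed` is useful for answering "can this source reach this port?" for a specific instance without re-reading every rule by hand. The audit deliberately reports an HTTPS rule open to the world on a web tier as well, since the post's advice is to avoid 0.0.0.0/0 sources altogether; a public web tier would be an accepted exception rather than something the check should silently skip.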
How Alert Logic Protects You on AWS
Knowing what AWS security groups are is integral to further understanding how to protect your organization’s cloud infrastructure. But security groups aren’t the only way to protect your data and applications on the AWS cloud, and they shouldn’t be your only line of defense.
Fortra’s Alert Logic offers native AWS security services that provide intrusion detection, log analysis, and web application threat protection, giving you complete visibility of security threats along with the best prevention and response in the industry. Learn more about our security measures to protect AWS customers.