
Understanding AWS security groups

Amazon Web Services (AWS) is a comprehensive platform offering a vast array of cloud computing services, including IT infrastructure solutions that are on-demand and scalable. A key aspect of AWS’s appeal is its emphasis on security, particularly the ability to filter network traffic effectively for cloud workloads and projects. This is where AWS security groups play a pivotal role.

What are security groups?

A security group in AWS is a stateful virtual firewall attached to the elastic network interface (ENI) of a resource such as an EC2 instance. It filters inbound and outbound traffic by protocol, port and source or destination address (layers 3 and 4); it does not inspect payloads. Because it is stateful, the reply to a connection that was allowed in one direction is permitted automatically, regardless of the rules in the other direction.

Security Group vs. Network Access Control List (NACL)

Security groups and NACLs are two separate layers of network filtering in a VPC. Security groups protect at the instance (ENI) level, are stateful and contain only allow rules. NACLs protect at the subnet level, are stateless (return traffic must be allowed explicitly), have numbered rules evaluated in order and support explicit deny rules. Traffic entering a subnet crosses the NACL before it reaches any instance's security group, so the two complement rather than replace each other.

The Function of Security Groups

Each security group is a set of rules that governs the traffic moving in and out of the instances it is attached to, at the protocol and port level. Unlike a traditional firewall, a security group has no deny rules: it operates on an implicit "deny all" basis, and traffic is dropped unless some rule explicitly allows it. Two defaults are worth knowing: a newly created group allows all outbound traffic and no inbound traffic until rules are added, and the default group of a VPC allows all outbound traffic plus inbound traffic from other members of the same group.

Rules guiding AWS Security Groups

Security groups in AWS have distinct rules for inbound and outbound traffic. Each rule comprises four key components:

  • Type: Allows the selection of common protocols (e.g., HTTP, SSH).
  • Protocol: Typically set to TCP by default, but can be changed to UDP, ICMP, and others.
  • Port Range: Pre-filled based on the protocol, with options for custom ranges.
  • Source (inbound) or Destination (outbound): an IPv4 or IPv6 CIDR, a managed prefix list, or another security group ID.

The Type field offers a drop-down of common services such as HTTP, HTTPS and SSH; choosing one fills in the protocol and port for you.

Protocol defaults to TCP, but it can be changed to UDP, ICMP or ICMPv6, or to "All traffic", which matches every protocol and port. Whether a rule applies to IPv4 or IPv6 follows from its source: an IPv4 CIDR, an IPv6 CIDR, or both.

Port Range is pre-filled from the chosen type, but you can enter a single port or a custom range when a workload listens somewhere non-standard. Selecting ICMP replaces the port fields with ICMP type and code, because ICMP has no ports.

Source can be a single address (a /32 for IPv4 or /128 for IPv6), a CIDR range, a managed prefix list, or another security group. The console also offers "Anywhere", which is 0.0.0.0/0 for IPv4 and ::/0 for IPv6. For anything other than a deliberately public service, allowing Anywhere is a mistake every AWS user should avoid; it is discussed in the best practices section below.
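To make the rule components and the implicit deny concrete, here is a small evaluator, added for this article and not part of AWS or any AWS SDK. It mirrors the IpPermissions structure that `aws ec2 describe-security-groups` returns and answers "would this inbound packet be allowed?" The group ID and addresses are constructed sample data.

```python
"""Toy evaluator for AWS security group inbound rules.

Added example for this article; it is not AWS code and not an AWS API. The
rule shape mirrors the IpPermissions list that `aws ec2 describe-security-groups`
returns: IpProtocol ("tcp", "udp", "icmp", "icmpv6" or "-1" for all traffic),
FromPort/ToPort (a port range; for ICMP the type and code, -1 meaning any;
absent for "-1"), IpRanges (IPv4 CIDRs) and Ipv6Ranges (IPv6 CIDRs).
Security groups only have allow rules: a packet matching no rule is dropped.
The group ID and addresses below are constructed sample data.
"""
import ipaddress

SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder, not a real group
    "IpPermissions": [
        # HTTPS from anywhere, IPv4 and IPv6
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # SSH only from one office range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # Any ICMP type/code from the private network
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}


def _source_matches(rule, src):
    """True if src falls inside one of the rule's CIDRs of the matching address family."""
    addr = ipaddress.ip_address(src)
    ranges, key = (rule.get("IpRanges", []), "CidrIp") if addr.version == 4 \
        else (rule.get("Ipv6Ranges", []), "CidrIpv6")
    return any(addr in ipaddress.ip_network(r[key]) for r in ranges)


def _rule_matches(rule, protocol, port_or_type, src):
    proto = rule["IpProtocol"]
    if proto == "-1":                      # "All traffic": every protocol and port
        return _source_matches(rule, src)
    if proto != protocol:
        return False
    if proto in ("tcp", "udp"):
        if not rule["FromPort"] <= port_or_type <= rule["ToPort"]:
            return False
    elif proto in ("icmp", "icmpv6"):
        # For ICMP, FromPort holds the ICMP type; -1 means any type (and any code).
        if rule["FromPort"] != -1 and rule["FromPort"] != port_or_type:
            return False
    return _source_matches(rule, src)


def inbound_allowed(group, protocol, port_or_type, src):
    """Security group semantics: allowed if ANY rule matches, otherwise implicitly denied.
    Rule order is irrelevant. Outbound uses the same logic over IpPermissionsEgress with
    the destination address in place of the source."""
    return any(_rule_matches(r, protocol, port_or_type, src) for r in group["IpPermissions"])


if __name__ == "__main__":
    probes = [("tcp", 443, "198.51.100.7"), ("tcp", 22, "198.51.100.7"),
              ("tcp", 22, "203.0.113.5"), ("udp", 443, "198.51.100.7"),
              ("icmp", 8, "10.1.2.3"), ("tcp", 443, "2001:db8::1")]
    for proto, port, src in probes:
        verdict = "ALLOW" if inbound_allowed(SAMPLE_GROUP, proto, port, src) else "DROP (no matching rule)"
        print(f"{proto:5} {port:>5} from {src:16} -> {verdict}")
```

Note that SSH from 198.51.100.7 is dropped not because any rule denies it, but because no rule allows it; that is the whole of the "deny all" behaviour. The evaluator deliberately ignores statefulness: a real security group would also pass the return packets of any connection it allowed.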

Configuring Security Groups: Best Practices

  • Restrict Inbound Traffic: Avoid 0.0.0.0/0 (and ::/0) as an inbound source except for ports that are meant to be public, as it exposes the resource to every host on the internet.
  • Limit Access: Only allow the IP ranges and ports a workload actually needs; prefer referencing another security group over an IP range when the client is inside AWS.
  • Clean Up Unused Security Groups: Delete groups that are attached to nothing so stale rules cannot be reattached by mistake.
  • Enable Tracking and Alerting: Record security group changes with AWS CloudTrail and evaluate the rules continuously with AWS Config (for example its managed rules restricted-ssh and vpc-sg-open-only-to-authorized-ports).

Avoid incoming traffic through (0.0.0.0/0).

A common mistake is to allow inbound traffic from 0.0.0.0/0, or its IPv6 equivalent ::/0. The security group still filters by port, but it no longer limits who may connect: every port opened this way is reachable by every host on the internet. Management ports such as SSH (22) and RDP (3389) opened to Anywhere are found by internet-wide scanners quickly and become targets for credential brute forcing and exploitation of the listening service.

Avoid opening the floodgates to the entire internet

Permit only the IP ranges and ports a workload actually needs and let every other connection attempt fall to the implicit deny. Where the client is another AWS resource, reference its security group as the source instead of an IP range, so the rule keeps working when addresses change. An EC2 instance is exposed only as far as the rules of the security groups attached to its network interface allow.

Delete unused security groups

A security group that is attached to no network interface filters nothing, but it accumulates stale rules and is easy to attach to a new instance by mistake later. Delete groups that are not in use. Two caveats: the default security group of a VPC cannot be deleted, and a group that is referenced as a source in another group's rules must have that reference removed before the delete call succeeds.
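The two practices above, open-to-the-world rules and unattached groups, can be checked from the output of `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`. The following audit functions are an added example for this article, not AWS code; the input follows the shape those two calls return, and the groups, interfaces and account ID below are constructed sample data.

```python
"""Audit helpers for two security group practices: inbound rules open to the
whole internet, and groups attached to no network interface.

Added example for this article; not code from AWS or from any SDK. The input
follows the JSON shape of `aws ec2 describe-security-groups` and
`aws ec2 describe-network-interfaces`; all IDs and addresses are constructed.
"""
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: four groups in one VPC.
SECURITY_GROUPS = [
    {"GroupId": "sg-aaaa0001", "GroupName": "default", "VpcId": "vpc-0001",
     "IpPermissions": []},
    {"GroupId": "sg-aaaa0002", "GroupName": "web", "VpcId": "vpc-0001",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH from Anywhere: bad
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-aaaa0003", "GroupName": "db", "VpcId": "vpc-0001",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,      # only from the web group
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-aaaa0002", "UserId": "111122223333"}]},
     ]},
    {"GroupId": "sg-aaaa0004", "GroupName": "old-bastion", "VpcId": "vpc-0001",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

# Constructed sample: only the web and db groups are attached to an ENI.
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0001", "Groups": [{"GroupId": "sg-aaaa0002", "GroupName": "web"}]},
    {"NetworkInterfaceId": "eni-0002", "Groups": [{"GroupId": "sg-aaaa0003", "GroupName": "db"}]},
]


def open_to_world(groups, allowed_public_ports=frozenset({80, 443})):
    """Return (GroupId, protocol, FromPort, ToPort) for every inbound rule whose source
    is 0.0.0.0/0 or ::/0, except single-port TCP rules on the approved public ports."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])} | \
                    {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue
            proto = rule["IpProtocol"]
            lo, hi = rule.get("FromPort"), rule.get("ToPort")   # absent for "-1" (all traffic)
            if proto == "tcp" and lo == hi and lo in allowed_public_ports:
                continue
            findings.append((g["GroupId"], proto, lo, hi))
    return findings


def unattached_groups(groups, interfaces):
    """Return GroupIds attached to no ENI that can be deleted right away: the VPC default
    group is skipped (it cannot be deleted) and so are groups still referenced as a source
    by another group's rule (delete the reference first, then rerun)."""
    attached = {sg["GroupId"] for eni in interfaces for sg in eni["Groups"]}
    referenced = {pair["GroupId"] for g in groups for rule in g["IpPermissions"]
                  for pair in rule.get("UserIdGroupPairs", [])}
    return sorted(g["GroupId"] for g in groups
                  if g["GroupId"] not in attached
                  and g["GroupId"] not in referenced
                  and g["GroupName"] != "default")


if __name__ == "__main__":
    for gid, proto, lo, hi in open_to_world(SECURITY_GROUPS):
        print(f"OPEN TO WORLD: {gid} {proto} {lo}-{hi}")
    for gid in unattached_groups(SECURITY_GROUPS, NETWORK_INTERFACES):
        print(f"UNATTACHED, safe to delete: {gid}")
```

Against real accounts, feed the functions the `SecurityGroups` and `NetworkInterfaces` arrays from the two CLI calls for each region. The `old-bastion` group illustrates why cleanup matters: it is attached to nothing today, but it carries an "all traffic from Anywhere" rule that would expose whatever it is attached to next.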

Enable Tracking and Alerting

AWS CloudTrail records every security group API call, such as AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress and DeleteSecurityGroup, together with the caller's identity, source IP address and the rule parameters that were requested; that record is what you alert on. CloudTrail itself enforces nothing. For continuous evaluation of the rules use AWS Config rules, and to see what traffic the rules are actually passing, enable VPC Flow Logs on the interfaces, subnets or VPC concerned.
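As an added example (not code from the original article or from AWS), here is the detection logic one would run over CloudTrail records, whether delivered to S3, CloudWatch Logs or an EventBridge rule: it pulls out every inbound rule added through AuthorizeSecurityGroupIngress, attributes it to the calling identity, and marks the ones that open a group to the whole internet. The record shape follows CloudTrail's ec2.amazonaws.com events; the records, identities and IDs below are constructed.

```python
"""Detection over CloudTrail records: who added which inbound security group
rule, and did it open the group to 0.0.0.0/0 or ::/0.

Added example for this article; not AWS code. Record fields follow CloudTrail's
documented shape for ec2.amazonaws.com events (requestParameters.ipPermissions.items[]
with ipRanges/ipv6Ranges/groups sub-objects). The records below are constructed.
"""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}

RECORDS = json.loads(r'''
[
 {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"groupId": "sg-aaaa0002",
    "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}, "groups": {}}]}}},
 {"eventTime": "2024-03-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"},
  "requestParameters": {"groupId": "sg-aaaa0003",
    "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
       "ipRanges": {}, "ipv6Ranges": {}, "groups": {"items": [{"groupId": "sg-aaaa0002"}]}}]}}},
 {"eventTime": "2024-03-01T10:25:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeSecurityGroups", "awsRegion": "eu-west-1",
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {}}
]''')


def ingress_changes(records):
    """One summary dict per inbound rule added via AuthorizeSecurityGroupIngress.
    Caveat: the legacy flat form of the call (cidrIp/fromPort at the top level of
    requestParameters) is not handled here, only the ipPermissions form."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" \
                or rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
            cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
            src_groups = [g["groupId"] for g in perm.get("groups", {}).get("items", [])]
            out.append({
                "time": rec["eventTime"],
                "actor": rec.get("userIdentity", {}).get("arn"),
                "caller_ip": rec.get("sourceIPAddress"),
                "group": params.get("groupId"),
                "protocol": perm.get("ipProtocol"),
                "from": perm.get("fromPort"),
                "to": perm.get("toPort"),
                "sources": cidrs + src_groups,
                "world_exposed": any(c in ANYWHERE for c in cidrs),
            })
    return out


def world_exposing_changes(records):
    """The subset worth paging on: rules that opened a group to Anywhere."""
    return [c for c in ingress_changes(records) if c["world_exposed"]]


if __name__ == "__main__":
    for c in ingress_changes(RECORDS):
        flag = "ALERT" if c["world_exposed"] else "ok   "
        print(f"{flag} {c['time']} {c['actor']} added {c['protocol']} "
              f"{c['from']}-{c['to']} from {c['sources']} to {c['group']}")
```

The second record shows why alerting on every AuthorizeSecurityGroupIngress call is too noisy: a database rule whose source is another security group is exactly the pattern the best practices recommend. Alert on `world_exposed`, and route the full `ingress_changes` output to a review queue.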

It’s apparent that the right deployment of Security Groups and Network access control lists will go a long way in providing first and second layer form of security for an AWS account.
