What are AWS Security Groups?
AWS Security Groups are software-defined firewalls that control traffic to EC2 instances. In other words, a Security Group is a set of policies that determine which other resources on the network your EC2-based virtual machines can interact with. Security Groups can also specify which networking protocols EC2 instances are allowed to use.
Security Groups can enforce rules to govern traffic between EC2 instances and external endpoints on the Internet, like a client who wants to connect to a website you host on an EC2 instance. They can also control internal traffic within your AWS environment, such as that which flows between EC2 instances.
Why are AWS Security Groups important?
AWS Security groups are one of the simplest and most effective ways to manage network traffic to EC2 instances. By placing restrictions on exactly which endpoints your VMs can talk to, Security Groups significantly reduce the exposure of your EC2 instances to network-based threats.
For example, imagine you have an EC2 instance that you use for application development and testing purposes. You don’t want to expose the EC2 instance to the Internet in general, because you don’t want anyone to be able to access the development apps you have running on it. You do, however, want the instance to be able to connect to other resources running inside your cloud environment such as databases because you may need those resources when testing your app. To enforce this setup, you could configure an AWS Security Group that allows inbound and outbound traffic only from a local subnet, and only on the ports that your app needs to interact with databases.
You may also want to ensure that you can use SSH to log into your EC2 instance from your personal computer, which is not hosted in the AWS cloud. You can do so by creating an additional Security Group rule that allows connections on port 22 (the SSH port) from the Internet, but not on other ports like 80 or 443, which are used for the web. Exposing additional ports would unnecessarily increase the attack surface of your EC2 instance. If your personal computer has a static IP address, you could also write a rule that allows connections only from that address.
Security Groups vs. ACLs and firewalls
Security Groups aren’t the only means of filtering network traffic for EC2 instances. Another method is to use a network Access Control List (ACL) within a Virtual Private Cloud (VPC). This lets you control which traffic can flow into and out of your VPC. Compared to Security Groups, an ACL is harder to set up because you have to configure more fields than Security Groups require. ACLs are also designed to control traffic at the subnet level, rather than the level of individual VM instances, so they don’t provide as much granular control.
Another way to filter traffic in EC2 is to use a firewall provided by the operating system running on your instance. For example, you could use iptables on a Linux instance to control traffic. The downside of this approach is that it is more work to configure, because iptables rules are more complex than AWS Security Group rules. In addition, with an OS-level firewall, malicious traffic can still reach your instances, and possibly slip through in the event that you made a mistake in your firewall configuration. With Security Groups, AWS completely blocks traffic based on the rules you specify, so malicious packets never touch your VMs. Security Groups can also ensure that sensitive data can never travel from your VMs to specific destinations.
How to create or change AWS Security Groups
Working with AWS Security Groups is straightforward. You can create or modify a Security Group via the AWS Console by selecting Security Groups, and then creating a Security Group and defining rules for it like which protocols, ports, and IP addresses you want to allow.
For example, to allow HTTP access from any IPv4 address, you would configure a rule to allow HTTP traffic via the TCP protocol on port 80 in the address range 0.0.0.0/0. You’d also want to allow HTTPS access on port 443 if your website enforces encryption.
You can also create and manage Security Groups from the AWS CLI. To do so, first create a Security Group with a command like:
aws ec2 create-security-group --group-name my-sg \ --description "My security group"
Then, add rules to it with commands like:
aws ec2 authorize-security-group-ingress \ --group-name my-sg --protocol tcp \ --port 3389 --cidr x.x.x.x
If you don’t specify a Security Group for your EC2 instance, AWS will use the default security group, which allows traffic from anywhere and to anywhere, on all protocols.
Keeping AWS Security Groups secure
While AWS Security Groups are an excellent way to help secure EC2 instances, they are only as good as they are accurate. Small configuration mistakes, such as specifying the wrong port number or forgetting to update a traffic rule when an endpoint’s IP address changes, could expose your instances to attack.
It’s important to monitor your Security Group configurations on an ongoing basis. By deploying tools that continuously audit your traffic rules and alert you to potential misconfigurations, you can get ahead of Security Group risks before attackers exploit them.