DEV Community

Cover image for Unsung HERO - AWS SG
Anuvindh for AWS Community Builders

Posted on • Edited on

Unsung HERO - AWS SG

DAY 3 - The Unsung HERO AWS Security group

☁️100 days of Cloud- Day Three
Follow Me on Twitter

Cover

Tweet This Blog - Read on GitHub - iCTPro.co.nz

An unknown FLAW

Your developer left an flaw & that imaginary flaw is scanned and identified by a hacker. The hacker might try to exploit the server using this unknown vulnerability.
What happens in such scenarios when that app is hosted on a EC2 Server, Will the hacker get access to the EC2?
In Simple the answer is NO.💪Security groups will deny the communication (unless you open all ports to 0.0.0.0/0)🥺. So configuring SG with least privilege gives you an additional layer of security.

You can monitor and report to the cloud or security administrator this fraudulent attempt using CloudWatch or SNS

AWS Security groups (SG)

A security group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic.

Basics

  • You can assign upto five SG per instance.
  • Works on Instance Level Not Subnet Level.
  • Can assign ALLOW rules not DENY rules.
  • Can assign separate rules for inbound and outbound traffic.
  • SG are Stateful, which means SG will keeps track of the state of interaction

Use Cases

i. Monitoring and controlling requests to Application Load Balancers and Classic Load Balancers.

Using firewall manager console you can define which requests your in-scope load balancers should serve. The traffic that comply with SG will reach the load balancers and and only allow outbound as the outbound rule defined.

ii. Internet-accessible, public Amazon VPC(0.0.0.0/0).

For example port 443 need to be enabled for public we can achieve this by successfully configuring the HTTPS PORT -443 to Public(0.0.0.0/0).

iii. Public and Private Amazon VPC instances.

In addition to a public subnet, we can can limit communication between the public resources and the private ones

iv. Default network interface for Amazon EC2 instances

Allow only standard communications

v. Identify resources with open permissions
You can use an audit security group policy to identify all resources within your organization that have permission to communicate with public IP addresses or that have IP addresses that belong to third-party vendors.

Examples of rules that you can add to security groups for specific kinds of access.

Web Servers

Protocol type Port Source IP Notes
TCP 80 (HTTP) 0.0.0.0/0 Allows inbound HTTP access from any IPv4 address
TCP 443 (HTTPS) 0.0.0.0/0 Allows inbound HTTPS access from any IPv4 address
TCP 80 (HTTP) ::/0 Allows inbound HTTP access from any IPv6 address
TCP 443 (HTTPS) ::/0 Allows inbound HTTPS access from any IPv6 address

Database Server

Protocol type Port Notes
TCP 1433 (MS SQL) The default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance
TCP 3306 (MYSQL/Aurora) The default port to access a MySQL or Aurora database, for example, on an Amazon RDS instance
TCP 5439 (Redshift) The default port to access an Amazon Redshift cluster database.
TCP 5432 (PostgreSQL) The default port to access a PostgreSQL database, for example, on an Amazon RDS instance
TCP 1521 (Oracle) The default port to access an Oracle database, for example, on an Amazon RDS instance

Rules to connect to instances from your computer

Protocol type Port Source IP
TCP 22 (SSH) The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range.
TCP 3389 (RDP) The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range.

Rules for ping/ICMP

Protocol type ICMP type ICMP code Source IP
ICMP 8 (Echo Request) N/A The public IPv4 address of your computer, or a range of IPv4 addresses in your local network.
ICMPv6 128 (Echo Request) 0 The IPv6 address of your computer, or a range of IPv6 addresses in your local network.

DNS server rules

Protocol type Protocol number Port
TCP 6 53
UDP 17 53

Amazon EFS rules

Protocol type Ports Source IP Notes
TCP 2049 (NFS) The ID of the security group Allows inbound NFS access from resources (including the mount target) associated with this security group

Top comments (0)