How do AWS Security Groups work?
AWS Security Groups are essential components that help you secure your resources on Amazon Virtual Private Cloud (Amazon VPC). With Security Groups, you can restrict which types of traffic can enter your resources, including specific ports, source IP ranges, or even protocols.
Next, you will learn quickly how AWS Security Groups work with their default inbound and outbound rules.
What are AWS Security Groups?
AWS Security Groups operate as virtual firewalls controlling incoming and outgoing traffic between Amazon EC2 Instances through inbound and outbound rules.
How do AWS Security Groups work?
When you create an Amazon account to configure your VPC, automatically, it comes with multiple default Subnets and a default Security Group.
AWS Security Groups are designed to protect EC2 instances through inbound and outbound traffic rules. In essence, Security Groups are the first line of defense that works at the instance level. This means that each instance that you assign to a Security Group will be subject to the security group rules associated.
It’s important to highlight that an instance in a subnet in your VPC can be assigned up to five different Security Groups. If at the time of launching an instance in your VPC, you do not select the group or groups associated with the instance, it will be linked to the default Security Group.
You can use the command line (AWS Tools for Windows PowerShell/AWS CLI) or Amazon EC2 console to create a specific new Security Group.
UTMStack advises creating a new AWS Security Group based on interest-specific rules. In this way, the traffic rules launched automatically for a default security group won’t be affected. However, keep in mind that you can use or modify the default Security Group rules, but you cannot remove the default group.
AWS Security Group default rules
A default Security Group also has assigned default rules:
- Default inbound rule.
- Default outbound rules.
The unique default inbound rule allows the Security Group to accept inbound traffic from all network protocols and ports (network interfaces). Also, it allows the inbound traffic between the instances assigned to the same security group. Therefore, the traffic out to the Internet is accepted by default only if the Security Group is associated with a default VPC.
The default outbound rule allows whole outbound traffic for all IPv4 through all protocols and port ranges. Similarly exist, another default rule with the same permission for all IPv6. However, the last default rule is automatically added if you create a VPC with an IPv6 CIDR block or associate an IPv6 CIDR block with your existing VPC.
In turn, if you create a new Security Group, it will have a unique outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or restrict the outbound traffic.
AWS Security Group rules
Each Security Group, based on its purpose, will require inbound and outbound traffic rules to allow communication of the instances. Basically, the rules represent a whitelist of permissive inbound and outbound traffic, which means you cannot add rules to deny traffic.
Inbound rules define the incoming traffic an AWS Security Group allows to its associated instances. Outbound rules define the allowed traffic that leaves the EC2 machines associated with the Security Group.
You can add inbound and outbound rules in the AWS Security Groups specifying the following components:
- Protocol: Network Protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
- Port range: A particular port or a port range to allow traffic.
- Source (only for inbound rules): The source traffic can be a specific IP, IP range, or other security groups that will be allowed access.
- Destination (only for outbound rules): Similar to the inbound rules for source. However, it refers to a destination the security group allows outgoing traffic.
Security Groups have as a particular feature that they are stateful. If you send a request (outbound traffic) from your instance, the response traffic (inbound traffic) will be allowed regardless of the inbound rules and vice versa.
Be careful when launching an instance associated with different Security Groups. Remember that instances attach all rules coming from their associated groups. In consequence, it can affect access to the instance.
Difference between AWS Security Groups and Network
ACLs
Network Access Control Lists (NACLs) act as a firewall that controls traffic in and out of one or more subnets. Therefore, a Network ACL operates at the subnet level, and a Security Group acts at the instance level. When security groups ‘ rules are too permissive, they are an optional additional security layer to your VPC.
A Network ACL is a more advanced security mechanism that recognizes both allows rules and denies rules.
Unlike AWS Security Groups, Network ACLs are stateless, which means the return traffic must be explicitly allowed by inbound rules.
You must understand that Network ACLs analyze all the rules in ascending order to decide if the traffic is allowed. In other words, an accept or deny rule can be executed for that traffic according to the priority order. On the other hand, security groups evaluate all the rules before deciding whether to allow traffic or not.
The users associate the AWS Security groups with the EC2 instances at launch or after creating them. Instead, ACLs are automatically applied to all instances in the subnets associated with ACLs.
Conclusions
The only way to protect your Amazon EC2 Instances from unauthorized access is to understand how AWS Security Groups work. Implementing best practices will help you manage inbound and outbound traffic that flows to and from your instances through restrictive rules.
