{"id":281886,"date":"2021-06-23T14:44:35","date_gmt":"2021-06-23T11:44:35","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-are-aws-security-groups-and-how-do-you-use-them-cloudsavvy-it\/"},"modified":"2021-06-23T14:44:35","modified_gmt":"2021-06-23T11:44:35","slug":"what-are-aws-security-groups-and-how-do-you-use-them-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-are-aws-security-groups-and-how-do-you-use-them-cloudsavvy-it\/","title":{"rendered":"#What Are AWS Security Groups, and How Do You Use Them? \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<p><img class=\"type:primaryImage alignnone size-full wp-image-5269\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/06\/e601b806.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"AWS Logo\" width=\"700\" height=\"300\" \/><\/p>\n<p>AWS handles firewall configuration using Security Groups. 
Every EC2 instance, and every other service that attaches an Elastic Network Interface (ENI), uses your security group configuration to decide which packets to drop and which traffic to allow.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Security_Groups_Are_AWSs_Firewall_System\"><\/span>Security Groups Are AWS\u2019s Firewall System<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Essentially, a Security Group is a firewall configuration for your services. It defines which ports are reachable, from which sources, and in which direction, and that directly controls both the functionality the instance exposes and its attack surface.<\/p>\n<p>By default, every port is closed. Many firewall systems have explicit \u201cDENY\u201d rules; security groups only have allow rules, and any packet that doesn\u2019t match one is dropped. (If you need an explicit deny, for example to block a known-bad address range, that is the job of a network ACL on the subnet, not a security group.) So, if you want to run a web server on an EC2 instance or an ECS container, you\u2019ll need a security group with inbound rules for TCP port 80 and TCP port 443.<\/p>\n<p>Every VPC has a default security group, and the EC2 launch wizard will create a new one for you if you don\u2019t pick one. You can edit those individually, but you can also create your own security groups and apply them to multiple instances. 
Then when you edit one group, the change takes effect on every instance that uses it.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_Do_Security_Groups_Work\"><\/span>How Do Security Groups Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Because AWS enforces security groups in its own network, outside the guest, you don\u2019t have to configure <code>ufw<\/code>\u00a0or <code>iptables<\/code>\u00a0on each server for them to work. Filtering happens at the Elastic Network Interface, which connects your instance to the VPC, so an attacker who gets root on the instance cannot loosen the rules from inside it. (A host firewall is still worth keeping as defence in depth; the two don\u2019t conflict.) ENIs carry traffic for EC2 and for services built on instances, like ECS and EKS. An instance can have multiple ENIs on different subnets, and each ENI has its own set of security groups.<\/p>\n<p>Each interface can also carry several security groups at once (five by default). Because there are no deny rules, the groups are simply combined: a packet is allowed if any rule in any of the attached groups matches it.<\/p>\n<p>By default, a new security group allows all outbound traffic from your instance. That gives it full internet access, which is usually what you want; if you don\u2019t, remove that rule and add outbound rules only for the traffic you want to let out. With no outbound rules at all, the instance cannot open any connection of its own.<\/p>\n<p>Security groups are also stateful. If your instance sends a request out, the reply is allowed back in regardless of the inbound rules, and the response to an admitted inbound connection is allowed out regardless of the outbound rules. (Network ACLs are stateless, which is why return traffic there needs its own rule.) Note that security groups do not filter traffic to the instance metadata service at <code>169.254.169.254<\/code>, the VPC DNS resolver, or DHCP; restricting access to the metadata service from inside the instance is a host-level job.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Best_Practices_For_Security_Groups\"><\/span>Best Practices For Security Groups<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Since security groups are mostly just firewalls, the usual best practices for server firewalls apply here. 
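Those practices rest on the evaluation model from the previous section: allow-only rules, union across every group on an interface, source-group references, and stateful return traffic. The following Python model of that behaviour is an added example written for this article; it is not code from the original page or from AWS, and the group IDs, addresses and ports in `build_demo()` are constructed. It also models the point, described later for the console, that a rule whose source is another security group matches the private IP of the member interface, not its public address.

```python
"""Toy model of how EC2 security groups evaluate traffic: allow-only rules
(anything unmatched is dropped), union across every group on an interface,
source-group references resolved against private IPs, and stateful return
traffic. Added illustration for this article, not AWS code; the group IDs,
addresses and ports in build_demo() are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str                      # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: Optional[int] = None    # None when protocol is "-1"
    to_port: Optional[int] = None
    cidrs: Tuple[str, ...] = ()        # CidrIp / CidrIpv6 peers
    groups: Tuple[str, ...] = ()       # referenced security group IDs


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)   # empty list: no egress rule at all


def _port_matches(rule, protocol, port):
    if rule.protocol == "-1":
        return True
    if rule.protocol != protocol:
        return False
    if protocol == "icmp":             # simplification: ICMP type/code not modelled
        return True
    return rule.from_port <= port <= rule.to_port


def _peer_matches(rule, peer_ip, eni_index):
    """True if peer_ip falls in one of the rule's CIDRs, or is the *private* IP
    of an interface carrying a referenced group. A member instance that reaches
    us through its public IP or a NAT gateway does not match a group reference."""
    ip = ipaddress.ip_address(peer_ip)
    for cidr in rule.cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return bool(set(rule.groups) & eni_index.get(peer_ip, set()))


class Eni:
    """A network interface: its private IP, its attached groups (AWS allows five
    per interface by default) and the flows admitted inbound, which may reply
    outbound without any egress rule."""

    def __init__(self, private_ip, groups):
        self.private_ip, self.groups = private_ip, groups
        self._flows = set()

    def _any_rule(self, direction, protocol, port, peer_ip, eni_index):
        # Union semantics: one matching allow rule in any attached group is enough,
        # and there is no deny rule that could override it.
        return any(
            _port_matches(r, protocol, port) and _peer_matches(r, peer_ip, eni_index)
            for g in self.groups for r in getattr(g, direction))

    def inbound(self, protocol, port, src_ip, src_port, eni_index):
        allowed = self._any_rule("ingress", protocol, port, src_ip, eni_index)
        if allowed:
            self._flows.add((protocol, src_ip, src_port, port))
        return allowed

    def outbound(self, protocol, port, dst_ip, src_port, eni_index):
        if (protocol, dst_ip, port, src_port) in self._flows:
            return True                # stateful: reply to an admitted connection
        return self._any_rule("egress", protocol, port, dst_ip, eni_index)


def build_demo():
    """Constructed scenario: a web ENI carrying two groups, and a DB ENI that
    admits only the web group and has no egress rules of its own."""
    anywhere = ("0.0.0.0/0", "::/0")
    web_sg = SecurityGroup("sg-web",
                           ingress=[Rule("tcp", 80, 80, anywhere), Rule("tcp", 443, 443, anywhere)],
                           egress=[Rule("-1", cidrs=anywhere)])
    admin_sg = SecurityGroup("sg-admin", ingress=[Rule("tcp", 22, 22, ("203.0.113.10/32",))])
    db_sg = SecurityGroup("sg-db", ingress=[Rule("tcp", 5432, 5432, groups=("sg-web",))])
    web = Eni("10.0.1.10", [web_sg, admin_sg])
    db = Eni("10.0.2.20", [db_sg])
    # Map each private IP to the group IDs attached to it, for group-reference lookups.
    eni_index = {e.private_ip: {g.group_id for g in e.groups} for e in (web, db)}
    return web, db, eni_index


if __name__ == "__main__":
    web, db, idx = build_demo()
    print("HTTPS from the internet to web:", web.inbound("tcp", 443, "198.51.100.7", 51000, idx))
    print("SSH from the internet to web:", web.inbound("tcp", 22, "198.51.100.7", 51001, idx))
    print("SSH from the admin address:", web.inbound("tcp", 22, "203.0.113.10", 51002, idx))
    print("Postgres from web's private IP:", db.inbound("tcp", 5432, "10.0.1.10", 40000, idx))
    print("Postgres from an unrelated host:", db.inbound("tcp", 5432, "10.0.1.99", 40001, idx))
    print("DB opening a connection out:", db.outbound("tcp", 443, "198.51.100.7", 40002, idx))
    print("DB replying to web:", db.outbound("tcp", 40000, "10.0.1.10", 5432, idx))
```

The two lookups worth noticing are the SSH check, which passes only because the admin group is evaluated together with the web group on the same interface, and the DB egress check: with an empty egress list the database cannot initiate anything, yet its reply to the web tier still leaves, because the connection was admitted inbound and is tracked.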
Don\u2019t create rules with large port ranges: it\u2019s unnecessary and just exposes more services to attack. Keep everything blocked that the instance doesn\u2019t need to serve, including legacy ports like FTP (21) and CIFS\/SMB (445). Restrict SSH (22) and RDP (3389) to specific administrative addresses, or to a VPN endpoint such as an OpenVPN server that is itself restricted; AWS Systems Manager Session Manager also gives you a shell on the instance through the SSM agent without any inbound rule at all.<\/p>\n<p>Since you can apply one security group to multiple instances, you should do so wherever possible, and give each group a single role (\u201cweb\u201d, \u201cdb\u201d, \u201cadmin-ssh\u201d). Using a separate group for each individual instance leads to drift and mismanagement. For example, you may need to close a port after an application update; if every server has its own group, you may forget to close it on one of them.<\/p>\n<p>And in general, you should not allow access from <code>0.0.0.0\/0<\/code> (or its IPv6 counterpart <code>::\/0<\/code>), the \u201cAnywhere\u201d option in the console, unless absolutely necessary, which in practice means the public web ports of a public-facing service. For many things, like databases, lock the rule down to the specific instances that need access, ideally by referencing their security group rather than their addresses.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Working_With_Security_Groups_From_The_AWS_Console\"><\/span>Working With Security Groups From The AWS Console<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Security Group configuration is handled in the AWS EC2\u00a0Management Console. 
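Before going to the console, here is a way to check the groups you already have against the practices from the previous section. It is an added Python example written for this article, not code from the original page or from AWS. It reads the `IpPermissions` structure that `aws ec2 describe-security-groups` returns; the `SAMPLE` groups, their IDs and the account ID are constructed, and the thresholds (`MAX_RANGE`, the set of ports accepted from the world) are assumptions you would tune to your own policy.

```python
"""Audit security-group inbound rules against the practices above: nothing open
to the world except public web ports, no wide port ranges, no "all traffic"
rules, admin ports (SSH/RDP) only from single addresses, legacy FTP/CIFS ports
closed. Added example for this article, not AWS code. Reads the IpPermissions
structure returned by `aws ec2 describe-security-groups`; SAMPLE is constructed,
including the group and account IDs."""
import ipaddress
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_SERVICE_PORTS = {80, 443}       # assumption: the only ports accepted from WORLD
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
LEGACY_PORTS = {21: "FTP", 445: "CIFS/SMB"}
MAX_RANGE = 100                        # assumption: wider TCP/UDP ranges are flagged


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _wider_than_host(cidr):
    return ipaddress.ip_network(cidr, strict=False).num_addresses > 1


def audit_group(sg):
    """Return (group_id, code, detail) findings for one group's inbound rules."""
    gid, findings = sg["GroupId"], []
    for perm in sg.get("IpPermissions", []):
        proto, cidrs = perm["IpProtocol"], _cidrs(perm)
        srcs = ", ".join(cidrs)
        if proto == "-1":
            if cidrs:
                findings.append((gid, "ALL_TRAFFIC", f"all protocols and ports from {srcs}"))
            continue
        if proto in ("icmp", "icmpv6"):
            continue                   # FromPort/ToPort are ICMP type/code here, not ports
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        span = f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"
        if hi - lo + 1 > MAX_RANGE:
            findings.append((gid, "WIDE_RANGE", f"{span} from {srcs or 'group reference'}"))
        if any(c in WORLD for c in cidrs) and not (lo == hi and lo in PUBLIC_SERVICE_PORTS):
            findings.append((gid, "WORLD_OPEN", f"{span} from {srcs}"))
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi and any(_wider_than_host(c) for c in cidrs):
                findings.append((gid, "ADMIN_WIDE", f"{name} ({port}) from {srcs}"))
        for port, name in LEGACY_PORTS.items():
            if lo <= port <= hi and cidrs:
                findings.append((gid, "LEGACY_PORT", f"{name} ({port}) reachable from {srcs}"))
    return findings


def audit(groups):
    return [f for sg in groups for f in audit_group(sg)]


SAMPLE = [  # constructed, in the shape of describe-security-groups output
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups --output json > sgs.json; python audit_sg.py sgs.json
    groups = json.load(open(sys.argv[1]))["SecurityGroups"] if len(sys.argv) > 1 else SAMPLE
    for gid, code, detail in audit(groups):
        print(f"{gid}\t{code}\t{detail}")
```

On the constructed sample the web group's 80 and 443 rules pass, its port 22 rule is reported twice (open to the world, and an admin port from more than one address), and the database group is reported for the 1024-65535 range from a whole /8 (which also exposes RDP), and for the all-traffic rule; the rule that references the web group produces nothing, which is the shape you want database rules to have.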
<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/console.aws.amazon.com\/ec2\/v2\/home\">Head over to the EC2 Console<\/a> and find \u201cSecurity Groups\u201d under \u201cNetwork &amp; Security\u201d in the sidebar.<\/p>\n<p><img class=\"alignnone size-full wp-image-12095\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/22f54b8a.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"319\" height=\"256\" \/><\/p>\n<p>You should see a list of every security group in the current region, whether or not anything is attached to it. Security groups belong to a VPC, so check that you\u2019re in the right region and VPC; unattached groups still count against your quota and are worth deleting. You can edit the existing ones, or create a new one:<\/p>\n<p><img class=\"alignnone size-full wp-image-12096\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/3fa1d51d.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"700\" height=\"275\" \/><\/p>\n<p>The main configuration is simply setting Inbound and Outbound rules, which mostly means enabling specific inbound traffic, since all outbound is enabled by default.<\/p>\n<p>First, you\u2019ll need to configure the protocol. You can specify custom TCP\/UDP ports, but there are also presets for things like HTTP, HTTPS, SSH and common database ports. 
You can also specify ICMP or an arbitrary IP protocol number.<\/p>\n<p><img class=\"alignnone wp-image-12097\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/45dd6f63.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"521\" height=\"312\" \/><\/p>\n<p>Then, you\u2019ll need to allow access from a specific source. You can choose \u201cAnywhere\u201d, which leaves the port open to the whole internet, or \u201cMy IP\u201d, which adds a \/32 rule for the public address you\u2019re using right now. That rule is a snapshot: if your address changes, it silently stops matching you and keeps matching whoever gets the old address. You can also enter CIDR notation for specific subnets or address ranges.<\/p>\n<p>One very useful feature is allowing access from another security group instead of an address. This takes the pain out of configuring CIDR blocks or maintaining IP lists: any interface that has the referenced group attached is allowed by the rule. Two caveats: the match is made on the private IP address of the source interface, so traffic that reaches you via a public IP or a NAT gateway won\u2019t match, and referencing a group only matches its members; it does not import that group\u2019s rules.<\/p>\n<p><img class=\"alignnone size-full wp-image-12098\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/d35d9d8b.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"700\" height=\"403\" \/><\/p>\n<p>Beyond that, you\u2019ll need to give the group a name and a description (both are required) and choose the VPC it belongs to, since a group can only be attached to interfaces in that VPC. Tags are optional.<\/p>\n<p>Then, you can swap your instances or services over to the new security group. 
For EC2 instances, you can do this from the console by selecting the instance and choosing \u201cActions &gt; Security &gt; Change security groups\u201d (the same entry is on the right-click menu). The dialog replaces the full set of groups on the interface at once, so include every group the instance still needs, not just the new one; an interface must always keep at least one group, and the change applies to new connections immediately.<\/p>\n<p><img class=\"alignnone size-full wp-image-12102\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/ce4e58f1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"544\" height=\"419\" \/><\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/12059\/what-are-aws-security-groups-and-how-do-you-use-them\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#What Are AWS Security Groups, and How Do You Use Them? 
\u2013 CloudSavvy IT&#8221; AWS handles firewall configuration using Security Groups. Every EC2 instance or other service with an Elastic Network Interface (ENI) uses your security group configuration to decide which packets to drop and what type of traffic should be allowed. Security Groups Are&#8230;<\/p>\n","protected":false},"author":1,"featured_media":281887,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/06\/e601b806.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-281886","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/281886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=281886"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/281886\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/281887"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=281886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=281886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=281886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}