AWS Security Groups basics explained

In the previous post we talked about a bastion host in a VPC and how it can make our environment more secure. One of the things we had to do was configure an AWS Security group, which acts as a kind of firewall. It protects our network resources. Each EC2 instance must have one. In this post, we are going to take a deep dive into this topic. No prior knowledge is required.

Creating an AWS Security group

To manage all your security groups, go to the EC2 section in your region. Please note – a Security group is a VPC resource! So if you create a security group in a particular VPC, it will be available for use only in that VPC.

In the EC2 dashboard, under the “Network & Security” section, select “Security groups” as per the screenshot below. You will see a full list of the security groups currently defined for the selected region.

Security groups configuration

Let’s go ahead and create a new one. Click “Create security group” in the top right corner. You will be asked to provide some basic info about the new group:
– Security group name. Makes it easier to identify a security group. This name is meant to be used by a human; AWS identifies all groups by ID, which is auto-generated. So think a bit and give the group a meaningful name. Please note, the name cannot be changed after the group has been created!
– Description. It is good practice to briefly describe here what this group is meant for. For example, “Security group allows HTTP/HTTPS connections to web server”. Don’t skip this opportunity, because after some time you can forget why / for what purpose this group was created.
– VPC. A drop-down list with all VPCs defined for this region. If there is only one VPC defined, there will be no choice at all.

Let’s skip adding any inbound / outbound rules for now, as we want to see which rules are present in an AWS Security group by default when no other rules have been defined.
You can also add some tags if you wish and then press “Create security group”.

Security Group default rules

Now let’s open our newly created security group and see which rules (if any) it has by default. If we open the inbound rules as per the screen below, we can see that there are no rules defined at all. If we go to the outbound rules, we can see that there is one rule defined – all traffic, all protocols, all port ranges. It means that any outbound traffic is allowed by default. But what about inbound traffic? To understand that, let’s talk in detail about how a security group decides whether to allow or block traffic.

Inbound rules for a security group

How Security group works

Here is the algorithm an AWS Security group uses to decide whether to allow or block traffic:
1) Go through the list of rules (allow rules) from top to bottom
2) If a rule allowing this particular type of traffic is found, allow the traffic and stop searching the list
3) If no rule for this particular type of traffic is found, block it
4) If this traffic is return traffic (an answer to some request) – allow it. It doesn’t matter whether a corresponding rule exists or not.

Some important take-aways from this algorithm you should keep in mind:
– In Security groups only “allow” rules are used (no deny rule can be configured).
– An AWS Security group is stateful, meaning that return traffic is always allowed.
– At the end of the inbound / outbound rules there is an implicit deny rule, meaning that if traffic doesn’t match any rule, it is blocked (denied).
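The decision logic above can be written as a small simplified model. This is an added example, not code from the original post or from AWS; the `Rule` and `SecurityGroup` classes and all addresses are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" for all traffic
    from_port: int
    to_port: int
    cidr: str       # source range for inbound rules, destination range for outbound

    def matches(self, protocol, dst_port, peer_ip):
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.protocol == "-1":
            return True
        return self.protocol == protocol and self.from_port <= dst_port <= self.to_port

@dataclass
class SecurityGroup:
    # A freshly created group: no inbound rules, one allow-all outbound rule.
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0")])
    tracked: set = field(default_factory=set)  # flows already allowed (stateful part)

    def handle(self, direction, protocol, local_port, peer_ip, peer_port):
        flow = (protocol, local_port, peer_ip, peer_port)
        if flow in self.tracked:
            return "allow (return traffic)"
        rules = self.inbound if direction == "in" else self.outbound
        dst_port = local_port if direction == "in" else peer_port
        # Only allow rules exist, so their order cannot change the outcome.
        if any(r.matches(protocol, dst_port, peer_ip) for r in rules):
            self.tracked.add(flow)
            return "allow (rule)"
        return "deny (implicit)"

def demo():
    sg = SecurityGroup()
    out = [sg.handle("in", "tcp", 22, "203.0.113.10", 50000)]        # no inbound rule yet
    out.append(sg.handle("out", "tcp", 40000, "198.51.100.5", 443))   # default outbound rule
    out.append(sg.handle("in", "tcp", 40000, "198.51.100.5", 443))    # reply to that request
    sg.inbound.append(Rule("tcp", 22, 22, "203.0.113.10/32"))         # SSH from one address
    out.append(sg.handle("in", "tcp", 22, "203.0.113.10", 50000))
    out.append(sg.handle("in", "tcp", 22, "203.0.113.11", 50000))
    return out

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third call is allowed even though the group has no inbound rules at that point, because it is the reply to the outbound request made in the second call.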

Adding a new rule

To add a new rule, select the tab you need (Inbound or Outbound rules) and press “Edit inbound/outbound rules”. You will see a list of currently defined rules and a button for adding a new one – press “Add rule”. Then you will see something similar to the screenshot below.

Creating a new inbound rule

Let’s configure a new rule to allow inbound SSH traffic. As a reminder, SSH uses the TCP protocol and port 22. First we need to select a traffic type in the “Type” column. If we are going to configure a custom port (not from the well-known port range), then we should select “Custom TCP” or “Custom UDP”, depending on which protocol we are going to use. If it is a well-known port, as in the SSH case, let’s scroll down the list and find “SSH”. Note that the “Port range” column will be populated automatically with “22”.
Next, we need to decide on the “Source” column. It defines from which IP address or IP address range traffic will be accepted. Here we can select one of 4 options from the drop-down: IP range, Any IPv4 address, any IPv6 address, My IP. If we select “My IP”, our current IP address will be automatically placed there. Since we are configuring a rule for SSH, we would like to limit the IP addresses the traffic will be accepted from. Ideally we should place only 1 IP address here if possible. In contrast, if we have a web server and are configuring a security group to allow web traffic (HTTP/HTTPS), in the “Source” column we will select “Anywhere-IPv4”, meaning that anyone on the Internet can access our web page. That’s most probably what we want to achieve.
It is important to remember that in AWS Security groups it doesn’t matter in which order we configure the rules. The first matching rule wins. If none matches, the traffic will be denied.
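To check that SSH really is limited to specific addresses, the saved output of `aws ec2 describe-security-groups` can be scanned for inbound rules that cover port 22 with an “Anywhere” source. This is an added example, not part of the original post; the sample data, group IDs and function names are constructed for illustration.

```python
OPEN_RANGES = {"0.0.0.0/0", "::/0"}   # "Anywhere-IPv4" and "Anywhere-IPv6"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs, names and addresses are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-admin", "GroupName": "admin-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-any", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1",   # all traffic: no FromPort/ToPort keys
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

def covers_port(perm, port):
    """True if this inbound permission applies to TCP traffic on `port`."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def open_to_world(described, port=22):
    """Return (group id, cidr) pairs where `port` is reachable from anywhere."""
    findings = []
    for group in described["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], c) for c in cidrs if c in OPEN_RANGES]
    return findings

if __name__ == "__main__":
    for group_id, cidr in open_to_world(SAMPLE):
        print(f"{group_id}: SSH (tcp/22) allowed from {cidr}")
```

The port-range and all-traffic rules are flagged even though neither mentions port 22 explicitly, which is the case a quick look at the “Type” column tends to miss.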

In the next post we will continue talking about security basics and will discuss AWS Network Access Control Lists and how they differ from AWS Security Groups. Stay tuned!

