AWS EC2: Security Groups

A security group is a collection of rules which control the traffic into and out of an AWS resource.

Rules come in two flavours:

  • inbound rule (or ingress rule) — controls inbound traffic to the resource; and
  • outbound rule (or egress rule) — controls outbound traffic from the resource.

A security group also has the following attributes:

  • name
  • description
  • VPC
  • ID (something like sg-08e590f76b7380bd7 which is automatically assigned) and
  • tags (optional).

🚨 Your account will have a distinct set of security groups for each AWS region.

Defining a Security Group

  1. Go to the EC2 Dashboard.
  2. Select Security Groups from the menu.
  3. Press .
  4. Press the in either the Inbound rules or Outbound rules section.
  5. Fill in the details of the rule.
  6. Repeat the previous two steps until you’ve added all of the required rules. You can add multiple rules to a single security group.
Adding inbound rules to a security group.
  1. Press .

Security Group Mayhem

AWS will helpfully create new security groups for you. I used to absently let AWS just create a security group for each new resource. This was a mistake. My account became cluttered with a random assortment of old security groups. There was no system. Complete disorder.

An accumulation of many security groups.

Curated Security Groups

I’ve come to appreciate the value of a curated collection of security groups. Here’s a sample of the ones I’ve set up:

  • exodus — outbound traffic on all protocols to all ports anywhere;
  • http — inbound TCP traffic on port 80;
  • https — inbound TCP traffic on port 443;
  • ssh — inbound TCP traffic on port 22;
  • openvpn — inbound TCP traffic on port 443 and UDP traffic on port 1194;
  • shiny — inbound TCP traffic on port 3838; and
  • flask — inbound TCP traffic on port 5000.

Some details below.

Exodus

This is a simple security group which allows outbound traffic on all ports to all destinations. The rule is defined using the All traffic type and the Anywhere destination.

📢 You can use the aws CLI tool to inspect the details of a security group. Make sure that you’ve got it installed and configured!

aws ec2 describe-security-groups --group-ids sg-08e590f76b7380bd7
{
    "SecurityGroups": [
        {
            "GroupName": "exodus",
            "Description": "All outbound ports",
            "GroupId": "sg-08e590f76b7380bd7",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        }
    ]
}
The configuration above was abridged for clarity. This applies to the configurations below too.

The permissions do not specify a protocol or port, and the IP range 0.0.0.0/0 matches all addresses in the IPv4 address space.

HTTPS & HTTPS

This pair of security groups allows inbound access on ports 80 & 443. The rules are defined using the HTTP and HTTPS types and the Anywhere source.

{
    "SecurityGroups": [
        {
            "GroupName": "https",
            "Description": "HTTPS",
            "IpPermissions": [
                {
                    "FromPort": 443,
                    "ToPort": 443,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        },
        {
            "GroupName": "http",
            "Description": "HTTP",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "ToPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        }
    ]
}
The configuration above contains settings for _two_ security groups.

The permissions specify both protocol and port, and apply to all destination addresses.

Shiny

This security group, which allows inbound access on port 3838, is defined using the Custom TCP type and the Anywhere source.

{
    "SecurityGroups": [
        {
            "GroupName": "shiny",
            "Description": "Shiny",
            "IpPermissions": [
                {
                    "FromPort": 3838,
                    "ToPort": 3838,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        }
    ]
}

Flask

This security group, which allows inbound access on port 5000, is defined using the Custom TCP type and the Anywhere source.

{
    "SecurityGroups": [
        {
            "GroupName": "flask",
            "Description": "Flask",
            "IpPermissions": [
                {
                    "FromPort": 5000,
                    "ToPort": 5000,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        }
    ]
}

Conclusion

Establishing a clean, curated set of security groups will allow you to quickly and easily control access to your AWS resources.