Chapter 3 - EC2 Security Groups

This chapter covers AWS Security Groups.

Q) What is Security Group in AWS?

Amazon Web Services provides a broad range of IT infrastructure and cloud computing services.

Every customer needs some degree of security for these workloads, and in particular network traffic that is filtered properly. AWS Security Groups provide that filtering.

AWS uses security groups to control network traffic to and from EC2 instances. In short:

  • A security group acts as a virtual firewall that controls the traffic for EC2 instances.
  • When we launch an instance, we can specify a security group; otherwise, the default security group is used.
  • We can add rules to a security group that allow traffic to or from its instances.
  • If required, we can modify rules (inbound/outbound) at any time, and the change takes effect immediately.
  • Security group rules can only allow traffic; there are no deny rules.

If the defined security groups do not meet your requirements, you can run your own firewall on any of your instances in addition to using security groups.

Now we will learn about security groups and their uses step by step:

Security Group Inbound Rule - ADD/EDIT/DELETE

Security Group Outbound Rule - ADD/EDIT/DELETE

Additional Security Group - ADD/EDIT/DELETE

Security Group Inbound Rule - ADD/EDIT/DELETE

Step 1: Create an EC2 instance (already discussed in Chapter 1).

Step 2: You can see the security group details under the Description tab:

Click on VIEW INBOUND RULES:

Step 3:

You can see Security Groups on the left side of the page.

Click on the Inbound tab to see the inbound rules:

Let's edit this, delete the rule and observe the impact.

Delete this:

Save it.

Navigate to the EC2 instance and open its URL (IP address).

The URL won't work, because you have removed the inbound rule that allowed the traffic.

Now add the rule back under Inbound.

Now check the URL again in the browser:

The change takes effect immediately.

Security Group Outbound Rule - ADD/EDIT/DELETE

Step 1:

Outbound rules:

By default, a security group includes an outbound rule that allows all outbound traffic. We can remove this rule and add outbound rules that allow specific outbound traffic only.

If your security group has no outbound rules, no outbound traffic originating from your instance will be allowed.

Let us practice this to understand the basics.

Navigate to the Outbound tab and edit it.

Remove the outbound rule.

Click on Save.

Let us check the URL:

It still works. The inbound rule allows the request in, and because security groups are stateful, the response to that request is allowed back out even though no outbound rule remains.
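The following simulator is an added example (not AWS code and not from the original chapter) that models the behaviour exercised in the inbound and outbound walkthroughs above: inbound traffic is denied unless an inbound rule allows it, traffic the instance initiates needs an outbound rule, and the group is stateful, so the reply to an allowed inbound request leaves even after every outbound rule has been removed. The browser and update-server addresses are constructed sample values.

```python
"""Simulator for EC2 security-group semantics (added example; not AWS code).

Models the console exercises: default-deny inbound, rule-based outbound,
allow-only rules, and connection tracking (statefulness).
"""
import ipaddress
from dataclasses import dataclass, field

ALL = "-1"  # the value the AWS API uses for "all traffic"


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or ALL
    from_port: int  # ignored when protocol is ALL
    to_port: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol: str, port: int, peer_ip: str) -> bool:
        if self.protocol != ALL:
            if self.protocol != protocol or not self.from_port <= port <= self.to_port:
                return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # Connection-tracking table: (protocol, peer_ip, peer_port, local_port)
    # of every flow an allow rule already admitted. There is no deny rule
    # type; a packet is dropped only when nothing allows it.
    tracked: set = field(default_factory=set)

    def inbound_packet(self, protocol: str, src_ip: str, src_port: int, dst_port: int) -> bool:
        """Packet arriving at the instance: allowed if it is part of a tracked
        flow (reply to instance-initiated traffic) or an inbound rule matches."""
        flow = (protocol, src_ip, src_port, dst_port)
        if flow in self.tracked:
            return True
        if any(r.matches(protocol, dst_port, src_ip) for r in self.inbound):
            self.tracked.add(flow)  # remember it so the reply can leave
            return True
        return False  # default deny: nothing allowed it

    def outbound_packet(self, protocol: str, dst_ip: str, dst_port: int, src_port: int) -> bool:
        """Packet leaving the instance: replies to tracked inbound flows pass
        without consulting outbound rules; new flows need an outbound rule."""
        flow = (protocol, dst_ip, dst_port, src_port)
        if flow in self.tracked:
            return True
        if any(r.matches(protocol, dst_port, dst_ip) for r in self.outbound):
            self.tracked.add(flow)  # so the response can come back in
            return True
        return False


def walkthrough() -> dict:
    """Replay the console exercises and record what each step observes."""
    web = SecurityGroup(
        "web",
        inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")],
        outbound=[Rule(ALL, 0, 0, "0.0.0.0/0")],  # the default allow-all outbound rule
    )
    browser = "203.0.113.10"  # constructed sample client address
    seen = {}
    # Inbound section, rule present: the browser reaches the URL.
    seen["http_with_rule"] = web.inbound_packet("tcp", browser, 51514, 80)
    # Inbound rule deleted: a fresh request is dropped.
    web.inbound = []
    seen["http_rule_deleted"] = web.inbound_packet("tcp", browser, 51515, 80)
    # Rule added back: takes effect immediately, nothing to restart.
    web.inbound = [Rule("tcp", 80, 80, "0.0.0.0/0")]
    seen["http_rule_restored"] = web.inbound_packet("tcp", browser, 51516, 80)
    # Outbound section: remove the allow-all outbound rule.
    web.outbound = []
    # The reply to the request admitted above still leaves (stateful).
    seen["reply_without_outbound"] = web.outbound_packet("tcp", browser, 51516, 80)
    # A connection the instance initiates itself now has no rule allowing it.
    seen["instance_initiated_without_outbound"] = web.outbound_packet("tcp", "198.51.100.5", 443, 40000)
    return seen


if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{step}: {'allowed' if allowed else 'dropped'}")
```

The last step is the one the console exercise does not show: with the outbound rule gone, the web page still loads, but the instance can no longer open new connections of its own (package updates, calls to other services), which is the usual symptom when an outbound rule is removed.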

Additional Security Group - ADD/EDIT/DELETE

Step 1: You can add more than one security group to an EC2 instance.

Navigate to Actions -> Networking -> Change Security Groups.

Click on Assign Security Groups.

You can observe that the two newly assigned groups are reflected here. In this way, we can attach multiple security groups to an EC2 instance.

Under View inbound rules, you can see the full details:

You can remove security groups in the same way.

Navigate to Actions -> Networking -> Change Security Groups.

After clicking Assign Security Groups, you can see the change reflected on the Instance page.

Question and Answer:

1) Is all inbound traffic blocked by default?

On Amazon EC2, all inbound traffic is blocked by default.

By adding security group rules, you can specify which traffic you want to allow.

The default security group is a special case, described next.

Default Security Group:

I created an AWS account named Cloudvikas. AWS automatically adds a default security group to the default VPC in each Region.

If I don't specify a security group when I launch an instance, the instance is automatically associated with the default security group for the VPC.

A default security group is named default, and it has an ID assigned by AWS. The following are the default rules for each default security group:

- Allows all inbound traffic from other instances associated with the default security group.

- Allows all outbound traffic from the instance.

- You can add or remove inbound and outbound rules for any default security group.

- You can't delete a default security group. If you try to delete a default security group, you see the following error: Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.

This is a short description of the default security group.

2) Is all outbound traffic allowed?

By default, a security group includes an outbound rule that allows all outbound traffic. We can remove the rule and add outbound rules that allow specific outbound traffic only. If our security group has no outbound rules, no outbound traffic originating from our instance will be allowed.

3) Verify whether the statement below is correct or wrong:

Changes to security groups take effect immediately.

TRUE.

We have seen that once a security group's inbound rules are modified, the effect on the URL is immediate.

4) Verify whether the statement below is correct or wrong:

You can have any number of EC2 instances within a security group.

TRUE.

We can assign up to five security groups to an instance.

Security groups act at the instance level. Each instance in your VPC can be assigned to a different set of security groups. If we don't specify any particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

5) Verify whether each statement below is correct or wrong:

Multiple security groups can be attached to EC2 instances.

Ans - TRUE

Security groups are STATEFUL.

Ans - TRUE

If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again.

Ans - TRUE

We cannot block specific IP addresses using security groups; instead, use Network Access Control Lists.

Ans - TRUE

6) How to create a security group?

To create a security group using the console:

Step 1: Open the Amazon VPC console.

Step 2: In the navigation pane, choose Security Groups.

Step 3: Choose Create Security Group.

Step 4: Enter a name for the security group and provide a description.

Step 5: The security group is created.

7) What are the basic rules for the name and description of a security group?

Names and descriptions can be up to 255 characters in length.

Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.

A security group name cannot start with sg-.

A security group name must be unique within the VPC.
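As an added example (not AWS or boto3 code, and not part of the original chapter), the following Python checks the naming rules from 7) before a group is created and builds the parameter dictionaries that the console steps in 6) correspond to, in the shape that boto3's EC2 client methods create_security_group and authorize_security_group_ingress accept. The `vpc-EXAMPLE` and `sg-EXAMPLE` identifiers are placeholders, the list of existing names is constructed, and `review_ingress` is this example's own sanity check, not an AWS feature.

```python
"""Security-group naming validator and request builder (added example).

Not AWS or boto3 code. Dictionaries returned here match the parameter
shape of boto3's ec2.create_security_group and
ec2.authorize_security_group_ingress; nothing is sent anywhere.
"""
import re

MAX_LEN = 255
# Exactly the permitted set from the chapter: letters, digits, spaces and ._-:/()#,@[]+=&;{}!$*
ALLOWED = re.compile(r"^[a-zA-Z0-9 ._\-:/()#,@\[\]+=&;{}!$*]*$")


def validate_name(name: str, existing_names=()) -> list:
    """Return the naming-rule violations for a security-group name (empty list means valid)."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_LEN:
        problems.append(f"name is longer than {MAX_LEN} characters")
    if not ALLOWED.fullmatch(name):
        problems.append("name contains a character outside the permitted set")
    if name.startswith("sg-"):
        problems.append("name must not start with 'sg-'")
    if name in existing_names:
        problems.append("name must be unique within the VPC")
    return problems


def validate_description(description: str) -> list:
    """Same length and character-set rules apply to the description."""
    problems = []
    if len(description) > MAX_LEN:
        problems.append(f"description is longer than {MAX_LEN} characters")
    if not ALLOWED.fullmatch(description):
        problems.append("description contains a character outside the permitted set")
    return problems


def create_security_group_params(name: str, description: str, vpc_id: str, existing_names=()) -> dict:
    """Steps 3-4 of 6): the create_security_group call, refused if a naming rule is broken."""
    problems = validate_name(name, existing_names) + validate_description(description)
    if problems:
        raise ValueError("; ".join(problems))
    return {"GroupName": name, "Description": description, "VpcId": vpc_id}


def ingress_params(group_id: str, protocol: str, port: int, cidr: str, note: str) -> dict:
    """One inbound rule in authorize_security_group_ingress shape (single port)."""
    return {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": protocol,
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": note}],
        }],
    }


def review_ingress(params: dict, admin_ports=(22, 3389)) -> list:
    """This example's own check: flag administrative ports opened to the whole Internet."""
    findings = []
    for perm in params["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] in ("0.0.0.0/0", "::/0") and perm["FromPort"] in admin_ports:
                findings.append(f"port {perm['FromPort']} open to {rng['CidrIp']}")
    return findings


if __name__ == "__main__":
    existing = ["default", "web servers"]  # constructed: names already in the VPC
    print(validate_name("sg-web", existing))
    print(create_security_group_params("web-servers", "HTTP front ends", "vpc-EXAMPLE", existing))
    print(review_ingress(ingress_params("sg-EXAMPLE", "tcp", 22, "0.0.0.0/0", "admin")))
```

Running the validation before the API call turns the console's error message into a message you control, and the `review_ingress` pass is the kind of pre-deployment check that keeps a rule added "to make the URL work" from also exposing SSH or RDP to every address on the Internet.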

8) How to delete a rule using the console?

Step 1: Open the Amazon console.

Step 2: In the navigation pane, choose Security Groups.

Step 3: Select the security group to update.

Step 4: Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

Step 5: Choose the Delete button next to the rule that you want to delete.

Step 6: Choose Save rules.

9) How to update a rule using the console?

Step 1: Open the Amazon console.

Step 2: In the navigation pane, choose Security Groups.

Step 3: Select the security group to update.

Step 4: Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

Step 5: Modify the rule entry as required.

Step 6: Choose Save rules.