Do you use AWS, or intend to? Either way, you will want to make sure the service is configured securely for your cloud workloads and projects.
To handle firewall configuration, AWS uses Security Groups, which control the network traffic associated with EC2 instances.
What are AWS Security groups?
Security groups are the firewall configuration for your AWS services: a security group acts as a virtual firewall that controls traffic.
AWS security groups filter the incoming and outgoing traffic of an EC2 instance. They filter at the IP and TCP/UDP layers, based on source/destination IP addresses and their respective ports.
Security Groups specify which ports are open to incoming traffic, which controls the security of the machine. In AWS, every EC2 instance and every other service that has an Elastic Network Interface (ENI) uses its security group configuration to filter which traffic is allowed.
By default every port is closed. Many firewall systems have explicit "DENY" rules; AWS security groups instead block everything unless a rule specifically allows it through, so any packet that doesn't match an allow rule is dropped immediately.
If you want to run a web server on an EC2 instance or an ECS container instance, you have to create a security group that allows port 80 and port 443 through the firewall.
You can edit the default security groups that come with most instances, or you can create your own security group, which can be applied to multiple instances.
How Do Security Groups Work?
You won't need to configure ufw or iptables on each server, because AWS's firewall filtering happens in its network: the Elastic Network Interface that connects your instance to the network enforces it. ENIs handle traffic for services that use EC2, ECS and EKS. For different network connections, an instance can have multiple Elastic Network Interfaces, each with its own set of security groups.
When you launch an EC2 instance you have to assign it to a security group. You can then add rules to that security group to allow traffic to or from other services, including the associated instances.
You can't create rules that deny access. If traffic reaches a subnet from an Elastic Load Balancer, the instances' security groups list that ELB (by referencing its security group) as their permitted source.
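The allow-only evaluation described above, as an added illustration (not AWS's code): rules carry a protocol, a port range and a source that is either a CIDR range or another security group's ID, anything unmatched is dropped, and there is no way to write a deny rule. The group IDs and addresses are constructed sample values.

```python
"""Model of how a security group evaluates inbound traffic: allow-only rules,
implicit deny for anything unmatched, and a source that is either a CIDR
range or another security group.  Added illustration, not AWS's code; the
group IDs and addresses below are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One inbound allow rule. There is no way to express 'deny'."""
    protocol: str                    # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int                   # port range; -1 means all ports (ICMP: all types)
    to_port: int
    cidr: Optional[str] = None       # source IP range, e.g. "0.0.0.0/0" ("Anywhere")
    source_sg: Optional[str] = None  # or the ID of a source security group

    def matches(self, protocol: str, port: int, src_ip: str, src_sg: Optional[str]) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.protocol != "-1" and self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        if self.cidr is not None:
            src, net = ip_address(src_ip), ip_network(self.cidr)
            return src.version == net.version and src in net
        return self.source_sg is not None and self.source_sg == src_sg


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)

    def allows(self, protocol: str, port: int, src_ip: str, src_sg: Optional[str] = None) -> bool:
        """True if any rule permits the packet; no match means it is dropped."""
        return any(r.matches(protocol, port, src_ip, src_sg) for r in self.inbound)


# A web-server group: HTTP/HTTPS from anywhere, SSH only from one admin address.
WEB_SG = SecurityGroup("sg-web", [
    Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
    Rule("tcp", 22, 22, cidr="203.0.113.10/32"),
])

# An application group that accepts traffic only from members of the
# load balancer's group (a security-group reference instead of an IP range).
APP_SG = SecurityGroup("sg-app", [
    Rule("tcp", 8080, 8080, source_sg="sg-elb"),
])


def evaluate(sg: SecurityGroup, packets):
    """Return (description, allowed) for each constructed packet."""
    return [(desc, sg.allows(proto, port, ip, src_sg)) for desc, proto, port, ip, src_sg in packets]


if __name__ == "__main__":
    packets = [
        ("HTTPS from the internet", "tcp", 443, "198.51.100.7", None),
        ("SSH from the internet", "tcp", 22, "198.51.100.7", None),
        ("SSH from the admin host", "tcp", 22, "203.0.113.10", None),
        ("UDP 80 from the internet", "udp", 80, "198.51.100.7", None),
    ]
    for desc, allowed in evaluate(WEB_SG, packets):
        print(f"{desc}: {'ALLOW' if allowed else 'DROP (no matching rule)'}")
```

The useful check is the negative case: SSH from an arbitrary internet address hits no rule and is dropped even though nothing says "deny", and the application group admits port 8080 only when the sender is a member of the referenced load-balancer group, not merely because its IP happens to be inside the VPC.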
Working With Security Groups From The AWS Console
- The AWS EC2 Management Console handles the configuration of Security Groups. Go to the EC2 console, find "Network and Security" in the sidebar, then click "Security Groups".
- Now you can see a list of all the security groups used by your instances. You can create new security groups or edit the existing ones.
- You need to set the Inbound and Outbound rules, which enable specific traffic in each direction.
- Now configure the protocol; you can specify custom TCP/UDP ports, and ICMP or custom protocols too.
- Then allow access from a specific source. If you choose "Anywhere", the port is left open to any source; if you choose "My IP", only your current machine's address is whitelisted. You can also specify subnets in CIDR notation.
- Give the group a name; you can add a description and tags too. Then you can switch your instances or other services over to the new security group.
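The same steps done programmatically, as an added example that is not the page's or AWS's own code. It builds the rule payload for boto3's EC2 client (`create_security_group`, `authorize_security_group_ingress`, `create_tags`, `modify_instance_attribute`) for a web server: 80 and 443 from "Anywhere", SSH only from the "My IP" address as a /32. The VPC ID, instance ID and the admin address are placeholders or constructed values; the API calls themselves run only under `__main__` with real credentials.

```python
"""Console steps as boto3 calls: create a security group, add allow rules for
80/443 from anywhere and 22 from one address, tag it with a Name, and move an
instance onto it.  Added example, not AWS's code; IDs below are placeholders."""
import ipaddress
from typing import Dict, List

VPC_ID = "vpc-PLACEHOLDER"        # assumption: replace with your VPC ID
INSTANCE_ID = "i-PLACEHOLDER"     # assumption: the instance to move to the new group
MY_IP = "203.0.113.10"            # constructed sample for the console's "My IP" choice


def cidr_for_my_ip(ip: str) -> str:
    """The "My IP" option is a single-host range: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{32 if addr.version == 4 else 128}"


def tcp_rule(port: int, cidr: str, description: str) -> Dict:
    """One IpPermissions entry: a TCP port allowed from a CIDR source."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    }


def sg_reference_rule(port: int, source_group_id: str, description: str) -> Dict:
    """One IpPermissions entry whose source is another security group (e.g. an ELB's)."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_group_id, "Description": description}],
    }


def web_server_ingress(admin_ip: str) -> List[Dict]:
    """Inbound rules for a public web server; everything else stays implicitly denied."""
    return [
        tcp_rule(80, "0.0.0.0/0", "HTTP from anywhere"),
        tcp_rule(443, "0.0.0.0/0", "HTTPS from anywhere"),
        tcp_rule(22, cidr_for_my_ip(admin_ip), "SSH from the admin workstation only"),
    ]


def create_web_security_group(ec2, vpc_id: str, name: str, admin_ip: str) -> str:
    """Create the group, attach the inbound rules and a Name tag; return its ID."""
    resp = ec2.create_security_group(
        GroupName=name,
        Description="Web server: HTTP/HTTPS public, SSH from admin IP",
        VpcId=vpc_id,
    )
    group_id = resp["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=web_server_ingress(admin_ip))
    ec2.create_tags(Resources=[group_id], Tags=[{"Key": "Name", "Value": name}])
    return group_id


def move_instance_to_group(ec2, instance_id: str, group_id: str) -> None:
    """Replace the instance's security group set with the new group (the console's 'swap')."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[group_id])


if __name__ == "__main__":
    import boto3  # needs credentials and a region configured in your environment
    ec2 = boto3.client("ec2")
    gid = create_web_security_group(ec2, VPC_ID, "web-server-sg", MY_IP)
    move_instance_to_group(ec2, INSTANCE_ID, gid)
    print("created and attached", gid)
```

Keeping the rule construction in plain functions separate from the API calls lets you review exactly which ranges and ports will be opened before anything touches the account, which is the same review you would do on the console's rule table before clicking Save.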