Unsung HERO – AWS SG

DAY 3 – The Unsung HERO AWS Security group

☁️100 days of Cloud- Day Three

An unknown FLAW

Suppose your developer left a flaw in the application, and that (imaginary) flaw is scanned for and identified by a hacker, who then tries to exploit the server through this unknown vulnerability.
What happens in such a scenario when the app is hosted on an EC2 server? Will the hacker get access to the EC2 instance?
In simple terms, the answer is NO.💪 The security group will deny the communication on any port you have not explicitly opened (unless you have opened all ports to 0.0.0.0/0)🥺. So configuring the SG with least privilege gives you an additional layer of security.

You can also monitor this attempt and report it to the cloud or security administrator using CloudWatch or SNS.

AWS Security groups (SG)

A security group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic.

Basics

  • You can assign up to five SGs per instance.
  • SGs work at the instance level, not the subnet level.
  • You can add ALLOW rules only, not DENY rules.
  • You can define separate rules for inbound and outbound traffic.
  • SGs are stateful, which means the SG keeps track of the state of each connection: the response to an allowed request is let through regardless of the rules in the other direction.

Use Cases

i. Monitoring and controlling requests to Application Load Balancers and Classic Load Balancers.

Using the Firewall Manager console, you can define which requests your in-scope load balancers should serve. Only traffic that complies with the SG reaches the load balancers, and outbound traffic is allowed only as the outbound rules define.

ii. Internet-accessible, public Amazon VPC(0.0.0.0/0).

For example, if port 443 needs to be reachable from the public internet, we achieve this by opening the HTTPS port (443) to Public (0.0.0.0/0).

iii. Public and Private Amazon VPC instances.

In addition to a public subnet, we can limit communication between the public resources and the private ones.

iv. Default network interface for Amazon EC2 instances

Allow only standard communications.

v. Identify resources with open permissions

You can use an audit security group policy to identify all resources within your organization that have permission to communicate with public IP addresses or that have IP addresses that belong to third-party vendors.

Examples of rules that you can add to security groups for specific kinds of access.

Web Servers

| Protocol type | Port | Source IP | Notes |
|---|---|---|---|
| TCP | 80 (HTTP) | 0.0.0.0/0 | Allows inbound HTTP access from any IPv4 address |
| TCP | 443 (HTTPS) | 0.0.0.0/0 | Allows inbound HTTPS access from any IPv4 address |
| TCP | 80 (HTTP) | ::/0 | Allows inbound HTTP access from any IPv6 address |
| TCP | 443 (HTTPS) | ::/0 | Allows inbound HTTPS access from any IPv6 address |

Database Server

| Protocol type | Port | Notes |
|---|---|---|
| TCP | 1433 (MS SQL) | The default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance |
| TCP | 3306 (MySQL/Aurora) | The default port to access a MySQL or Aurora database, for example, on an Amazon RDS instance |
| TCP | 5439 (Redshift) | The default port to access an Amazon Redshift cluster database |
| TCP | 5432 (PostgreSQL) | The default port to access a PostgreSQL database, for example, on an Amazon RDS instance |
| TCP | 1521 (Oracle) | The default port to access an Oracle database, for example, on an Amazon RDS instance |

Rules to connect to instances from your computer

| Protocol type | Port | Source IP |
|---|---|---|
| TCP | 22 (SSH) | The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range. |
| TCP | 3389 (RDP) | The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range. |

Rules for ping/ICMP

| Protocol type | ICMP type | ICMP code | Source IP |
|---|---|---|---|
| ICMP | 8 (Echo Request) | N/A | The public IPv4 address of your computer, or a range of IPv4 addresses in your local network. |
| ICMPv6 | 128 (Echo Request) | 0 | The IPv6 address of your computer, or a range of IPv6 addresses in your local network. |

DNS server rules

| Protocol type | Protocol number | Port |
|---|---|---|
| TCP | 6 | 53 |
| UDP | 17 | 53 |

Amazon EFS rules

| Protocol type | Ports | Source IP | Notes |
|---|---|---|---|
| TCP | 2049 (NFS) | The ID of the security group | Allows inbound NFS access from resources (including the mount target) associated with this security group |
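The rule tables above show which sources are acceptable for each port, and use case v asks you to find resources with open permissions. The following is an added example (not code from the original post) that audits one security group for inbound rules open to 0.0.0.0/0 or ::/0 on anything other than the web ports from the table, or for the "all ports open" case described at the start. The `SAMPLE_SG` dict is constructed for the demo and mirrors the shape of an entry in `aws ec2 describe-security-groups` output; no AWS call is made.

```python
"""Offline audit of one AWS security group for public exposure."""

# Ports the web-server table legitimately opens to the whole internet.
PUBLIC_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like describe-security-groups output.
SAMPLE_SG = {
    "GroupId": "sg-0example",  # placeholder id, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def public_cidrs(perm):
    """Return the any-address CIDRs (IPv4 or IPv6) present in one rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in ANYWHERE]


def audit_security_group(sg):
    """Return (group id, finding) tuples for inbound rules open to the world
    on anything other than the web ports, including the all-traffic case."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = public_cidrs(perm)
        if not cidrs:
            continue  # source is restricted: not a public-exposure finding
        proto = perm["IpProtocol"]
        if proto == "-1":
            # "-1" is AWS shorthand for all protocols and all ports.
            findings.append((sg["GroupId"], "ALL traffic open to " + ", ".join(cidrs)))
        elif proto in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
            if set(range(lo, hi + 1)) - PUBLIC_OK_PORTS:  # any non-web port exposed
                findings.append((sg["GroupId"], f"{proto}/{lo}-{hi} open to " + ", ".join(cidrs)))
        else:
            # ICMP and other protocols: the page expects these from your own IP only.
            findings.append((sg["GroupId"], f"{proto} open to " + ", ".join(cidrs)))
    return findings


if __name__ == "__main__":
    for group_id, finding in audit_security_group(SAMPLE_SG):
        print(group_id, finding)
```

Only the MySQL rule and the all-traffic rule are reported; HTTPS to 0.0.0.0/0 and SSH from a single address pass.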
