DAY 3 - The Unsung HERO AWS Security group
☁️100 days of Cloud- Day Three
✅Follow Me on Twitter
Tweet This Blog - Read on GitHub - iCTPro.co.nz
An unknown FLAW
Your developer left an flaw & that imaginary flaw is scanned and identified by a hacker. The hacker might try to exploit the server using this unknown vulnerability.
What happens in such scenarios when that app is hosted on a EC2 Server, Will the hacker get access to the EC2?
In Simple the answer is NO.💪Security groups will deny the communication (unless you open all ports to 0.0.0.0/0)🥺. So configuring SG with least privilege gives you an additional layer of security.
You can monitor and report to the cloud or security administrator this fraudulent attempt using CloudWatch or SNS
AWS Security groups (SG)
A security group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic.
Basics
- You can assign upto five SG per instance.
- Works on Instance Level Not Subnet Level.
- Can assign ALLOW rules not DENY rules.
- Can assign separate rules for inbound and outbound traffic.
- SG are Stateful, which means SG will keeps track of the state of interaction
Use Cases
i. Monitoring and controlling requests to Application Load Balancers and Classic Load Balancers.
Using firewall manager console you can define which requests your in-scope load balancers should serve. The traffic that comply with SG will reach the load balancers and and only allow outbound as the outbound rule defined.
ii. Internet-accessible, public Amazon VPC(0.0.0.0/0).
For example port 443 need to be enabled for public we can achieve this by successfully configuring the HTTPS PORT -443 to Public(0.0.0.0/0).
iii. Public and Private Amazon VPC instances.
In addition to a public subnet, we can can limit communication between the public resources and the private ones
iv. Default network interface for Amazon EC2 instances
Allow only standard communications
v. Identify resources with open permissions
You can use an audit security group policy to identify all resources within your organization that have permission to communicate with public IP addresses or that have IP addresses that belong to third-party vendors.
Examples of rules that you can add to security groups for specific kinds of access.
Web Servers
| Protocol type | Port | Source IP | Notes |
|---|---|---|---|
| TCP | 80 (HTTP) | 0.0.0.0/0 | Allows inbound HTTP access from any IPv4 address |
| TCP | 443 (HTTPS) | 0.0.0.0/0 | Allows inbound HTTPS access from any IPv4 address |
| TCP | 80 (HTTP) | ::/0 | Allows inbound HTTP access from any IPv6 address |
| TCP | 443 (HTTPS) | ::/0 | Allows inbound HTTPS access from any IPv6 address |
Database Server
| Protocol type | Port | Notes |
|---|---|---|
| TCP | 1433 (MS SQL) | The default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance |
| TCP | 3306 (MYSQL/Aurora) | The default port to access a MySQL or Aurora database, for example, on an Amazon RDS instance |
| TCP | 5439 (Redshift) | The default port to access an Amazon Redshift cluster database. |
| TCP | 5432 (PostgreSQL) | The default port to access a PostgreSQL database, for example, on an Amazon RDS instance |
| TCP | 1521 (Oracle) | The default port to access an Oracle database, for example, on an Amazon RDS instance |
Rules to connect to instances from your computer
| Protocol type | Port | Source IP |
|---|---|---|
| TCP | 22 (SSH) | The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range. |
| TCP | 3389 (RDP) | The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range. |
Rules for ping/ICMP
| Protocol type | ICMP type | ICMP code | Source IP |
|---|---|---|---|
| ICMP | 8 (Echo Request) | N/A | The public IPv4 address of your computer, or a range of IPv4 addresses in your local network. |
| ICMPv6 | 128 (Echo Request) | 0 | The IPv6 address of your computer, or a range of IPv6 addresses in your local network. |
DNS server rules
| Protocol type | Protocol number | Port |
|---|---|---|
| TCP | 6 | 53 |
| UDP | 17 | 53 |
Amazon EFS rules
| Protocol type | Ports | Source IP Notes |
|---|---|---|
| TCP | 2049 (NFS) | The ID of the security group Allows inbound NFS access from resources (including the mount target) associated with this security group |
Top comments (0)