Cloud Security & Operations Learning Center

What are Security Groups in Amazon Web Services (AWS)?

Introduction to AWS Security Groups

Amazon Web Services (AWS) provides a wide range of on-demand, scalable IT infrastructure and cloud computing services. Customers will only trust the platform with their workloads if it gives them control over what can reach those workloads, and that starts with being able to filter network traffic appropriately.

To provide that control, AWS offers security groups, which govern the network traffic allowed to and from EC2 instances. Strictly speaking a security group is attached to an instance's elastic network interface (ENI), which is why the same mechanism also protects other resources that sit on ENIs, such as RDS databases and load balancers.

A security group is a virtual firewall that performs one primary function: filtering the traffic entering and leaving an EC2 instance. It filters on protocol (TCP, UDP, ICMP or all), port number, and the source or destination of the traffic, which can be an IP address range, another security group, or a managed prefix list. Security groups are stateful: if a connection is allowed in by an inbound rule, the replies are allowed out automatically, whatever the outbound rules say, and the same holds in the other direction.

The Function of Security Groups

Every security group works much like a host firewall: it carries a set of rules that filter the traffic entering and leaving the EC2 instances it is attached to, at the level of protocol and port. Unlike a conventional firewall, however, a security group has no explicit deny rules. It contains only allow rules, and any packet that matches none of them is dropped. This implicit "deny all" is the default behaviour, so a newly created security group with no inbound rules admits no inbound traffic at all.

Security groups are often compared with network access control lists (NACLs). A security group controls traffic at the instance (network interface) level and is stateful; a NACL controls traffic at the subnet boundary, is stateless (return traffic must be allowed explicitly) and does support explicit deny rules. The two are complementary layers rather than alternatives: the NACL is the coarse filter for everything in a subnet, the security group is the fine-grained filter around each instance, and a packet must be permitted by both.

When you create a security group you assign it to a particular virtual private cloud (VPC), and it can only be attached to instances in that VPC, so make sure you create it in the VPC it is meant to protect. Give each group a meaningful name and description so that it can be identified easily in the console and in audit output later.

Rules guiding AWS Security Groups

Security group rules come in two sets: inbound rules, which filter traffic arriving at the instance, and outbound rules, which filter traffic the instance originates. The two sets are evaluated independently and usually differ: a web server might allow inbound TCP 443 from anywhere while allowing outbound traffic only to its database and a package repository. Because security groups are stateful, you never need an outbound rule for the responses to connections permitted by an inbound rule; the return traffic is allowed automatically. By default a new security group has no inbound rules and a single outbound rule allowing all traffic.

Each rule is made up of four principal components: Type, Protocol, Port Range, and Source (for outbound rules, Destination). There is also an optional Description field, which is worth filling in to record why the rule exists.

Type offers a drop-down menu of common services such as HTTP, HTTPS, SSH and RDP; choosing one of these pre-fills the protocol and port. Choosing a custom type lets you set the protocol and port range yourself.

Protocol defaults to TCP but can be changed to UDP, ICMP, or all traffic. Whether a rule applies to IPv4 or IPv6 is determined by the address family of its source or destination (0.0.0.0/0 versus ::/0, for example) and, for ICMP, by choosing ICMP or ICMPv6.

Port Range is pre-filled by the selected type, but for custom types you choose it yourself: a single port such as 8080, or a range such as 1024-65535, depending on what the application needs. Keep ranges as narrow as the application allows. When ICMP is selected the port field is greyed out, because ICMP has no ports; you choose an ICMP type and code instead (for example echo request, to allow ping).

Source (Destination for outbound rules) can be a single IP address written as a /32, a CIDR range, the ID of another security group (which matches any instance carrying that group, a clean way to express "the web tier may talk to the database tier"), or a managed prefix list. The console also offers "Anywhere", which expands to 0.0.0.0/0 for IPv4 and ::/0 for IPv6. Opening an inbound rule to anywhere is a mistake every AWS user should avoid, except for ports that are genuinely meant to be public; it is discussed in the tips below.
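To make the semantics above concrete (allow-only rules, implicit deny, stateful return traffic, ICMP type instead of port), here is a small Python model of how a security group decides whether to pass a packet. It is an added example, not code from this page or from AWS: the group is constructed in the field layout returned by `aws ec2 describe-security-groups` (field names assumed, IDs and address ranges made up), and only CIDR sources are modelled; a security group or prefix list used as a source is ignored.

```python
import ipaddress

# Constructed example in the shape returned by `aws ec2 describe-security-groups`
# (assumed field names; the group ID and address ranges are made up).
WEB_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    # Inbound rules: Type / Protocol / Port Range / Source, as in the console.
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS from anywhere"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "SSH from office"}],
         "Ipv6Ranges": []},
        # For ICMP, FromPort is the ICMP type and ToPort the code; -1 means "any".
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "ping from the VPC"}],
         "Ipv6Ranges": []},
    ],
    # Outbound rules: same fields, but the address range is a destination.
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def rule_matches(rule, proto, port, addr):
    """True if one allow rule covers this protocol, port (or ICMP type) and address.
    Only CIDR sources are modelled; UserIdGroupPairs and prefix lists are ignored."""
    rule_proto = rule["IpProtocol"]
    if rule_proto != "-1":                      # "-1" is the console's "All traffic"
        if rule_proto != proto:
            return False
        if proto == "icmp":
            if rule["FromPort"] not in (-1, port):
                return False
        elif not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    ip = ipaddress.ip_address(addr)
    ranges = rule.get("IpRanges", []) if ip.version == 4 else rule.get("Ipv6Ranges", [])
    key = "CidrIp" if ip.version == 4 else "CidrIpv6"
    return any(ip in ipaddress.ip_network(r[key]) for r in ranges)


class SecurityGroupModel:
    """Toy model of security group semantics: allow-only rules, implicit deny,
    and stateful tracking of flows admitted by an inbound rule."""

    def __init__(self, group):
        self.group = group
        self.flows = set()   # (proto, local_port, remote_ip, remote_port) admitted inbound

    def allows_inbound(self, proto, port, src_ip, src_port=0):
        for rule in self.group["IpPermissions"]:
            if rule_matches(rule, proto, port, src_ip):
                self.flows.add((proto, port, src_ip, src_port))
                return True
        return False   # no allow rule matched: dropped; there is no deny rule to write

    def allows_outbound(self, proto, dst_port, dst_ip, src_port=0):
        # Stateful: the reply on a flow admitted by an inbound rule is allowed out
        # even when no outbound rule would permit it on its own.
        if (proto, src_port, dst_ip, dst_port) in self.flows:
            return True
        return any(rule_matches(r, proto, dst_port, dst_ip)
                   for r in self.group["IpPermissionsEgress"])


def check_web_sg():
    """Runs a few constructed packets through WEB_SG; returns name -> allowed?"""
    sg = SecurityGroupModel(WEB_SG)
    return {
        "https_v4_from_anywhere": sg.allows_inbound("tcp", 443, "198.51.100.7", src_port=51000),
        "https_v6_from_anywhere": sg.allows_inbound("tcp", 443, "2001:db8::1"),
        "ssh_from_office": sg.allows_inbound("tcp", 22, "203.0.113.10"),
        "ssh_from_internet": sg.allows_inbound("tcp", 22, "198.51.100.7"),    # implicit deny
        "rdp_from_office": sg.allows_inbound("tcp", 3389, "203.0.113.10"),    # no rule at all
        "udp_443": sg.allows_inbound("udp", 443, "198.51.100.7"),             # wrong protocol
        "ping_from_vpc": sg.allows_inbound("icmp", 8, "10.0.1.5"),
        # The reply to the admitted HTTPS flow goes to an ephemeral port that no
        # egress rule covers; the flow table lets it through anyway.
        "https_reply": sg.allows_outbound("tcp", 51000, "198.51.100.7", src_port=443),
        # The same packet towards a host that never connected: no flow, no egress match.
        "unsolicited_egress": sg.allows_outbound("tcp", 51000, "198.51.100.8", src_port=443),
        "egress_by_rule": sg.allows_outbound("tcp", 443, "198.51.100.8"),
    }


if __name__ == "__main__":
    for name, allowed in check_web_sg().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DROP'}")
```

Run it and compare the verdicts with the rules: the only inbound packets that pass are those matching an allow rule exactly on protocol, port and source, and the only outbound packet that passes without an egress rule is the reply to a flow that was admitted inbound.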

Some Tips on Configuring Security Groups:

1. Avoid inbound rules from anywhere (0.0.0.0/0 or ::/0)

One common mistake is to allow inbound traffic from 0.0.0.0/0, typically on SSH (22), RDP (3389) or a database port, "just to get it working". The security group is still filtering by port, but on that port every host on the internet can now reach the service, and the instance is exposed to scanning, credential brute forcing and the exploitation of any vulnerability in the software listening there.

Avoid opening the floodgates to the entire internet

The right approach is to permit only the IP ranges that need access, on only the ports they need; every other connection attempt is dropped by the implicit deny. Ports that must be reachable from the whole internet, such as 80 and 443 on a public web tier, are the exception, and even those are better placed behind a load balancer so that the instances themselves accept traffic only from the load balancer's security group. Administrative access belongs behind a bastion host or VPN rather than on an open port. Whatever runs on an EC2 instance is exposed exactly as far as the rules of its security groups allow, no more and no less.
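An audit for this mistake is easy to script against the output of `aws ec2 describe-security-groups`. The following Python is an added example, not code from this page or from AWS; the three groups are constructed in that output's field layout (field names assumed, IDs made up) so it runs offline. It flags every inbound rule whose source is the whole internet, in either address family, unless the rule is a single port on the explicit list of ports meant to be public. Note that "All traffic" rules and port ranges are never exempt, since a range that happens to include 443 also exposes everything around it.

```python
# Constructed `aws ec2 describe-security-groups` output (assumed field names,
# made-up IDs), with the sort of rules an audit should catch.
GROUPS = [
    {"GroupId": "sg-0123456789abcdef1", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0123456789abcdef2", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,      # source is a group, not a CIDR
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef1"}]},
    ]},
    {"GroupId": "sg-0123456789abcdef3", "GroupName": "lab", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

WORLD = {"0.0.0.0/0", "::/0"}
# The only (protocol, port) pairs a public web tier is expected to expose to everyone.
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}


def rule_cidrs(rule):
    """All IPv4 and IPv6 CIDR sources of one rule (group and prefix-list sources excluded)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_world_open_ingress(groups, public_ok=PUBLIC_OK):
    """Inbound rules whose source is the whole internet, except single ports in public_ok."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            world = sorted(set(rule_cidrs(rule)) & WORLD)
            if not world:
                continue
            proto = rule["IpProtocol"]
            if proto == "-1":
                ports = "all"                    # "All traffic": every protocol, every port
            else:
                lo, hi = rule["FromPort"], rule["ToPort"]   # for ICMP these are type/code
                if lo == hi and (proto, lo) in public_ok:
                    continue                     # a deliberately public single port
                ports = str(lo) if lo == hi else f"{lo}-{hi}"   # ranges are never exempt
            findings.append({"GroupId": group["GroupId"], "GroupName": group["GroupName"],
                             "Protocol": proto, "Ports": ports, "Sources": world})
    return findings


if __name__ == "__main__":
    for f in find_world_open_ingress(GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Protocol']} {f['Ports']} "
              f"open to {', '.join(f['Sources'])}")
```

On the constructed data the HTTPS rule passes, the database rule is ignored because its source is another group, and three findings come back: SSH on the web tier, and both the "all traffic" rule and the 1024-65535 range on the lab group. To run it against a real account, load the `SecurityGroups` array of the describe call's JSON output in place of `GROUPS`.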

2. Delete unused security groups

There is no reason to keep a security group that is not attached to anything. An unused group is clutter at best; at worst, an over-permissive one gets attached to a new instance by mistake months later. Because security groups are attached to network interfaces, an audit should check every network interface in the VPC (RDS instances, load balancers and Lambda functions use them too), not just the EC2 instance list. Two kinds of group cannot simply be deleted: the VPC's default security group, and any group still referenced as a source or destination in another group's rules, which AWS refuses to delete until that reference is removed.

3. Enable Tracking and Alerting

AWS provides tools to keep track of what is happening in an account. AWS CloudTrail records every API call, including security group changes such as AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress and DeleteSecurityGroup, together with who made the call and from which address. CloudTrail records but does not enforce anything, so route its events through Amazon EventBridge or Amazon CloudWatch to alert on changes, and use AWS Config rules (for example the managed rule restricted-ssh) to evaluate groups continuously against your policy.
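Here is the detection logic such an alert would carry, run over sample log lines. It is an added example, not code from this page or from AWS; the three CloudTrail records are constructed and abbreviated to the fields used (the top-level field names are CloudTrail's; the nested "items" layout of requestParameters is an assumption taken from how the EC2 API is logged and should be checked against your own trail). One function lists every security group change for the audit trail, the other raises an alert only when an AuthorizeSecurityGroupIngress call opened something to the whole internet.

```python
# Constructed CloudTrail records, abbreviated to the fields used here. Top-level
# field names are CloudTrail's; the nested "items" layout of requestParameters is
# an assumption to verify against a real trail. IDs and ARNs are made up.
RECORDS = [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetOps"},
     "requestParameters": {"groupId": "sg-0123456789abcdef2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}},
    {"eventTime": "2024-05-01T11:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetOps"},
     "requestParameters": {"groupId": "sg-0123456789abcdef1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]

WORLD = {"0.0.0.0/0", "::/0"}
CHANGE_EVENTS = {"CreateSecurityGroup", "DeleteSecurityGroup",
                 "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                 "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}


def security_group_changes(records):
    """Every security group change in the trail: (when, who, what, group, from where)."""
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"],
             r.get("requestParameters", {}).get("groupId"), r["sourceIPAddress"])
            for r in records
            if r.get("eventSource") == "ec2.amazonaws.com"
            and r.get("eventName") in CHANGE_EVENTS]


def world_open_ingress_alerts(records):
    """Alerts for AuthorizeSecurityGroupIngress calls that opened a port to the internet."""
    alerts = []
    for rec in records:
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") != "AuthorizeSecurityGroupIngress"):
            continue
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
            cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
            hits = sorted(c for c in cidrs if c in WORLD)
            if hits:
                alerts.append({"time": rec["eventTime"], "who": rec["userIdentity"]["arn"],
                               "from": rec["sourceIPAddress"], "group": params.get("groupId"),
                               "protocol": perm.get("ipProtocol"),
                               "ports": f"{perm.get('fromPort')}-{perm.get('toPort')}",
                               "sources": hits})
    return alerts


if __name__ == "__main__":
    for change in security_group_changes(RECORDS):
        print("CHANGE", *change)
    for alert in world_open_ingress_alerts(RECORDS):
        print(f"ALERT {alert['time']} {alert['who']} opened {alert['protocol']} "
              f"{alert['ports']} on {alert['group']} to {', '.join(alert['sources'])}")
```

On the constructed records all three calls appear in the change list, but only the first one alerts: dev-alice opened TCP 22 on the web tier to 0.0.0.0/0. The same logic fits a Lambda function triggered by an EventBridge rule matching these event names, which is the usual way to turn CloudTrail records into a near-real-time alert.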

Deployed correctly, security groups and network ACLs together give an AWS account two complementary layers of network filtering: a fine-grained, stateful layer around each instance and a coarser, stateless layer at each subnet.