Amazon EC2 How to – Part 3: Security Group

by Alexander Weiß

In my previous blog post I wrote about what Amazon EC2 Security Groups are. Now it is time to get a practical lesson in how to create and configure a Security Group. You’ll see that they are easy to manage.

Let’s take a look at the Security Groups in the Amazon EC2 Management Console. Open the Amazon EC2 Management Console and select “Security Groups” in the left bar. Then select the “default” Security Group and open the “Inbound” tab. You will see that there are already some rules defined:

Amazon EC2 How To - Security Groups predefined rules

As you can see, the source of the predefined rule is the “Group ID” of the “default” Security Group itself, and it covers every protocol and every port. This means that the “default” Security Group does not block any traffic between instances that are members of the “default” Security Group; traffic from anywhere else is not allowed by this rule. In the screenshot you can see two additional rules, one for SSH and one for HTTP. I added them because I wanted to use SSH for administrative tasks and to host websites on the instances belonging to the “default” Security Group. Now I am going to apply the role concept of Security Groups. You can read more about the role concept here.

Create a Security Group

To realize a role-based approach I have to do three things: first, create new Security Groups for the roles Webserver and SSH; second, add my instances to the new Security Groups; third, remove the SSH and HTTP rules from the “default” Security Group.

Reopen the “Security Groups” window of the Amazon EC2 Management Console. To create a new Security Group you simply click the button in the upper left corner. A window pops up in which you have to give a name and a description for the Security Group. You also have to choose whether this Security Group belongs to a VPC. For my example I named the Security Group “SSH”, gave “open SSH port for shell access” as the description and chose “No VPC” for the VPC setting.

Now I want to open the SSH port (TCP port 22). Luckily there is a predefined rule for the SSH service, so I choose “SSH” in the “Create a new rule” dropdown menu. The default value for the traffic source is 0.0.0.0/0, which means any address on the internet may connect; there is no access restriction at all.

Amazon EC2 How To - Security Groups: ssh rule

For this example that is exactly what I want, so I click on “Add Rule”. Keep in mind that an SSH port that is open to the whole internet attracts automated brute-force login attempts; for a production server restrict the source as described below. The rule appears in the window, but to apply the new settings I have to click the “Apply Rule Changes” button.

The process of adding new rules is pretty straightforward, but there is one more thing I want to mention: if you want to limit access to a service to a single IP address you have to be careful to provide the address in the right form. The CIDR part of the address, the number after the slash, must not be zero in this case; it has to be 32. A /0 suffix means “all addresses”, whatever you write in front of it. So if you want to limit SSH access to the IP 192.168.1.2 the correct source is 192.168.1.2/32. If you want to restrict access to sources inside the EC2 cloud you can use 10.0.0.0/8 as the source, because the private IP addresses of non-VPC instances are taken from this address block. Be aware that this block is shared with the instances of every other AWS customer in the region, so it only limits access to “somewhere inside EC2”, not to your own instances; referencing a Security Group ID as the source, as the “default” Security Group does, is the tighter choice.

I create the Webserver Security Group in the same manner, using the predefined HTTP rule (TCP port 80).

Manage Security Groups

Now I have three Security Groups: default, SSH and Webserver. I’m going to remove the Security Group “default” from the instance and add the role groups “SSH” and “Webserver”. Go to the “Instances” window of the Amazon EC2 Management Console and select the instance for which you want to change the Security Groups. Under “Instance Actions” -> “Change Security Group” you can add or remove Security Groups. This feature is only available for instances in a VPC, though. For instances outside a VPC the Security Groups can only be chosen at launch time.

I add the two Security Groups “SSH” and “Webserver” and remove the Security Group “default”, because I don’t want the instance to be reachable by every other instance in the “default” Security Group.

The Security Group “default” still contains the rules for HTTP and SSH. I don’t need them anymore, so I’m going to remove them. I navigate back to the “Security Groups” window and select the “default” Security Group. Go to the “Inbound” tab and simply click on the “delete” link next to each rule. Don’t forget to apply the changes by clicking the “Apply Rule Changes” button.

Amazon EC2 How To - Security Groups: delete rules

The changes to the “default” Security Group take effect immediately, and every instance in this Security Group is bound to the new rule set. If I still have instances with a web server or an SSH server in the “default” Security Group, they are no longer reachable from the internet. I have to add them to the “SSH” and “Webserver” Security Groups too.
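To make the effect of the three steps above tangible, here is a small model of how Security Group ingress rules are evaluated. It is an added example written for this post, not code from the original article or from AWS, and all group IDs, instance names and addresses in it are constructed. It reproduces the three groups from the post, the “default” group before and after its SSH and HTTP rules are removed, and the /32 versus /0 point from the section on CIDR sources: a rule source that is a Security Group ID matches traffic from any member of that group, while a CIDR source only matches the sender’s address.

```python
"""Added example (not from the post, nor AWS code): a small model of how EC2
Security Group ingress rules decide whether traffic is allowed.  Group IDs,
instance names and IP addresses below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field

ANY_PORT = -1          # port wildcard, as used by the "all traffic" rule
ALL_PROTOCOLS = "-1"   # protocol wildcard


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp", "icmp" or ALL_PROTOCOLS
    from_port: int     # ANY_PORT, or the first port of the range
    to_port: int       # last port of the range
    source: str        # a CIDR ("192.168.1.2/32") or a Security Group ID ("sg-...")


@dataclass
class SecurityGroup:
    group_id: str
    rules: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    groups: list       # IDs of the Security Groups the instance belongs to


def cidr_matches(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr.  A /0 suffix discards the host bits, which is
    why 192.168.1.2/0 means 'anyone' and only 192.168.1.2/32 means that one host."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, protocol: str, port: int, src_ip: str, src_groups) -> bool:
    if rule.protocol not in (ALL_PROTOCOLS, protocol):
        return False
    if rule.from_port != ANY_PORT and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # Group-ID source: matches traffic from any member of that group,
        # regardless of the member's IP address.
        return rule.source in src_groups
    return cidr_matches(rule.source, src_ip)


def allowed(dst: Instance, groups: dict, protocol: str, port: int,
            src_ip: str, src_groups=()) -> bool:
    """Security Groups are allow-lists: one matching rule in any group attached to
    the destination permits the traffic; there are no deny rules and no ordering."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for gid in dst.groups for r in groups[gid].rules)


def build_groups(default_cleaned: bool) -> dict:
    """The three groups from the post, before or after the SSH and HTTP rules
    are removed from 'default'."""
    default = SecurityGroup("sg-default",
                            [Rule(ALL_PROTOCOLS, ANY_PORT, ANY_PORT, "sg-default")])
    if not default_cleaned:
        default.rules += [Rule("tcp", 22, 22, "0.0.0.0/0"),
                          Rule("tcp", 80, 80, "0.0.0.0/0")]
    ssh = SecurityGroup("sg-ssh", [Rule("tcp", 22, 22, "0.0.0.0/0")])
    web = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "0.0.0.0/0")])
    return {g.group_id: g for g in (default, ssh, web)}


def scenario(default_cleaned: bool) -> dict:
    """Reachability of two constructed instances: 'web1' was moved to the role
    groups, 'legacy' still sits only in 'default'.  203.0.113.9 plays the internet."""
    groups = build_groups(default_cleaned)
    web1 = Instance("web1", ["sg-ssh", "sg-web"])
    legacy = Instance("legacy", ["sg-default"])
    return {
        "internet->web1:22": allowed(web1, groups, "tcp", 22, "203.0.113.9"),
        "internet->web1:80": allowed(web1, groups, "tcp", 80, "203.0.113.9"),
        "internet->web1:443": allowed(web1, groups, "tcp", 443, "203.0.113.9"),
        "internet->legacy:22": allowed(legacy, groups, "tcp", 22, "203.0.113.9"),
        # another member of 'default' talking to legacy on an arbitrary port
        "default->legacy:3306": allowed(legacy, groups, "tcp", 3306, "10.1.2.3", ["sg-default"]),
        # web1 left 'default', so it no longer gets the intra-group allow
        "web1->legacy:3306": allowed(legacy, groups, "tcp", 3306, "10.1.2.4", web1.groups),
    }


if __name__ == "__main__":
    for cleaned in (False, True):
        print("default cleaned:" if cleaned else "default still open:")
        for flow, ok in scenario(cleaned).items():
            print(f"  {flow:24} {'allow' if ok else 'deny'}")
```

Running the script prints the reachability table before and after the cleanup: the instance in the role groups is reachable on ports 22 and 80 only, the instance left behind in “default” loses its SSH access from the internet once the rule is removed, and the intra-group allow of “default” keeps working for its remaining members but not for the instance that was moved out.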

After reading this short how-to you have to agree that it is easy to create and manage Security Groups, don’t you? And do you see the potential they have? I think Security Groups are implemented well. The only thing I dislike is that you can’t change the Security Groups of non-VPC instances after launch.
