What is Amazon EC2 – Part 5: Security Group

by Alexander Weiß

When you create a new Amazon EC2 instance you have to assign a Security Group. As the name implies, its purpose is to keep your instance safe: it increases security by filtering the network traffic to your instance. But why doesn't Amazon call it a firewall?

People often say that an Amazon EC2 Security Group is the same thing as a firewall. There is nothing wrong with that, but "firewall" is a generic term. There are many different types, some of them very sophisticated. To figure out which firewall features Security Groups actually offer, it is worth taking a closer look at their capabilities.

[Figure: What is Amazon EC2 – Security Groups]

Security Group features

The Security Group filters all traffic arriving at the instance, whether it originates inside the EC2 cloud or outside it. The filter understands three protocols: TCP, UDP and ICMP. For TCP and UDP you specify which ports (or port ranges) are open; by default all of them are closed. ICMP doesn't use ports, so you can only allow it or not. An open port is completely open: the Security Group matches only on protocol, port and source (layer 3 and 4) and cannot inspect packet contents. Besides the protocol and the port there is exactly one more thing you can configure: the source of the traffic, given either as an IP range in CIDR notation or as another Security Group.

Usually firewalls work in both directions, but the Security Groups described here (EC2-Classic) only filter incoming traffic; there is no way to control outbound traffic. (Security Groups inside a VPC do have outbound rules, and Security Groups are stateful: the replies to a connection that was allowed in pass without an explicit rule.) Another drawback is that Security Groups have no DROP or DENY rules. Everything is blocked unless a rule explicitly allows it, and you cannot carve an exception out of an allow rule; if you need DENY rules in a VPC you have to use network ACLs. Last but not least, the Security Group itself keeps no log of what it drops or allows, which can make troubleshooting tedious. (In a VPC, Flow Logs can record accepted and rejected traffic per network interface.)

As you can see, a Security Group lacks many features that even simple firewalls have. However, this is not a bad thing, because Security Groups are easy to understand and easy to manage. And the difference between firewalls and Security Groups is not only the number of features; there are also conceptual differences which make Security Groups a perfect fit for the EC2 cloud.

Security Groups' role based concept

When an instance is launched with a given Security Group, the rules of that group are enforced for the instance outside the guest operating system. The filtering is therefore completely independent of the instance itself: it doesn't matter whether the instance runs its own firewall or not, and the rules can only be changed through the AWS API, not from inside the instance.

If you have to manage many instances you don't have to create a specific Security Group for every purpose, because an instance can belong to several Security Groups at once. For example, you can create one Security Group for HTTP access and one for SQL access. Used in this way, a Security Group is more like a security role than just a set of firewall rules.

Suppose you have three kinds of instances: one that only hosts websites, one that only hosts a database, and one that offers both services. You could create three different Security Groups, one per instance type. Or you could create just two: one that allows HTTP traffic and one that allows SQL traffic, and put the third instance into both. In this small example you save only one Security Group, but in more complex environments the savings can ease security management significantly. Because Security Groups contain only ACCEPT rules, the effective policy of an instance is simply the union of the rules of all its groups; there is no rule ordering and no interaction between rules, so the result of combining groups is easy to predict and misconfigurations should be rare.

Another advantage of the role concept is that a Security Group can itself be the source of a rule. If you want to limit access to a certain subset of your instances you don't have to manage IP addresses: allow traffic from the group those instances carry, and membership follows the instances as they are launched and terminated. You aren't even restricted to your own Security Groups; you can reference a group from another AWS account in the same EC2 region (you need the owner's account ID and the group name). This concept makes it very easy to deal with the dynamic environment that the EC2 cloud is.
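To make the semantics described above concrete, here is a small Python model of how an instance's effective policy is evaluated. This is an added example and not code from the original post or from AWS; the group names (sg-web, sg-sql), the instances and the IP addresses are constructed for illustration. It models the three points of the article: rules are allow-only with default deny, an instance's policy is the union of all its groups, and a rule's source can be either a CIDR block or another Security Group.

```python
"""Toy model of EC2 Security Group semantics (added example, not AWS code).

Assumptions (constructed for this example):
  * a source that starts with "sg-" names a Security Group, anything else
    is an IP range in CIDR notation
  * ICMP rules carry no ports; TCP/UDP rules carry an inclusive port range
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp" or "icmp"
    source: str                      # CIDR ("10.0.0.0/8") or group name ("sg-web")
    from_port: Optional[int] = None  # None for ICMP, which has no ports
    to_port: Optional[int] = None


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    groups: list  # SecurityGroup objects the instance was launched with


def _source_matches(rule, src_ip, src_groups):
    # A group-based source matches if the sender carries that group,
    # regardless of its IP address. Otherwise compare against the CIDR.
    if rule.source.startswith("sg-"):
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def _port_matches(rule, port):
    # ICMP has no ports, so an ICMP rule matches any ICMP packet.
    if rule.protocol == "icmp":
        return True
    return rule.from_port <= port <= rule.to_port


def effective_rules(instance):
    """Union of all rules of all groups: this is the whole policy."""
    return {rule for sg in instance.groups for rule in sg.rules}


def allowed(dst, protocol, port, src_ip, src_groups=()):
    """Default deny: the packet passes only if some rule of some group allows it."""
    return any(
        rule.protocol == protocol
        and _port_matches(rule, port)
        and _source_matches(rule, src_ip, src_groups)
        for rule in effective_rules(dst)
    )


# --- constructed sample setup ---------------------------------------------
# sg-web: HTTP from anywhere, ICMP only from the internal 10.0.0.0/8 range.
SG_WEB = SecurityGroup("sg-web", [
    Rule("tcp", "0.0.0.0/0", 80, 80),
    Rule("icmp", "10.0.0.0/8"),
])
# sg-sql: MySQL only from instances that carry sg-web (no IP list needed).
SG_SQL = SecurityGroup("sg-sql", [
    Rule("tcp", "sg-web", 3306, 3306),
])

WEB = Instance("web-only", [SG_WEB])
DB = Instance("db-only", [SG_SQL])
BOTH = Instance("web-and-db", [SG_WEB, SG_SQL])  # role combination


if __name__ == "__main__":
    checks = [
        ("internet -> web:80", allowed(WEB, "tcp", 80, "203.0.113.5")),
        ("internet -> web:22 (no rule)", allowed(WEB, "tcp", 22, "203.0.113.5")),
        ("internet -> db:3306", allowed(DB, "tcp", 3306, "203.0.113.5")),
        ("sg-web member -> db:3306", allowed(DB, "tcp", 3306, "10.0.0.5", ("sg-web",))),
        ("internal host w/o sg-web -> db:3306", allowed(DB, "tcp", 3306, "10.0.0.5")),
        ("internal ping -> web", allowed(WEB, "icmp", None, "10.0.0.7")),
        ("external ping -> web", allowed(WEB, "icmp", None, "203.0.113.5")),
        ("sg-web member -> both:3306", allowed(BOTH, "tcp", 3306, "10.0.0.5", ("sg-web",))),
    ]
    for label, ok in checks:
        print(f"{'ALLOW' if ok else 'DROP ':5} {label}")
```

Note that the database rule never mentions an IP address: a host inside 10.0.0.0/8 that does not carry sg-web is dropped, while any instance launched with sg-web gets through. That is the "security role" behaviour the article describes, and because every rule is an allow rule, adding a group to an instance can only ever open traffic, never close it.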

I hope I have clearly explained the benefits and drawbacks of Security Groups. As explained above, they do not have the same features as most firewalls, but they are perfectly suited to the EC2 cloud because their concept is easy to understand. If they offered more features such as DROP and DENY rules, the role based concept wouldn't work as well anymore, because the result of combining groups could become very complex. If Security Groups don't offer enough protection for your purposes you can always add a local firewall on your instances. In many cases this additional protection is necessary.

After this theoretical approach you can learn how to create and manage Security Groups in my short How-to guide.
