What are AWS Security Groups?
AWS Security Groups are software-defined firewalls that control traffic to EC2 instances. In other words, a Security Group is a set of policies that determine which other resources on the network your EC2-based virtual machines can interact with. Security Groups can also specify which networking protocols EC2 instances are allowed to use.
Security Groups can enforce rules to govern traffic between EC2 instances and external endpoints on the Internet, like a client who wants to connect to a website you host on an EC2 instance. They can also control internal traffic within your AWS environment, such as that which flows between EC2 instances.
Why are AWS Security Groups important?
AWS Security Groups are one of the simplest and most effective ways to manage network traffic to EC2 instances. By restricting exactly which endpoints your VMs can talk to, Security Groups significantly reduce the exposure of your EC2 instances to network-based threats.
For example, imagine you have an EC2 instance that you use for application development and testing purposes. You don’t want to expose the EC2 instance to the Internet in general, because you don’t want anyone to be able to access the development apps you have running on it. You do, however, want the instance to be able to connect to other resources running inside your cloud environment such as databases because you may need those resources when testing your app. To enforce this setup, you could configure an AWS Security Group that allows inbound and outbound traffic only from a local subnet, and only on the ports that your app needs to interact with databases.
You may also want to ensure that you can use SSH to log into your EC2 instance from your personal computer, which is not hosted in the AWS cloud. You can do so by creating an additional Security Group rule that allows connections on port 22 (the SSH port) from the Internet, but not on other ports like 80 or 443, which are used for the web. Exposing additional ports would unnecessarily increase the attack surface of your EC2 instance. If your personal computer has a static IP address, you could also write a rule that allows connections only from that address.
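The development-instance setup above, as an added example that is not part of the original article: the rules are written in the IpPermissions shape the EC2 API uses, and a small evaluator applies them to constructed connection attempts to show the allow-list behaviour (no rule match means the packet is dropped). The subnet, database ports and static workstation address are assumed placeholders.

```python
import ipaddress

# Assumed placeholders for the scenario (documentation address ranges).
LOCAL_SUBNET = "10.0.1.0/24"      # subnet holding the app's databases
HOME_IP = "203.0.113.10/32"       # developer's static IP, /32 = one host

# Constructed ingress rules in EC2 IpPermissions form: DB ports only from the
# local subnet, SSH only from the one static address, nothing else.
INGRESS_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": LOCAL_SUBNET, "Description": "PostgreSQL"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": LOCAL_SUBNET, "Description": "MySQL"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": HOME_IP, "Description": "SSH from workstation"}]},
]

def rule_matches(rule, src_ip, proto, port):
    """True if one IpPermissions entry covers this protocol, port and source."""
    if rule["IpProtocol"] not in (proto, "-1"):        # "-1" means any protocol
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])

def is_allowed(rules, src_ip, proto, port):
    """Security Groups are pure allow-lists: there are no deny rules, so a
    packet gets in only if at least one rule matches it."""
    return any(rule_matches(r, src_ip, proto, port) for r in rules)

# Constructed sample connection attempts: (source IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.25", "tcp", 5432),    # app host in the subnet reaching PostgreSQL
    ("203.0.113.10", "tcp", 22),   # SSH from the developer's workstation
    ("198.51.100.7", "tcp", 22),   # SSH from an unknown Internet address
    ("198.51.100.7", "tcp", 80),   # HTTP from the Internet: port never opened
    ("10.0.1.25", "udp", 5432),    # right subnet and port, wrong protocol
]

def evaluate(rules=INGRESS_RULES, flows=SAMPLE_FLOWS):
    """Map each flow to True (allowed) or False (dropped)."""
    return {(ip, proto, port): is_allowed(rules, ip, proto, port)
            for ip, proto, port in flows}

if __name__ == "__main__":
    for flow, ok in evaluate().items():
        print(f"{flow}: {'ALLOW' if ok else 'DROP'}")
```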
Security Groups vs. ACLs and firewalls
Security Groups aren’t the only means of filtering network traffic for EC2 instances. Another method is to use a network Access Control List (ACL) within a Virtual Private Cloud (VPC). This lets you control which traffic can flow into and out of your VPC. Compared to Security Groups, an ACL is harder to set up because you have to configure more fields than Security Groups require. ACLs are also designed to control traffic at the subnet level, rather than the level of individual VM instances, so they don’t provide as much granular control.
Another way to filter traffic in EC2 is to use a firewall provided by the operating system running on your instance. For example, you could use iptables on a Linux instance to control traffic. The downside of this approach is that it is more work to configure, because iptables rules are more complex than AWS Security Group rules. In addition, with an OS-level firewall, malicious traffic can still reach your instances, and possibly slip through in the event that you made a mistake in your firewall configuration. With Security Groups, AWS completely blocks traffic based on the rules you specify, so malicious packets never touch your VMs. Security Groups can also ensure that sensitive data can never travel from your VMs to specific destinations.
How to create or change AWS Security Groups
Working with AWS Security Groups is straightforward. You can create or modify a Security Group via the AWS Console by selecting Security Groups, creating a Security Group, and then defining rules for it, such as which protocols, ports, and IP addresses you want to allow.
For example, to allow HTTP access from any IPv4 address, you would configure a rule to allow HTTP traffic via the TCP protocol on port 80 in the address range 0.0.0.0/0. You’d also want to allow HTTPS access on port 443 if your website enforces encryption.
You can also create and manage Security Groups from the AWS CLI. To do so, first create a Security Group with a command like:
aws ec2 create-security-group --group-name my-sg \
--description "My security group"
Then, add rules to it with commands like:
aws ec2 authorize-security-group-ingress \
--group-name my-sg --protocol tcp \
--port 3389 --cidr x.x.x.x/32
If you don’t specify a Security Group for your EC2 instance, AWS will use the default security group, which allows traffic from anywhere and to anywhere, on all protocols.
Keeping AWS Security Groups secure
While AWS Security Groups are an excellent way to help secure EC2 instances, they are only as good as they are accurate. Small configuration mistakes, such as specifying the wrong port number or forgetting to update a traffic rule when an endpoint’s IP address changes, could expose your instances to attack.
It’s important to monitor your Security Group configurations on an ongoing basis. By deploying tools that continuously audit your traffic rules and alert you to potential misconfigurations, you can get ahead of Security Group risks before attackers exploit them.
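One way to run the kind of continuous audit described above, as an added example that is not part of the original article: the function walks Security Group definitions in the shape that `aws ec2 describe-security-groups` returns and flags rules open to the whole Internet on anything other than the expected web ports. The sample groups, their IDs and CIDRs are constructed for the example, and the port lists are assumptions you would tune to your environment.

```python
import ipaddress

# Constructed sample in the shape of `describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,      # admin port left open
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "dev", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},           # one host: fine
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # internal only
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                   # everything, to everyone
    ]},
]

# Assumed policy: these ports should never be world-reachable, these may be.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
PUBLIC_PORTS = {80, 443}

def is_world(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) means 'any address on the Internet'."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def audit(groups):
    """Return (group id, port or 'all', reason) for every world-open rule that
    is not one of the expected public web ports."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(is_world(c) for c in sources):
                continue                      # restricted source: not an exposure
            if rule["IpProtocol"] == "-1":    # all protocols and ports
                findings.append((g["GroupId"], "all", "all traffic open to the world"))
                continue
            if rule["IpProtocol"] in ("icmp", "icmpv6"):
                continue                      # ping rules are out of scope here
            for port in range(rule["FromPort"], rule["ToPort"] + 1):
                if port in ADMIN_PORTS:
                    findings.append((g["GroupId"], port, f"{ADMIN_PORTS[port]} open to the world"))
                elif port not in PUBLIC_PORTS:
                    findings.append((g["GroupId"], port, "non-web port open to the world"))
    return findings

if __name__ == "__main__":
    for gid, port, reason in audit(SAMPLE_GROUPS):
        print(f"{gid} port {port}: {reason}")
```

In practice the input would come from `aws ec2 describe-security-groups --output json`, parsed with `json.load`, and a finding would raise an alert rather than a print.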