AWS Security Groups: Instance Level Security

Instance security requires that you fully understand AWS security groups, along with patching responsibility, key pairs, and various tenancy options.

As a precursor to this post, you should have a thorough understanding of the AWS Shared Responsibility Model before moving onto discussing instance-level security within your Virtual Private Cloud (VPC).

In this article, I’ll talk about AWS security groups and how they can be used to protect your EC2 instances. We’ll also explore applying security patches to your instances and multi-tenancy options. If you want to deploy services and resources within the AWS Cloud, understanding the fundamentals of AWS is critical. To dive into the differences between the compute services, check out my course on AWS Compute Fundamentals. This course is the first step in the AWS Fundamentals Learning Path and covers the fundamental elements of all AWS compute services and features that will allow you to select the most appropriate service for your project and implementations. Compute Fundamentals for AWS

AWS security groups and instance security

AWS security groups (SGs) are associated with EC2 instances and provide security at the protocol and port access level. Each security group — working much the same way as a firewall — contains a set of rules that filter traffic coming into and out of an EC2 instance. Unlike network access control lists (NACLs), there are no “Deny” rules. If there is no rule that explicitly permits a particular data packet, it will be dropped.

You should always aim to restrict access with your security group to help maintain restriction of access at the protocol and port level. In addition to this, you should implement the rule of least privilege when it comes to designing and implementing your rules in your security groups. Only allow the access that is needed, and do not apply overly permissive access as this can result in future security breaches and vulnerabilities. 

Create Security Group
Each security group must have a name, allowing you to easily distinguish it from others.  The description is optional, but it does offer you the ability to add additional contextual information to help you understand the security groups. Security groups are specific to a VPC. As a result, during your security groups, you must specify which VPC the SG will reside. Be sure to select the correct VPC for the resource in which you want to protect.

AWS security groups: rules

The actual rule of a security group that filters traffic is defined in two tables: Inbound and Outbound. AWS security groups are stateful, meaning you do not need to add rules for return. Therefore, any rule that allows traffic into an EC2 instance, will automatically allow responses to pass back out to the sender without an explicit rule in the Outbound rule set.

Each rule is comprised of five fields: Type, Protocol, Port Range, Source, and Description. This applies to both Inbound and Outbound rules.

Security Group Rules
  • Type: The drop-down list allows you to select common protocols like SSH, RDP, or HTTP. You can also choose custom protocols.
  • Protocol: This is typically grayed out, as it’s covered by most “Type” choices. However, if you create a custom rule, you can specify your protocol (TCP/UDP, etc.) here.
  • Port Range: This value will also usually be pre-filled, reflecting the default port or port range for your chosen protocol. However, there might be times when you prefer to use custom ports.
  • Source: This can be a network subnet range, a specific IP address, or another AWS security group. You can also leave access open to the entire internet using the “Anywhere (0.0.0.0/0)” value.
  • Description: This field allows you to add a description for the rule that has been added.

Creating a security group

You can create security groups in different ways, such as the AWS CLI or the AWS Management Console. From within the AWS Management Console, you can create a security group during the launch of an EC2 instance, at Step 6: Configure Security Group as shown below. 

Configure Security Group

If you simply want to create a security group without having to launch an instance, you can follow these steps:

1. Log in to the AWS Management Console

2. Select the EC2 service

3. Select “Security Groups” from under the “Network & Security” category on the left: 

Network & Security

4. Select the blue “Create Security Group” button

5. Enter the security group name and description

6. Select the appropriate VPC

7. Add your rules, as required, by selecting the “Add Rule” button.  In the example below, I have added a rule to allow SSH connectivity from the 10.0.1.0/24 subnet

Create Security Group

While AWS security groups are normally associated with instances during their creation, you can also add or remove them from running instances. To carry out these changes via the AWS Management Console: 

1. Log in to the AWS Management Console

2. Select the EC2 service

3. Select “Instances” from under the “Instances” category on the left

4. Select the instance you want to modify

5. Click Actions > Networking > Change Security Groups

Limits

There are a number of default limits to be aware of when creating security groups. These can be defined as follows:

  • VPC security groups per region within your VPC = 2500
  • Rules per security group = 120 (no more than 60 inbound and 60 outbound)
  • Security groups per network interface = 5

OS patch management

Applying the latest security patches to your instances is, again, your responsibility – even if you built your instance from an AWS-defined AMI. No matter which operating system you deploy, I recommend that you regularly download the latest security patches. New vulnerabilities and security flaws are being discovered and fixed all the time, and you can’t afford to ignore them. AWS takes security as its number one priority and we need to do the same. 

After creating an instance, you should download and install the latest patches as you do not know how long ago the AMI was created and it’s very likely that there are a number of security patches available. You could look at automating this process through instance user data when creating your instances. For example, entering the following command on a Linux-based AMI would automatically perform a yum update at instance launch:

yum update -y

The “user data” section can be found in Step 3: Configure Instance Details under “Advanced Details.”

Configure Instance Details

Ensuring the latest patches are installed on your instances, protects you from vulnerabilities and threats to your OS. This is a simple yet necessary security addition to your instance deployment.

Multi-tenancy vs dedicated

Tenancy relates to what underlying host your EC2 instance will reside on, essentially the physical server within an AWS Data Center. When deploying your instances, you will have the opportunity to specify 1 of 3 tenancy options for your instance:

With these options available to you, there are pros and cons to each.  

  • Shared Tenancy: This option will launch your EC2 instance on any available host with the specified resources required for your selected instance type, regardless of which other customers and users also have EC2 instances running on the same hosts; therefore, the “shared” tenancy name. AWS implements advanced security mechanisms to prevent one EC2 instance from accessing another on the same host. How this security is applied and operated is out of scope of this course and is maintained by AWS.
  • Dedicated Tenancy: This includes both dedicated instances and dedicated hosts:
    • Dedicated instances are hosted on hardware that no other customer can access — it can only be accessed by your own AWS account. You may be required to launch your instances as a dedicated instance due to internal security policies or external compliance controls. Dedicated instances do incur additional charges due to the fact you are preventing other customers from running EC2 instances on the same hardware, and there will likely be unused capacity remaining. However, the hardware might be shared by other resources you have running in your own account.
    • Dedicated hosts are effectively the same as dedicated instances; however, they offer additional visibility and control over how you can place your instances on the physical host. They also allow you to use your existing licenses, such as per-VM license, or windows server licenses, etc. Using dedicated hosts gives you the ability to use the same host for a number of instances that you want to launch and align with any compliance and regulatory requirements.  

If you do not need to address any compliance or security issues that require dedicated tenancy, then I recommend using shared tenancy to reduce your overall costs. Not all instance types are eligible for dedicated tenancy, so if you are thinking of using it, consult the AWS documentation.

EC2 key pairs

At the very end of your EC2 instance creation, you will need to select an existing Key Pair or create and download a new one.

But what is a key pair and what is it used for? 

A key pair, as the name implies, is made up of two components: a public key and a private key.

The function of key pairs is to encrypt the login information for Linux and Windows EC2 instances and then decrypt the same information, allowing you to authenticate onto the instance. The public key encrypts data, such as the username and password. For Window instances, the private key is used to decrypt this data, allowing you to gain access to the login credentials including the password. For Linux instances, the private key is used to remotely connect onto the instance via SSH.

The public key is held and kept by AWS, and the private key is your responsibility to keep and ensure that it is not lost. 

So, going back to when you create your EC2 instance and a new key pair, you are given the opportunity to download the key pair. Once you have done this, you must keep that file safe until you are ready to log onto the associated EC2 instance. It’s worth noting that you can use the same key pair on multiple instances to save you from managing multiple private keys. Do bear in mind; however, should the private key become compromised, access could be gained to all instances where that key pair was used.

Once you have authenticated to the EC2 instance the first time, you can set up additional less privileged access controls, such as local Windows accounts allowing other users to connect and authenticate to or even utilize Microsoft Active Directory.secu.

Let’s review what we’ve seen.

  • Instance level security is your responsibility and it’s up to you to implement as much or as little as you see fit for your purpose. I recommend implementing security groups with the principle of least privilege. I have seen people leaving themselves vulnerable to attacks through wide-open security groups.
  • Implement a patch management policy/strategy when deploying your instances.
  • Weigh the additional security against the cost when deciding on your instance tenancy (e.g., shared vs. dedicated): Do you really need the additional physical separation of dedicated tenancy?
  • Finally, understand and manage your EC2 instance key pairs and keep your private keys safe to ensure you can connect to your instances.

You might also want to take the following course, which also touches on some of the information covered within this post: Working with AWS Networking and Amazon VPC.

Thank you for taking the time to read my article. If you have any feedback please do leave a comment below.

Avatar

Written by

Stuart Scott

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.


Related Posts

Joe Nemer
Joe Nemer
— September 15, 2020

New Content: Azure DP-100 Certification, Alibaba Cloud Certified Associate Prep, 13 Security Labs, and Much More

This past month our Content Team served up a heaping spoonful of new and updated content. Not only did our experts release the brand new Azure DP-100 Certification Learning Path, but they also created 18 new hands-on labs — and so much more! New content on Cloud Academy At any time, y...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Joe Nemer
Joe Nemer
— August 28, 2020

AWS Certification Practice Exam: What to Expect from Test Questions

If you’re building applications on the AWS cloud or looking to get started in cloud computing, certification is a way to build deep knowledge in key services unique to the AWS platform. AWS currently offers 12 certifications that cover major cloud roles including Solutions Architect, De...

Read more
  • AWS
  • AWS Certifications
Patrick Navarro
Patrick Navarro
— August 25, 2020

Overcoming Unprecedented Business Challenges with AWS

From auto-scaling applications with high availability to video conferencing that’s used by everyone, every day —  cloud technology has never been more popular or in-demand. But what does this mean for experienced cloud professionals and the challenges they face as they carve out a new p...

Read more
  • AWS
  • Cloud Adoption
  • digital transformation
Avatar
Andrew Larkin
— August 18, 2020

Constant Content: Cloud Academy’s Q3 2020 Roadmap

Hello —  Andy Larkin here, VP of Content at Cloud Academy. I am pleased to release our roadmap for the next three months of 2020 — August through October. Let me walk you through the content we have planned for you and how this content can help you gain skills, get certified, and...

Read more
  • alibaba
  • AWS
  • Azure
  • content roadmap
  • Content updates
  • DevOps
  • GCP
  • Google Cloud
  • New content
Alisha Reyes
Alisha Reyes
— August 5, 2020

New Content: Alibaba, Azure AZ-303 and AZ-304, Site Reliability Engineering (SRE) Foundation, Python 3 Programming, 16 Hands-on Labs, and Much More

This month our Content Team did an amazing job at publishing and updating a ton of new content. Not only did our experts release the brand new AZ-303 and AZ-304 Certification Learning Paths, but they also created 16 new hands-on labs — and so much more! New content on Cloud Academy At...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Alisha Reyes
Alisha Reyes
— July 16, 2020

Blog Digest: Which Certifications Should I Get?, The 12 Microsoft Azure Certifications, 6 Ways to Prevent a Data Breach, and More

This month, we were excited to announce that Cloud Academy was recognized in the G2 Summer 2020 reports! These reports highlight the top-rated solutions in the industry, as chosen by the source that matters most: customers. We're grateful to have been nominated as a High Performer in se...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • OWASP
  • OWASP Top 10
  • Security
  • VPCs
Avatar
Cloud Academy Team
— July 9, 2020

Which Certifications Should I Get?

The old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and companies. With all that in mind, the s...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— July 2, 2020

New Content: AWS, Azure, Typescript, Java, Docker, 13 New Labs, and Much More

This month, our Content Team released a whopping 13 new labs in real cloud environments! If you haven't tried out our labs, you might not understand why we think that number is so impressive. Our labs are not “simulated” experiences — they are real cloud environments using accounts on A...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Joe Nemer
Joe Nemer
— June 19, 2020

Kickstart Your Tech Training With a Free Week on Cloud Academy

Are you looking to make a jump in your technical career? Want to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Kubernetes, Python, or another in-demand skill? Then you'll want to mark your calendar. Starting Monday, June 22 at 12:00 a.m. PDT (3:00 a.m. EDT), ...

Read more
  • AWS
  • Azure
  • cloud academy content
  • complimentary access
  • GCP
  • on the house
Alisha Reyes
Alisha Reyes
— June 11, 2020

New Content: AZ-500 and AZ-400 Updates, 3 Google Professional Exam Preps, Practical ML Learning Path, C# Programming, and More

This month, our Content Team released tons of new content and labs in real cloud environments. Not only that, but we introduced our very first highly interactive "Office Hours" webinar. This webinar, Acing the AWS Solutions Architect Associate Certification, started with a quick overvie...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Rebecca Willis
Rebecca Willis
— June 3, 2020

Azure vs. AWS: Which Certification Provides the Brighter Future?

More and more companies are using cloud services, prompting more and more people to switch their current IT position to something cloud-related. The problem is most people only have that much time after work to learn new technologies, and there are plenty of cloud services that you can ...

Read more
  • AWS
  • Azure
  • certification
Alisha Reyes
Alisha Reyes
— June 2, 2020

Blog Digest: 5 Reasons to Get AWS Certified, OWASP Top 10, Getting Started with VPCs, Top 10 Soft Skills, and More

Thank you for being a valued member of our community! We recently sent out a short survey to understand what type of content you would like us to add to Cloud Academy, and we want to thank everyone who gave us their input. If you would like to complete the survey, it's not too late. It ...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • OWASP
  • OWASP Top 10
  • Security
  • VPCs