Authorization Controls in AWS
This course looks at some of the different methods that AWS implements to authorize access within your AWS account, whether this is a user requiring access to an AWS service, or a network packet trying to reach its destination.
- Learn how authorization is granted when working within your AWS account
- Understand how S3 handles its own authorization mechanisms
- Use network access control lists to authorize network packets to enter and leave different parts of your VPC
- Learn how AWS security groups provide security at the protocol and port access level
- AWS Administrators
- Security Engineers
- Security Architects
- Anyone looking to increase their knowledge of security and how authorization is governed within AWS
To get the most out of this course you should have a basic understanding of AWS IAM, Amazon S3, VPCs, and EC2, but this is not essential.
AWS security groups are associated with EC2 instances and provide security at the protocol and port access level, much like Network Access Control Lists (NACLs), and as a result they work in much the same way: each contains a set of rules that filter traffic coming into and going out of an EC2 instance, authorizing which communication can occur between instances. However, unlike NACLs, security group rules have no Deny action. Instead, if there is no rule that explicitly permits a particular packet, it is simply dropped. The rule set is made up of two parts, inbound rules and outbound rules.
Security groups are stateful, meaning you do not need matching rules in both the inbound and outbound rule sets for response traffic, unlike NACLs, which are stateless. Therefore, any rule that authorizes traffic into an EC2 instance will allow the response to be returned without an explicit rule in the outbound rule set.
Each rule comprises 8 fields:
- Name: As expected, this allows you to add a name for the rule, up to 255 characters in length
- Security Group Rule ID: This is created automatically and sets a unique identifier for the security group rule
- IP Version: Here you can select which IP version the rule applies to, IPv4 or IPv6
- Type: This dropdown list allows you to select common protocols such as SSH, RDP and HTTP. You can also choose custom protocols.
- Protocol: This is typically grayed out, as it is covered by most Type choices. However, if you create a custom rule, you can specify the protocol here
- Port range: This value will also usually be pre-filled, reflecting the default port range for your chosen protocol. However, there might be times when you prefer to use custom ports.
- Source: This can be a network or subnet range, a specific IP address, or another AWS security group. You can also leave access open to the entire internet using the Anywhere value.
- Description: This simply allows you to add a description for the rule itself
In the screenshot shown in the lecture, we can clearly see that access is authorized when the source IP address is 184.108.40.206/32 and the traffic is SSH over TCP on port 22. Security groups are a great way to authorize the use of particular ports for communication while blocking all other communication on ports that have not been permitted.
For example, you could have a number of SQL RDS instances that you want to write to from a group of EC2 instances. In this case, you could create one security group for the SQL RDS instances and another for the EC2 instances. You could then authorize communication between the two groups only over the specified permitted ports, such as 1433 and 1434, which are used by SQL. All other communication will be dropped, which in turn enhances the security of your AWS infrastructure.
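To make the three behaviours described above concrete (allow-only rules with an implicit drop, stateful replies, and a source given as another security group), here is an added Python model of security group evaluation applied to the EC2-to-RDS pairing from the lecture. It is example code written for this page, not AWS's implementation or any course material; the group ids and addresses are constructed, and it deliberately omits the allow-all outbound rule AWS adds to a new group so that the stateful reply path is visible.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
# protocol is "tcp", "udp" or "-1" (all); source is a CIDR or another group's id
Rule = namedtuple("Rule", "protocol from_port to_port source")
@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    flows: set = field(default_factory=set)   # accepted inbound flows (the state)

    def _match(self, rules, protocol, port, peer_ip, peer_groups):
        for r in rules:
            if r.protocol not in ("-1", protocol):
                continue
            if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
                continue
            if r.source in peer_groups:          # source given as a security group
                return True
            try:
                if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.source):
                    return True
            except ValueError:                   # a group id the peer is not in
                pass
        return False   # no rule allowed it: there is no Deny, it is simply dropped

    def allow_inbound(self, protocol, port, peer_ip, peer_groups=()):
        ok = self._match(self.inbound, protocol, port, peer_ip, peer_groups)
        if ok:
            self.flows.add((protocol, port, peer_ip))
        return ok

    def allow_outbound(self, protocol, port, peer_ip, peer_groups=(), reply_to=None):
        if reply_to in self.flows:   # stateful: replies need no outbound rule
            return True
        return self._match(self.outbound, protocol, port, peer_ip, peer_groups)

def rds_scenario():
    app_sg = SecurityGroup("sg-app-constructed")   # EC2 group; ids/addresses constructed
    rds_sg = SecurityGroup("sg-rds-constructed",
                           inbound=[Rule("tcp", 1433, 1434, app_sg.group_id)])
    # AWS also adds an allow-all outbound rule to new groups; omitted to show statefulness
    return {
        "app_to_sql": rds_sg.allow_inbound("tcp", 1433, "10.0.1.10", {app_sg.group_id}),
        "app_to_ssh": rds_sg.allow_inbound("tcp", 22, "10.0.1.10", {app_sg.group_id}),
        "stranger_to_sql": rds_sg.allow_inbound("tcp", 1433, "10.0.9.9"),
        "sql_reply": rds_sg.allow_outbound("tcp", 49152, "10.0.1.10", reply_to=("tcp", 1433, "10.0.1.10")),
    }
```

Only the first and last entries of the returned dict are True: the SQL port is reachable from members of the application group, SSH to the database and SQL from an unrelated host are dropped without any Deny rule, and the database's reply is allowed purely because of the tracked inbound flow.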
That now brings me to the end of this lecture and to the end of this course. You should now have a greater understanding of the different methods that AWS implements to authorize access within your AWS account.
If you have any feedback, positive or negative, please send an e-mail to firstname.lastname@example.org, your feedback is greatly appreciated.
Thank you for your time and good luck with your continued learning of cloud computing. Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to cloud, reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.