Network Monitoring and Security Groups
Start course

Launching your EC2 instance is just the first step to becoming an AWS professional: securing your cloud resources is something you just can't ignore. In this course the experienced Linux System Administrator David Clinton will share some common best practices to enhance your infrastructure security.

You'll learn how to manage access to your instances with IAM and Multi Factor Authentication, how to encrypt your storage, how to keep your Linux instance updated with security patches, how to monitor your system and your network to ensure that nobody unauthorized is using your resources, and finally, the basic principles of penetration testing and how to use nmap to ensure that your security group is properly configured.

Who should take this course

This course is aimed even at beginners with little or no experience with cloud security. Some basic knowledge about Linux system administration, TCP/IP, and security topics are recommended.

To increase your knowledge, you may want to check our many AWS courses, in particular the ones introducing EC2 and S3. And why not take the challenge and try out a quiz?


Hi, and welcome to's video series on security and particularly in relation to AWS, instances.

In this video, we'll discuss managing network access or really controlling your network ports which are open, which are closed, which offer access to the outside world. We've already discussed in a previous video Amazon's security groups.

Let's briefly review what we saw already. Click on "EC2," click on "Launch Instance," select "a machine," an "AMI" or A-M-I. Configure the instance details down in the bottom right corner. And now configure security group.

That's option number six at the top. Let's give a name to this new security group. Say "name" that should set it apart from all the others. And let's assign some rules. We'll allow SSH connections, secure shell. SSH stands for secure shell using the TCP protocol. Amazon knows that SSH uses the TCP protocol through port 22, which is the default SSH port. And coming at this point from anywhere. You could actually choose to restrict access to only my IP or a custom IP but we'll leave it as anywhere for now. Add one more rule just for illustration. Let's add HTTP access that is web browser access. Again, Amazon knows that HTTP will access by default through port 80. And we again have the option of choosing what source IP addresses we will allow. Let's review and launch. And although this may not be the most secure security group that exists it may well work for our purposes. You should also know how to monitor your network configuration from inside your Amazon AWS instance from the command line. The primary tool you'll use to keep track of what's open and available, what's accessible to the outside world is "netstat." You of course should use netstat only as the root user or under sudo. Using netstat without any arguments will display all active sessions any number of categories. For our purposes right now this top entry tells us that the local port which is our local address is open to SSH activity. And right now there is a session coming from a DSL account. The foreign address, that is the origin of the SSH access to this account is listed under foreign address. Netstat with the argument numeric ports will deliver, rather than the name of the protocol SSH, it'll deliver it in a numeric format. Come back up and we see rather than as a local address followed by SSH, which is the protocol that was open and available, it actually displays it as 22 which is the port SSH we'll use to access an SSH session by default. You might by the way want to change the port SSH sessions are allowed to connect to, to some number a higher number 55,223 or something like that. That provides a level of security through obscurity. Whereas, any hacker knows that people are often going to come into a system by SSH through port 22. It takes a particularly lucky hacker to figure out that it's actually port number 55,223. That's an option that you have.

In the meantime though, netstat tells us that this port 22 is open and that it's accepting an SSH session currently from this address. Netstat with the argument "ntlp" will display all open ports, whether they're active or not. And it'll tell us a little more information about what's accessible through this open port. For instance under the port 22 which of course is the SSH port. It gives us an IP of What is the significance of that IP which obviously doesn't really exist? It's telling us that SSHD is listening on all network interfaces.

One other important tool that you can add to your netstat arsenal is "grep." Now of course the vertical line is achieved by hitting shift and backslash at the same time. And then following with grep. Grep will narrow down the output of the netstat command. In our case, because there are so few ports open and so little activity actually happening on this account it's not really that useful. But you could for instance single out if you had a lot of output you wanted to work through you might single out the word "listen." So that only those ports that are open for listening would actually display.

About the Author
Learning Paths

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.