
Configuring a Security Group


The combination of Linux, Apache, MySQL, and Python or PHP (LAMP) is one of the most common software stacks for web servers, even for high-end web applications. In this course, the experienced sysadmin David Clinton will teach you how to install and configure a LAMP stack on AWS EC2 and RDS, also discussing security issues and selecting the right instance type for your application.

This course will cover all the steps in the process: from creating an instance to building a website-hosting LAMP stack. You'll find everything you need to configure your web server using EC2 (Elastic Compute Cloud) and RDS (Amazon Relational Database Service) to power your MySQL instance.

Who should take this course

This is a beginner course that aims to introduce basic AWS concepts to anyone looking for a quick guide to building a web server in the AWS cloud. We'll take you through all the basic steps, from configuring your Linux installation to using Amazon RDS to take advantage of AWS scalability.

You should have some basic Linux knowledge. If you are new to Amazon Web Services, why not watch our AWS Basics course or some of the other introductory courses to the common AWS services, like Amazon RDS?

And feel free to test your knowledge on the basic topics covered in this course by taking a quiz.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Hi. In this video, we're going to talk about a critically important task, when starting up or managing your EC2 instance, of choosing and properly configuring a security group. Let's launch an instance.

Again, in this series, we're working with Ubuntu, so we'll work with Ubuntu 14.04 server. And across the top, we see the tasks we have to perform. We've chosen an AMI. We are now, at least we could now choose an instance type. We're not going to worry about that now. We will then configure the instance, add storage if necessary, create a tag to identify this instance to make it easier to recognize from a long list. But for purposes now, we're going to click on configure security group. There are two main options. These radio buttons allow us to either create a new security group or select an existing security group. Let's first look at select an existing security group. These are three default options that Amazon provides you with. Let's look at the third, open ports.

We'll click on the open ports box, and we will see that there are five rules that have been defined as part of this group.

The first is SSH. That is the ability to log in in a text console to your instance through the Linux based facility of SSH.

It uses port 22, and at this point, any source IP address is allowed. will allow any to send traffic using SSH into our instance.

That's not as insecure as it may sound, because anybody who comes in will either need an authenticating password or a valid key pair. If that's not there, they're not coming in anyway. This security group also allows traffic from HTTP, which is hyper text transfer protocol, or better known as the web browsing protocol. If you want people, from anywhere in the internet, to have access to your instance via a web browser, this is the protocol you'll need to open up, and it uses port 80. HTTPS is also open, that is hyper text transfer protocol secure. That uses port 443 and also it allows traffic in this configuration from, that is from anywhere on the internet. That's an example of a pre-existing default group we could choose. We might also choose however, to create our new security group. Amazon offers us a very appropriate warning that leaving, meaning leaving your instance open to any traffic from anywhere on the internet, could be a security vulnerability. So be very careful how you define your rules. We currently have the SSH rule, which is pretty much critical.

If you have a Linux-based Amazon instance, and you don't have SSH open, then you're not going to be able to do anything with it. So that's got to be there. Let's add a new rule. We click on custom TCP rule, which is just a drop down box, or in this case, a drop up box, that will introduce us to all the pre-set rules that we could choose. Let's choose HTTPS, the secure hyper text transfer protocol. And again, it's given us port 443 and has opened us up to traffic from anywhere on the internet. Let's add another rule, which is important for our type of installation, a LAMP installation. Add a new rule. Click on the drop up box, and choose MySQL.

You'll remember that MySQL, of course, is the database software that we're using in our LAMP installation. Here, Amazon knows that MySQL uses port 3306, and it's given us an empty box to choose where we want the traffic coming from. We can choose a custom IP, that is to type in any specific IP address that, if we want to restrict access to only data coming from this source, we can set that now. You can type in a random address, and I just hope there isn't any real address on the internet that corresponds to these numbers. But it's entirely an accident if there happens to be one. That's for its net mask. And I could choose therefore, to restrict all MySQL traffic to only that traffic which comes from that source, or I could allow traffic to come from anywhere, or from my current IP. That's another option that Amazon allows. We now have a rule that will permit traffic to our MySQL database, from anywhere on the internet.

We can, of course, set our own authentication restrictions within MySQL, or perhaps the browser level. But the rule now exists to open up MySQL to traffic from the internet. Let's now give this security group a name. Let's call it Lamp Group. And a description, that is security protocols for lamp installation. Which will, of course, make it easier for us to find it from among a large list of security groups, and therefore, we might be able to use this particular security group on some other instances we may launch later. And we're basically done.

Make sure that you've included all the configuration details in the other windows from this instance, and then click on the blue review and launch, and you're on your way. And potentially, at least if we've done this correctly, we're quite secure.

In this video, we've briefly explored the user-friendly tools that Amazon has provided us to create secure and appropriate security rules.

We hope to see you next time.
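
Added example, not part of the course material: a Python check over rules in the `IpPermissions` shape returned by EC2's DescribeSecurityGroups, listing SSH, MySQL or other non-web ports whose source is "anywhere" rather than the custom-IP option shown in the video. The two rule sets and the address 203.0.113.10 are constructed samples; `audit_ingress` and `rule` are names chosen for this example.

```python
import ipaddress

PUBLIC_PORTS = {80, 443}                     # web ports meant to face the internet
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL"}  # admin/database ports from the video


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, a source range that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(permissions):
    """Return sorted (port_label, cidr) pairs for world-open, non-web ingress rules."""
    findings = set()
    for perm in permissions:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = [c for c in cidrs if is_world_open(c)]
        if not open_cidrs:
            continue
        if perm["IpProtocol"] == "-1":            # "all traffic" rule
            lo, hi = 0, 65535
        elif perm["IpProtocol"] in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            continue                              # ICMP etc. carry no port range
        # A port range can cover a sensitive port without naming it.
        exposed = [f"{p}/{n}" for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
        if not exposed and not all(p in PUBLIC_PORTS for p in range(lo, hi + 1)):
            exposed = [f"{lo}-{hi}/other"]
        findings.update((label, c) for label in exposed for c in open_cidrs)
    return sorted(findings)


def rule(port, cidr):
    """Build one single-port TCP ingress rule (helper for the samples below)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample: the "Lamp Group" as built in the video.
LAMP_GROUP = [rule(22, "0.0.0.0/0"), rule(443, "0.0.0.0/0"), rule(3306, "0.0.0.0/0")]
# Constructed variant: SSH and MySQL limited to one custom IP (documentation range).
RESTRICTED = [rule(22, "203.0.113.10/32"), rule(443, "0.0.0.0/0"),
              rule(3306, "203.0.113.10/32")]

if __name__ == "__main__":
    for label, cidr in audit_ingress(LAMP_GROUP):
        print(f"open to {cidr}: {label}")
```
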

About the Author
David Clinton
Linux SysAdmin

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.