AWS Security Groups and Network ACLs
Amazon Web Services provides several firewall mechanisms. Security Groups are the primary one for controlling traffic to EC2 instances that host web servers: they act as virtual firewalls at the instance level and apply stateful packet filtering based on the rules you define.
Configuring Security Groups for web servers:

```bash
# Create a security group for web servers and capture the GroupId the call returns
# (the original example used the literal ID sg-903004f8 in the following commands)
SG_ID=$(aws ec2 create-security-group \
  --group-name web-server-sg \
  --description "Security group for web servers" \
  --vpc-id vpc-12345678 \
  --query 'GroupId' --output text)

# Allow HTTPS from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id "$SG_ID" \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

# Allow HTTP from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id "$SG_ID" \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Allow SSH only from a specific IP range (here a private RFC 1918 block), never from 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-id "$SG_ID" \
  --protocol tcp \
  --port 22 \
  --cidr 10.0.0.0/8
```
Security Groups are stateful: once a connection is permitted in one direction, the return traffic for that connection is allowed automatically. This simplifies rule management, but you need to understand the implications. For example, if an instance is allowed to make outbound HTTPS (port 443) connections, the responses are permitted without any explicit inbound rule, so the inbound rule set alone does not describe all the traffic the instance can receive.
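Rules like the ones above are easy to get wrong over time (an "allow SSH from anywhere" added for a quick debugging session is the classic case), so it is worth auditing the live rule set against the intended policy. The following Python script is an added example and not part of the original page or of any AWS tooling: it parses a constructed sample in the JSON shape that `aws ec2 describe-security-groups --output json` returns and flags ingress rules that are open to the world (0.0.0.0/0 or ::/0) on anything other than ports 80 and 443. The group `sg-0000example` and all rule contents in the sample are made up for illustration.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields the audit reads. Group IDs, names and rules are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-903004f8",
            "GroupName": "web-server-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            # Constructed, deliberately over-permissive group used to show findings.
            "GroupId": "sg-0000example",
            "GroupName": "legacy-admin-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # IpProtocol "-1" means all protocols and all ports.
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            ],
        },
    ]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_WEB_PORTS = {80, 443}


def rule_ports(rule: Dict) -> str:
    """Human-readable port range; protocol -1 has no port fields and means everything."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    return f"{rule.get('FromPort')}-{rule.get('ToPort')}"


def rule_is_world_open(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    v4 = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    v6 = {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def rule_exposes_non_web_port(rule: Dict) -> bool:
    """True unless the rule is exactly one of the public web ports over TCP/UDP."""
    proto = rule.get("IpProtocol")
    if proto == "-1" or proto not in ("tcp", "udp"):
        return True
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return not (lo == hi and lo in PUBLIC_WEB_PORTS)


def audit_security_groups(describe_json: str) -> List[Dict]:
    """Return one finding per ingress rule that is world-open on a non-web port."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if rule_is_world_open(rule) and rule_exposes_non_web_port(rule):
                findings.append({
                    "group_id": group["GroupId"],
                    "group_name": group.get("GroupName", ""),
                    "protocol": rule.get("IpProtocol"),
                    "ports": rule_ports(rule),
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} {f['ports']} open to the world")
```

Against the constructed sample the web server group produces no findings, while the legacy group is reported twice (SSH from anywhere, and all traffic from any IPv6 address). In practice you would pipe the real CLI output into `audit_security_groups` and run it on a schedule, since a clean result today says nothing about rules added tomorrow.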
Network ACLs provide an additional layer of security at the subnet level:

```bash
# Create a custom Network ACL and capture its ID (the original example used acl-5fb85d36).
# A new custom NACL denies all traffic in both directions until entries are added,
# and it has no effect until it is associated with a subnet.
ACL_ID=$(aws ec2 create-network-acl \
  --vpc-id vpc-12345678 \
  --query 'NetworkAcl.NetworkAclId' --output text)

# Add rules. NACLs are stateless, so every flow needs explicit inbound AND outbound rules.
# Entries are evaluated in ascending rule-number order and the first match wins;
# ingress and egress entries are numbered independently.

# Inbound HTTPS requests from any client
aws ec2 create-network-acl-entry \
  --network-acl-id "$ACL_ID" \
  --rule-number 100 \
  --protocol tcp \
  --rule-action allow \
  --ingress \
  --port-range From=443,To=443 \
  --cidr-block 0.0.0.0/0

# Outbound HTTPS responses back to the clients' ephemeral source ports
# (1024-65535 covers the ranges commonly used by client operating systems)
aws ec2 create-network-acl-entry \
  --network-acl-id "$ACL_ID" \
  --rule-number 100 \
  --protocol tcp \
  --rule-action allow \
  --egress \
  --port-range From=1024,To=65535 \
  --cidr-block 0.0.0.0/0
```
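The stateless behaviour is easiest to see by simulating how AWS evaluates these entries. The following Python model is an added example, not part of the original page or of any AWS tooling: it encodes the documented NACL semantics (per-direction evaluation, ascending rule number, first match wins, implicit final deny for anything unmatched) and runs the two entries above through an HTTPS request and its reply. It then shows what happens when the egress rule is missing and when a client uses a source port below the 1024-65535 range. The client addresses and ports are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple


@dataclass(frozen=True)
class NaclEntry:
    """One Network ACL entry, mirroring the create-network-acl-entry parameters."""
    rule_number: int      # evaluated lowest first; the first match decides
    egress: bool          # True for --egress, False for --ingress
    protocol: str         # "tcp", "udp", "icmp" or "-1" for all protocols
    action: str           # "allow" or "deny"
    cidr: str             # source CIDR for ingress, destination CIDR for egress
    port_from: int = 0
    port_to: int = 65535


@dataclass(frozen=True)
class Packet:
    egress: bool          # True if the packet is leaving the subnet
    protocol: str
    peer_ip: str          # off-subnet address: source on ingress, destination on egress
    dst_port: int         # destination port carried by the packet


def evaluate_nacl(entries: Iterable[NaclEntry], pkt: Packet) -> str:
    """Stateless NACL evaluation: only entries for the packet's direction apply,
    in ascending rule-number order; the first match wins; the implicit trailing
    '*' rule denies anything no entry matched."""
    candidates = sorted((e for e in entries if e.egress == pkt.egress),
                        key=lambda e: e.rule_number)
    for e in candidates:
        if e.protocol != "-1" and e.protocol != pkt.protocol:
            continue
        if ip_address(pkt.peer_ip) not in ip_network(e.cidr):
            continue
        if not (e.port_from <= pkt.dst_port <= e.port_to):
            continue
        return e.action
    return "deny"


def https_exchange(entries: Iterable[NaclEntry], client_ip: str,
                   client_port: int) -> Tuple[str, str]:
    """Verdicts for a client's TCP request to port 443 and the server's reply to the
    client's ephemeral port. Both must be 'allow' for the connection to work, because
    the NACL does not remember that the request was admitted."""
    entries = list(entries)
    request = Packet(egress=False, protocol="tcp", peer_ip=client_ip, dst_port=443)
    response = Packet(egress=True, protocol="tcp", peer_ip=client_ip, dst_port=client_port)
    return evaluate_nacl(entries, request), evaluate_nacl(entries, response)


# The two entries created above (rule 100 ingress and rule 100 egress).
PAGE_RULES = [
    NaclEntry(100, False, "tcp", "allow", "0.0.0.0/0", 443, 443),
    NaclEntry(100, True, "tcp", "allow", "0.0.0.0/0", 1024, 65535),
]
# The common mistake: only the inbound half was created.
INGRESS_ONLY = PAGE_RULES[:1]

if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address (documentation range)
    print(https_exchange(PAGE_RULES, client, 51000))    # ('allow', 'allow')
    print(https_exchange(INGRESS_ONLY, client, 51000))  # ('allow', 'deny'): reply has no egress rule
    print(https_exchange(PAGE_RULES, client, 1023))     # ('allow', 'deny'): port outside 1024-65535
    # Rule ordering: a lower-numbered deny for one range beats the broader allow at 100.
    blocked = [NaclEntry(90, False, "tcp", "deny", "198.51.100.0/24")] + PAGE_RULES
    print(https_exchange(blocked, "198.51.100.7", 51000))  # ('deny', 'allow')
```

The second and third cases are the ones that bite in production: the request reaches the server, the server answers, and the reply is silently dropped at the subnet boundary, which from the client looks like a hung TLS handshake rather than a refused connection. A Security Group would have passed the reply without any rule because it tracks connection state; the NACL does not, so the reply direction must be written out explicitly.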