Security Group
Security Groups act as virtual firewalls for EC2 instances, RDS databases, Lambda functions (VPC-connected), and other AWS resources. They control inbound and outbound traffic based on defined rules.
β
Key Characteristics of Security Groups
β Stateful: If an inbound rule allows traffic, the response is automatically allowed. β Default Deny: All inbound traffic is denied unless explicitly allowed. β Instance-Level Security: Rules apply at the instance level, not the subnet level. β Supports Allow Rules Only: No explicit deny rules like Network ACLs.
π Security Group Use Cases & Scenarios
1οΈβ£ Web Server Access (Public-Facing Application)
Use Case: SecureCart hosts a public e-commerce website that users access via HTTPS. β Allow HTTP (80) and HTTPS (443) from anywhere (0.0.0.0/0). β Allow SSH (22) access only from a trusted IP (e.g., SecureCartβs office network).
Security Group Rules:
Protocol
Port
Source
Purpose
HTTP
80
0.0.0.0/0
Allow public web traffic
HTTPS
443
0.0.0.0/0
Secure web traffic (TLS)
SSH
22
Trusted IP Only
Secure SSH administration
β Best Practice:
Never expose SSH (22) to 0.0.0.0/0; use trusted IPs or AWS Systems Manager Session Manager.
2οΈβ£ Database Access in Private Subnet
Use Case: SecureCart uses an RDS database in a private subnet that only backend applications should access. β Allow inbound traffic only from application instances within the VPC.
Security Group Rules:
Protocol
Port
Source
Purpose
MySQL/Aurora
3306
App Server SG
Allow DB connections from the app
PostgreSQL
5432
App Server SG
Allow DB connections from the app
β Best Practice:
Use Security Group references instead of IP-based rules to allow traffic between instances dynamically.
Do not expose database ports to the internet (0.0.0.0/0).
3οΈβ£ Secure API Gateway with AWS Lambda in a VPC
Use Case: SecureCart runs an API behind API Gateway, triggering a Lambda function that accesses a private RDS instance. β Ensure API Gateway cannot directly access the database. β Use security groups to allow Lambda-to-RDS communication.
Security Group Rules:
Resource
Allowed Traffic
Lambda Function
Outbound to RDS (3306/5432)
RDS Database
Inbound from Lambda SG (3306)
β Best Practice:
Minimize direct access to databases from the internet.
Use VPC Endpoints instead of public API access when possible.
4οΈβ£ Load Balancer Securing EC2 Instances
Use Case: SecureCart runs its application behind an Application Load Balancer (ALB). β Allow only traffic from the ALB to the EC2 instances. β Allow only the public-facing ALB to receive internet traffic.
Security Group Rules:
Resource
Protocol
Port
Source
Purpose
ALB (Public)
HTTP
80
0.0.0.0/0
Allow public traffic
ALB (Public)
HTTPS
443
0.0.0.0/0
Secure TLS traffic
App Server (Private)
HTTP
80
ALB SG
Only allow traffic from ALB
β Best Practice:
Restrict ALB access to specific trusted IPs if itβs an internal app.
Ensure backend instances accept only ALB traffic, not direct external access.
5οΈβ£ Secure Remote Access with Bastion Host
Use Case: SecureCartβs engineers need secure access to EC2 instances in private subnets. β Allow SSH only to a bastion host in a public subnet. β Allow private EC2 instances to accept SSH only from the bastion host.
Security Group Rules:
Resource
Protocol
Port
Source
Purpose
Bastion Host
SSH
22
Trusted IPs
Secure engineer access
Private EC2
SSH
22
Bastion Host SG
Allow only bastion access
β Best Practice:
Use AWS Session Manager instead of a bastion host for increased security.
If using a bastion, rotate SSH keys and enable MFA.
6οΈβ£ Secure Data Transfers with VPC Peering
Use Case: SecureCart has separate VPCs for e-commerce services and payment processing. β Secure cross-VPC communication using VPC peering and security groups.
Security Group Rules:
Resource
Protocol
Port
Source
Purpose
E-commerce App (VPC-1)
HTTPS
443
Payment Processing SG
Secure API calls to payments
Payment Processing (VPC-2)
HTTPS
443
E-commerce App SG
Secure response traffic
β Best Practice:
Use private DNS resolution for seamless inter-VPC communication.
Apply security group rules instead of opening entire subnets.
π Security Group Best Practices
β Follow the principle of least privilege β Allow only necessary traffic. β Use Security Group references instead of IP addresses when possible. β Regularly audit security groups for unused or overly permissive rules. β Enable AWS Network Firewall or AWS WAF to add an extra layer of protection.
π Common Mistakes
β Exposing SSH (22) or RDP (3389) to the internet β Use VPN or AWS Systems Manager Session Manager. β Overly broad security group rules (e.g., allowing 0.0.0.0/0) β Always restrict to necessary IPs. β Not reviewing security group changes β Implement AWS Config to track changes. β Assuming security groups replace NACLs β Use NACLs for subnet-level filtering and security groups for instance-level protection.
π Summary
π AWS Security Groups provide fine-grained control over inbound and outbound traffic at the instance level, ensuring workload security and compliance. β Use security groups with ALB to restrict backend instance traffic. β Lock down RDS to allow access only from application servers. β Secure VPC peering by limiting inter-VPC traffic with security groups. β Use AWS best practices to enforce strong security and prevent misconfigurations.
Would you like a step-by-step lab guide for implementing security groups in AWS? π
Last updated