EC2 Security Groups

From the very beginning, Amazon AWS introduced a security concept called Security Groups in its Elastic Compute Cloud (EC2). Every virtual instance must be linked to one or more security groups when it is launched. A security group consists of a set of rules (called permissions) that describe who may access an instance and how. They let you specify port ranges, protocols and source IP address ranges, and are thus very close to firewall rules.

But security groups are even more powerful, since they also allow granting access to other security groups (instead of IP address ranges). This makes it possible to divide an infrastructure into different security zones (like a DMZ versus a critical zone) with precise security policies and perimeters.
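As an added illustration (not code from this post or from AWS), the following Python model shows how ingress rules with a CIDR source and rules with a security-group source are evaluated, and why a group reference lets a critical zone admit only members of the DMZ regardless of their addresses. The group names, ports and addresses are constructed sample values.

```python
"""Toy model of EC2 security-group ingress evaluation (added example,
not AWS code). All groups, ports and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int  # inclusive start of the port range
    to_port: int    # inclusive end of the port range
    source: str     # a CIDR block, or the name of another security group


# Constructed zone layout: the DMZ is reachable from anywhere on HTTPS and from
# an admin range on SSH; the critical zone accepts the database port only from
# instances that are members of the "dmz" group.
SECURITY_GROUPS = {
    "dmz": [
        Rule("tcp", 443, 443, "0.0.0.0/0"),
        Rule("tcp", 22, 22, "203.0.113.0/24"),
    ],
    "critical": [
        Rule("tcp", 5432, 5432, "dmz"),
    ],
}


def ingress_allowed(dst_groups, protocol, port, src_ip, src_groups=()):
    """Return True if any rule of any destination group admits the connection.

    Rules are permissive only: there is no deny rule, and egress is never
    filtered here, mirroring the behaviour the post describes.
    """
    src = ipaddress.ip_address(src_ip)
    for group in dst_groups:
        for rule in SECURITY_GROUPS[group]:
            if rule.protocol != protocol or not rule.from_port <= port <= rule.to_port:
                continue
            if rule.source in SECURITY_GROUPS:
                # Group reference: decided by the sender's membership, not its address.
                if rule.source in src_groups:
                    return True
            elif src in ipaddress.ip_network(rule.source):
                return True
    return False


if __name__ == "__main__":
    print(ingress_allowed(["dmz"], "tcp", 443, "198.51.100.7"))                      # True
    print(ingress_allowed(["critical"], "tcp", 5432, "198.51.100.7"))                # False
    print(ingress_allowed(["critical"], "tcp", 5432, "10.0.1.5", src_groups=("dmz",)))  # True
```

The same DMZ instance that reaches the database is refused if it is not a member of the referenced group, which is what makes group references a zone boundary rather than an address list.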

As far as I could see, there are three major features missing from Security Groups:

  • rules can only restrict incoming traffic, not outgoing
  • lack of reporting (at least some logging)
  • lack of blacklisting to drop/reject malicious IP addresses

The first one (no rules for outgoing traffic) is important because egress rules help to contain scenarios where someone gains control over a service and uses it to communicate with the outside. A solution could be an additional firewall such as iptables on every virtual instance. The second missing feature (access logs) would help to identify attackers using port scanners: EC2 may detect and ban some of them, but there is no information about the granularity of detection and a total lack of transparency for the EC2 customer. The third missing feature (blacklisting) would make it possible to identify IP addresses that showed malicious behaviour in one zone (security group) and ban them from all other zones (security groups). This would allow DDoS (Distributed Denial of Service) attacks to be cut off quickly, before they reach other servers.

Finally, some remarks on another feature that is often cited as missing: the fact that an instance cannot change its security groups after launch. I don’t think this should be changed: in terms of security, you should restrict network access before connecting to the network, to ensure that there is no vulnerability window before everything is up and working. In any case, you can simply relaunch your instance with a new security group with new rules.

2 thoughts on “EC2 Security Groups”

    • Hi John,
      Thanks for your input. Could you tell us more about how it solves those 3 issues and how it integrates with Amazon EC2?

      /fred
