VPC Security

Security Groups (SGs)¶

Definition

Virtual STATEFUL FWs
- Return traffic from an allowed inbound connection is automatically permitted to leave the instance
- Separate sets for inbound/outbound
Limits:
- Up to 2,500 SGs per region
- Up to 5 SGs per network interface
- 60 inbound and 60 outbound rules per SG

Default

DIRECTION	SRC	PROT	PORT	INFO
INBOUND	`sg-xxx`	`ALL`	`ALL`	allow all INBOUND from instances within SG
OUTBOUND	`0.0.0.0/0`	`ALL`	`ALL`	allow all OUTBOUND

Rules

You can specify
- ALLOW, not DENY rules (main different from ACLs)
- Separate rules for INBOUND/OUTBOUND
Are STATEFUL = responses to allowed inbound are allowed outbound & viceversa (!= from ACLs)
Instances associated with same SG cannot talk to each other unless you add rules allowing it (exception being the default SG)


Definition	STATELESS FW on a SUBNET level Return traffic must be explicitly allowed (or denied) via additional rules Numbered list of rules evaluated in order (starting from low number) to determine which traffic is allowed in/out subnet Default deny (there's an immutable final deny rule that matches all) Every subnet must be associated with ACL
Default	VPC created with modifiable default ACL associated with each subnet Default rules: Rule `100`: ALLOW all traffic from all protocols, all port ranges, from any source (ALLOW ALL inbound/outbound) Rule `*`: DENY all traffic from all protocols, all port ranges, from any source (basically useless given Rule `100`)
Rules	Rule Number: when a rule matches traffic, it is immediately applied independently of any higher-numbered rule that may contradict it Type: Custom TCP rule, Custom UDP rule, Custom ICMP rule, Custom Protocol Rule, ALL TCP, ALL UDP, ALL ICMP – IPv4, ALL ICMP – IPv6, ALL Traffic, or specific protocols Protocol: the IP protocol number for the packets you are referring in the rule Port Range Source (inbound rules only) or Destination (outbound rules only): the the IP address or range that is allowed or denied by the rule Allow/Deny

SG	ACL
INSTANCE level (attached to ENI)	SUBNET level (attached to Subnet)
ALLOW rules only	ALLOW & DENY rules
STATEFUL (return traffic autom. allowed)	STATELESS (return traffic must be explicitly allowed)
ALL rules evaluated BEFORE deciding to allow	Rules processed in NUMBERED ORDER
Applied SELECTIVELY to individual instances	AUTOM. APPLIED to ALL instances w/in a SUBNET (backup layer of defense)
To ALLOW specific traffic	To DENY between subnets


Use Cases	Enable to capture information about the traffic going to and from network interfaces in the VPC Log data is stored using CloudWatch Logs Flow logs can be created at 3 levels: VPC, subnet, network interface
Limitations	Not possible to enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account You cannot tag a flow log After you've created a flow log, you cannot change its configuration (i.e., you cannot associate a different IAM role with the flow log)
Not all traffic is monitored	Traffic generated by instances when they contact the Amazon DNS server (DNS traffic is logged if you use your own DNS server) Traffic generated by a Windows instance for Amazon Windows license activation Traffic to and from 169.254.169.254 for instance metadata DHCP traffic Traffic to the reserved IP address for the default VPC router

Flow Log Format

<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport>
<protocol> <packets> <bytes> <start> <end> <action> <log-status>