VPC Security

Security Groups (SGs)

Definition
  • Virtual STATEFUL firewalls (FWs) attached to instances/ENIs, with separate rule sets for inbound and outbound
Default
  • ALLOW comms between all resources within the same SG (an inbound rule whose source is the SG itself)
  • NO other INBOUND is allowed
  • ALLOW all OUTBOUND traffic
  • DENY all other traffic
  • Can be altered, not deleted
DIRECTION   SRC/DST     PROT   PORT   INFO
INBOUND     sg-xxx      ALL    ALL    allow all INBOUND from instances within the SG
OUTBOUND    0.0.0.0/0   ALL    ALL    allow all OUTBOUND
Rules
  • <= 500 SGs per VPC
  • <= 50 inbound & <= 50 outbound rules per SG (if you need more, attach up to 5 SGs to each ENI)
  • You can specify
    • ALLOW rules only, no DENY rules (main difference from ACLs)
    • Separate rules for INBOUND/OUTBOUND
  • Are STATEFUL = responses to allowed inbound traffic are allowed outbound & vice versa (!= ACLs)
  • Instances associated with the same SG cannot talk to each other unless you add a rule allowing it (the exception is the default SG, which has such a rule)

ACLs

Definition
  • STATELESS FW at the SUBNET level
  • Numbered list of rules evaluated in order (lowest number first; the first matching rule decides) to determine which traffic is allowed in/out of the subnet
  • Default deny (an immutable final rule, the * rule, denies anything no earlier rule matched)
  • Every subnet must be associated with an ACL
Default
  • A VPC is created with a modifiable default ACL, associated with each subnet that has no explicit ACL
  • ALLOW ALL inbound/outbound

SGs vs ACLs

SG                                               | ACL
-------------------------------------------------|---------------------------------------------------------------
INSTANCE level                                   | SUBNET level
ALLOW rules only                                 | ALLOW & DENY rules
STATEFUL (return traffic autom. allowed)         | STATELESS (return traffic must be explicitly allowed)
ALL rules evaluated BEFORE deciding to allow     | Rules processed in NUMBERED ORDER (first match wins)
Applied SELECTIVELY to individual instances      | AUTOM. APPLIED to ALL instances w/in a SUBNET (backup layer of defense)
Use: to ALLOW specific traffic                   | Use: to DENY traffic between subnets
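The three behaviours the notes above contrast (SGs allow-only and stateful, ACLs numbered with first match wins and stateless with the * deny at the end) are easy to get wrong in practice, so here is a small rule evaluator that models them. This is an added example, not code from the original notes or from AWS; the Packet/Rule shapes, the function names and the 203.0.113.0/24 client network are constructed for the model and are not the AWS API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    peer: str    # the remote (non-instance) address of the packet
    proto: str   # "tcp", "udp" or "icmp"
    port: int    # destination port of the packet (instance port for inbound,
                 # remote port for outbound); 0 for icmp


@dataclass(frozen=True)
class Rule:
    cidr: str              # remote address range; "0.0.0.0/0" = anywhere
    proto: str             # "tcp", "udp", "icmp" or "all"
    ports: tuple           # inclusive (low, high) destination-port range
    action: str = "allow"  # SGs only have "allow"; ACLs have "allow" or "deny"
    number: int = 0        # ACL rule number (evaluation order); unused for SGs


def matches(rule: Rule, pkt: Packet) -> bool:
    low, high = rule.ports
    return (ip_address(pkt.peer) in ip_network(rule.cidr)
            and rule.proto in ("all", pkt.proto)
            and low <= pkt.port <= high)


def sg_decides(rules, pkt: Packet) -> str:
    """Security group: every rule is an ALLOW; any match allows the packet,
    no match drops it. There is no way to express a DENY."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot contain DENY rules")
    return "allow" if any(matches(r, pkt) for r in rules) else "deny"


def nacl_decides(rules, pkt: Packet) -> str:
    """Network ACL: rules are walked from the lowest number up and the first
    match decides; the immutable final * rule denies whatever is left."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action
    return "deny"  # the * catch-all


def connection(kind: str, inbound, outbound, request: Packet, reply: Packet):
    """Decide a request packet and its reply. An SG is stateful: an allowed
    request makes its reply allowed without consulting outbound rules. An ACL
    is stateless: the reply is judged on its own against the outbound rules."""
    if kind == "sg":
        req = sg_decides(inbound, request)
        rep = "allow" if req == "allow" else "deny"
    elif kind == "nacl":
        req = nacl_decides(inbound, request)
        rep = nacl_decides(outbound, reply)
    else:
        raise ValueError(kind)
    return req, rep


# Constructed scenario: a web server on 443 and a client in 203.0.113.0/24.
CLIENT = "203.0.113.7"
REQUEST = Packet(CLIENT, "tcp", 443)    # client -> instance:443
REPLY = Packet(CLIENT, "tcp", 50000)    # instance:443 -> client's ephemeral port
ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)
EPHEMERAL = (1024, 65535)


def block_client_net(number: int) -> Rule:
    return Rule("203.0.113.0/24", "tcp", ALL_PORTS, "deny", number)


def demo() -> dict:
    results = {}
    allow_https = Rule(ANY, "tcp", (443, 443), "allow", 100)
    # 1. ACL ordering: the DENY only bites if its number is below the ALLOW.
    results["deny_numbered_before_allow"] = nacl_decides([allow_https, block_client_net(50)], REQUEST)
    results["deny_numbered_after_allow"] = nacl_decides([allow_https, block_client_net(150)], REQUEST)
    # 2. ACL statelessness: the reply needs an explicit outbound ephemeral-port rule.
    out_forgot = [Rule(ANY, "tcp", (443, 443), "allow", 100)]
    out_fixed = out_forgot + [Rule(ANY, "tcp", EPHEMERAL, "allow", 110)]
    results["nacl_reply_without_ephemeral"] = connection("nacl", [allow_https], out_forgot, REQUEST, REPLY)
    results["nacl_reply_with_ephemeral"] = connection("nacl", [allow_https], out_fixed, REQUEST, REPLY)
    # 3. SG statefulness: same inbound rule, no outbound rules at all, reply still flows.
    results["sg_reply_no_outbound_rules"] = connection("sg", [Rule(ANY, "tcp", (443, 443))], [], REQUEST, REPLY)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running demo() shows the two classic mistakes: an ACL DENY that is numbered after a broad ALLOW never fires, and an ACL whose outbound side lacks the 1024-65535 range silently breaks replies that the matching SG would have let through.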

Flow Logs

Use Cases
  • Enabled to capture information about the IP traffic going to and from network interfaces in the VPC
  • Log data is stored using CloudWatch Logs
  • Flow logs can be created at 3 levels: VPC, subnet, network interface
Limitations
  • Not possible to enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
  • You cannot tag a flow log
  • After you've created a flow log, you cannot change its configuration (e.g., you cannot associate a different IAM role with the flow log)
Not all traffic is monitored
  • Traffic generated by instances when they contact the Amazon DNS server (DNS traffic is logged if you use your own DNS server)
  • Traffic generated by a Windows instance for Amazon Windows license activation
  • Traffic to and from 169.254.169.254 for instance metadata
  • DHCP traffic
  • Traffic to the reserved IP address for the default VPC router
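Since flow log records end up in CloudWatch Logs as whitespace-separated lines, the first thing a defender needs is a parser that understands the default record format and the NODATA/SKIPDATA status lines, followed by a summary of what the VPC rejected. The following is an added example, not code from the original notes or from AWS; the log lines, the account id, the ENI id and the addresses are constructed placeholders. Keep the list above in mind when reading results: instance-metadata (169.254.169.254), Amazon DNS and DHCP traffic never appear, so their absence from a log is not evidence they did not happen.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
IANA_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: one source probing four ports (all rejected by the
# subnet's SG/ACL), a normal HTTPS exchange, and one NODATA status record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 44123 22 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 44124 23 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 44125 3389 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.15 44126 445 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.3 10.0.1.15 52000 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 198.51.100.3 443 52000 6 10 9800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000119 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one record into a dict; numeric fields become ints, and the '-'
    placeholders found in NODATA/SKIPDATA records become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    rec["proto_name"] = IANA_PROTO.get(rec["protocol"], str(rec["protocol"]))
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records) -> dict:
    """srcaddr -> set of destination ports that were REJECTed for that source.
    Only OK records carry traffic fields; status-only records are skipped."""
    seen = defaultdict(set)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            seen[rec["srcaddr"]].add(rec["dstport"])
    return dict(seen)


def probable_port_scanners(records, min_ports: int = 3) -> list:
    """Sources rejected on at least min_ports distinct ports, a cheap first
    triage signal over a REJECT-heavy log."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def accepted_bytes_by_pair(records) -> dict:
    """(srcaddr, dstaddr) -> bytes ACCEPTed, for spotting unexpected volume."""
    totals = defaultdict(int)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "ACCEPT":
            totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejected ports:", rejected_ports_by_source(recs))
    print("probable scanners:", probable_port_scanners(recs))
    print("accepted bytes:", accepted_bytes_by_pair(recs))
```

The parser deliberately refuses lines with the wrong field count rather than guessing, because a custom flow log format (or a truncated line) silently shifts every column; point FIELDS at the format string of your own flow log if it is not the default.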