Amazon VPC provides three features that you can use to increase and monitor the security for your VPC:
• Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
• Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
• Flow logs — Capture information about the IP traffic going to and from network interfaces in your VPC
You can monitor the accepted and rejected IP traffic going to and from your instances by creating a flow log for a VPC, subnet, or individual network interface. Flow log data is published to CloudWatch Logs, and can help you diagnose overly restrictive or overly permissive security group and network ACL rules.
Amazon security groups and network ACLs don't filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved addresses (the first four IP addresses and the last one in each subnet). Similarly, flow logs do not capture IP traffic to or from these addresses.
These addresses support the following services: Domain Name Services (DNS), Dynamic Host Configuration Protocol (DHCP), Amazon EC2 instance metadata, Key Management Server (KMS—license management for Windows instances), and routing in the subnet.
You can implement additional firewall solutions in your instances to block network communication with link-local addresses.
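The flow log diagnosis described above, as an added example that is not part of the original page or of AWS's own tooling. It assumes the default flow log record format (version 2, space-separated fields as published to CloudWatch Logs) and a VPC CIDR of 10.0.0.0/16; the account ID, interface ID and records below are constructed. It also lists the reserved addresses of a subnet (first four and last), which, per the text above, never appear in a flow log because that traffic is neither filtered nor captured.

```python
"""Summarise VPC flow log records to find rule problems.

Added example (not AWS code). Assumes the default flow log record format
(version 2, space-separated) and a VPC CIDR of 10.0.0.0/16. The sample
records, interface id and account id are constructed, not captured traffic.
"""
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
ADMIN_PORTS = {22, 3389}   # an ACCEPT here from outside the VPC deserves review

# Constructed sample records: one accepted SSH session from inside the VPC, two
# rejected SSH attempts from outside, one accepted RDP session from outside
# (overly permissive?), one rejected HTTPS connection from inside the VPC
# (overly restrictive?), and one NODATA record that carries no traffic fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.0.8 10.0.1.25 50123 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55012 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55013 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 40001 3389 6 3 120 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.25 41000 443 6 5 600 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
"""


def aws_reserved(subnet_cidr):
    """Addresses AWS reserves in a subnet: the first four and the last one.
    Security groups and network ACLs do not filter traffic to or from them and
    flow logs do not record it, so they never show up in a summary."""
    hosts = list(ipaddress.ip_network(subnet_cidr))
    return {str(a) for a in hosts[:4]} | {str(hosts[-1])}


def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None   # no traffic fields to interpret
    rec["srcport"] = int(rec["srcport"])
    rec["dstport"] = int(rec["dstport"])
    rec["protocol"] = PROTO.get(rec["protocol"], rec["protocol"])
    return rec


def summarize(text):
    """Count REJECTs per destination (split by whether the source is inside the
    VPC) and list ACCEPTs on admin ports whose source is outside the VPC."""
    rejects = Counter()
    external_admin_accepts = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src_side = "inside" if ipaddress.ip_address(rec["srcaddr"]) in VPC_CIDR else "outside"
        dst = (rec["dstaddr"], rec["protocol"], rec["dstport"])
        if rec["action"] == "REJECT":
            rejects[dst + (src_side,)] += 1
        elif rec["action"] == "ACCEPT" and rec["dstport"] in ADMIN_PORTS and src_side == "outside":
            external_admin_accepts.append((rec["srcaddr"],) + dst)
    return rejects, external_admin_accepts


def findings(text):
    """Human-readable findings: REJECTs from inside the VPC hint at overly
    restrictive rules, admin-port ACCEPTs from outside at overly permissive ones."""
    rejects, accepts = summarize(text)
    out = []
    for (dstaddr, proto, port, side), n in sorted(rejects.items()):
        out.append(f"REJECT x{n} from {side} VPC -> {dstaddr} {proto}/{port}")
    for src, dstaddr, proto, port in accepts:
        out.append(f"ACCEPT on admin port from outside VPC {src} -> {dstaddr} {proto}/{port}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```

Rejected connections from outside the VPC on port 22 are the rules doing their job; a rejected connection from inside the VPC on port 443 is the kind of record that points at a missing allow rule, and an accepted RDP session from an address outside the VPC is the kind that points at one that is too wide.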
Comparison of Security Groups and Network ACLs:
Security Groups for Your VPC:
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Security Group Basics
The following are the basic characteristics of security groups for your VPC:
• You can create up to 500 security groups per VPC. You can add up to 50 rules to each security group, and associate up to 5 security groups per network interface.
• You can specify allow rules, but not deny rules.
• You can specify separate rules for inbound and outbound traffic.
• By default, no inbound traffic is allowed until you add inbound rules to the security group.
• By default, an outbound rule allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
• Security groups are stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa. For more information, see Connection Tracking in the Amazon EC2 User Guide for Linux Instances.
• Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).
• Security groups are associated with network interfaces. After you launch an instance, you can change the security groups associated with the instance, which changes the security groups associated with the primary network interface (eth0). You can also change the security groups associated with any other network interface. For more information about network interfaces, see Elastic Network Interfaces (ENI).
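The rule evaluation described in the list above, as an added example that is not AWS code or part of the original page. It models one network interface with the stated characteristics: allow rules only, no inbound traffic until a rule allows it, a default rule allowing all outbound traffic that you can replace, stateful handling of responses in both directions, a group-as-source rule of the kind the default security group carries, and the limits of 5 groups per interface and 50 rules per group. Group names, addresses and ports are made up.

```python
"""Model of how security group rules decide whether traffic passes.

Added example (not AWS code): one network interface, allow rules only,
default deny inbound, default allow-all outbound, stateful replies, and the
limits stated in the text. Group names and addresses are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = "-1"   # AWS convention for "all protocols / all ports"


@dataclass(frozen=True)
class Rule:
    """One allow rule; security groups have no deny rules."""
    protocol: str                  # "tcp", "udp", "icmp" or ALL
    from_port: int
    to_port: int
    cidr: Optional[str] = None     # remote range (source for inbound, destination for outbound)
    group: Optional[str] = None    # or: the remote side must be a member of this group

    def matches(self, protocol, port, remote_addr, remote_groups):
        if self.protocol != ALL and (self.protocol != protocol
                                     or not self.from_port <= port <= self.to_port):
            return False
        if self.cidr is not None:
            return ipaddress.ip_address(remote_addr) in ipaddress.ip_network(self.cidr)
        return self.group in remote_groups


class SecurityGroup:
    MAX_RULES = 50   # limit stated in the text

    def __init__(self, name, inbound=(), outbound=None):
        self.name = name
        self.inbound = list(inbound)   # nothing comes in unless a rule is added
        # The default outbound rule allows everything; pass outbound=[...] to replace it.
        self.outbound = (list(outbound) if outbound is not None
                         else [Rule(ALL, 0, 65535, cidr="0.0.0.0/0")])
        if len(self.inbound) + len(self.outbound) > self.MAX_RULES:
            raise ValueError(f"{name}: more than {self.MAX_RULES} rules")


def default_security_group():
    """The VPC default group: members may reach each other, all egress allowed."""
    return SecurityGroup("default", inbound=[Rule(ALL, 0, 65535, group="default")])


class NetworkInterface:
    MAX_GROUPS = 5   # limit stated in the text

    def __init__(self, addr, groups):
        if not 1 <= len(groups) <= self.MAX_GROUPS:
            raise ValueError(f"an interface carries 1 to {self.MAX_GROUPS} groups")
        self.addr = addr
        self.groups = list(groups)
        self.tracked = set()   # allowed flows: (protocol, local_port, remote_addr, remote_port)

    def _allowed(self, direction, protocol, local_port, remote_addr, remote_port, remote_groups):
        flow = (protocol, local_port, remote_addr, remote_port)
        if flow in self.tracked:
            return True   # stateful: the reply to an allowed flow passes regardless of rules
        # Inbound rules name the instance's own port, outbound rules the remote port.
        port = local_port if direction == "in" else remote_port
        rules = [r for g in self.groups for r in (g.inbound if direction == "in" else g.outbound)]
        if any(r.matches(protocol, port, remote_addr, remote_groups) for r in rules):
            self.tracked.add(flow)   # remember it so the reply is let back through
            return True
        return False   # no rule allowed it, so it is dropped

    def inbound(self, protocol, src_addr, src_port, dst_port, src_groups=frozenset()):
        return self._allowed("in", protocol, dst_port, src_addr, src_port, src_groups)

    def outbound(self, protocol, dst_addr, dst_port, src_port, dst_groups=frozenset()):
        return self._allowed("out", protocol, src_port, dst_addr, dst_port, dst_groups)


def demo():
    """Walk through the listed behaviours; returns each decision by name."""
    # SSH allowed only from 10.0.0.0/8; default outbound rule replaced by HTTPS-only egress.
    ssh = SecurityGroup("ssh-from-corp",
                        inbound=[Rule("tcp", 22, 22, cidr="10.0.0.0/8")],
                        outbound=[Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
    eni = NetworkInterface("10.0.1.25", [ssh])
    dflt = NetworkInterface("10.0.1.10", [default_security_group()])
    return {
        "ssh_from_corp": eni.inbound("tcp", "10.1.2.3", 50000, 22),          # allow rule matches
        "ssh_reply": eni.outbound("tcp", "10.1.2.3", 50000, 22),             # stateful, outbound rules ignored
        "ssh_from_internet": eni.inbound("tcp", "203.0.113.9", 50000, 22),   # no matching rule
        "http_in": eni.inbound("tcp", "10.1.2.3", 50001, 80),                # inbound is closed by default
        "https_out": eni.outbound("tcp", "203.0.113.80", 443, 40000),        # egress rule matches
        "https_reply": eni.inbound("tcp", "203.0.113.80", 443, 40000),       # stateful, vice versa
        "http_out": eni.outbound("tcp", "203.0.113.80", 80, 40001),          # only 443 allowed out
        # Sharing a group grants nothing by itself, but the default group's rule does.
        "peer_in_ssh_group": eni.inbound("tcp", "10.0.1.26", 5000, 8080, src_groups={"ssh-from-corp"}),
        "peer_in_default": dflt.inbound("tcp", "10.0.1.11", 5000, 8080, src_groups={"default"}),
        "stranger_to_default": dflt.inbound("tcp", "10.0.1.12", 5000, 8080),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DROP'}")
```

The connection tracking set is what makes the group stateful: the SSH reply leaves on port 22 to an ephemeral port that no outbound rule names, and the HTTPS reply arrives on an ephemeral port that no inbound rule names, yet both pass because the original flow was allowed.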
Default Security Group for Your VPC
The following table describes the default rules for a default security group.
You can change the rules for the default security group. You can't delete a default security group.
Very informative blog and useful article, thank you for sharing with us; keep posting.