AWS Security Group Management Considerations

Guidelines for managing AWS Security Groups from the CloudGuard portal.

  • Every instance launched in AWS is associated with at least one security group. If the Administrator does not assign a security group to a new instance, it is placed in the default security group for its VPC (or EC2-Classic network) and inherits that group's rules.

  • AWS instances belong to one of two supported platforms, each with its own type of security group: EC2-Classic or EC2-VPC. A security group cannot be used across platforms, and EC2-Classic security groups carry inbound rules only, whereas EC2-VPC security groups have both inbound and outbound rules. Depending on when the account was created, an AWS account can launch instances into both EC2-Classic and EC2-VPC, or only into EC2-VPC; the supported platform is reported per region.

  • Security Group rules let specific sources reach an AWS instance over a specific protocol. An inbound rule identifies a source (an IP address range or another security group), a protocol (TCP, UDP, ICMP, or all protocols) and, for TCP and UDP, a destination port or port range; for ICMP the rule carries a type and code instead of a port.

Example: A rule could allow a particular IP address (the source) to reach the group's instances on TCP port 22 (the protocol and destination port).

  • AWS Security Group rules are allow-only: a rule can permit traffic but never deny it, and traffic that matches no rule is dropped. When multiple Security Groups are applied to an instance, the rules of all of them are evaluated as one aggregated set, so attaching an additional group can only widen what is permitted, never narrow it. Security groups are also stateful: return traffic for an allowed flow is permitted regardless of the rules in the other direction.

  • With internal referencing, an Administrator specifies another Security Group (rather than an IP range) as the source in an inbound rule. Traffic is then allowed from any instance that is a member of the referenced group to the instances in the group that holds the rule; the match is made on the sending instance's private IP address and group membership, and the referenced group's own rules are not copied. This lets application tiers reach each other without hard-coding addresses.
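
The evaluation rules listed above (allow-only rules, aggregation across several groups, and internal referencing by source group), as an added Python example written for this page rather than code from CloudGuard or AWS. The groups, instances, addresses and group names are constructed sample data; the matching logic mirrors the semantics described above, not the AWS implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One inbound security group rule. AWS rules are allow-only.

    Exactly one of cidr / source_sg is set. protocol "-1" means all
    protocols and ports; from_port -1 means any port (or any ICMP type).
    """
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None
    source_sg: Optional[str] = None


# Constructed sample groups (assumed names, not from the page).
SECURITY_GROUPS = {
    "sg-web": [
        Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
        Rule("tcp", 22, 22, cidr="203.0.113.0/24"),     # admin range (TEST-NET-3)
    ],
    "sg-app": [
        # internal referencing: members of sg-web may reach port 8080
        Rule("tcp", 8080, 8080, source_sg="sg-web"),
    ],
    "sg-monitoring": [
        Rule("icmp", -1, -1, cidr="10.0.0.0/8"),         # any ICMP type from 10/8
    ],
}

# Constructed instances: group membership and private IP.
INSTANCES = {
    "i-web1": {"groups": ["sg-web"], "private_ip": "10.0.1.10"},
    "i-app1": {"groups": ["sg-app", "sg-monitoring"], "private_ip": "10.0.2.20"},
}


def effective_rules(instance_id):
    """Union of the rules of every group attached to the instance.
    Adding a group can only add permissions, never remove them."""
    rules = []
    for sg in INSTANCES[instance_id]["groups"]:
        rules.extend(SECURITY_GROUPS[sg])
    return rules


def _matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol != "-1":
        if rule.protocol != protocol:
            return False
        if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.cidr is not None:
        return ip_address(src_ip) in ip_network(rule.cidr)
    # Security-group reference: the sender must be a member of the
    # referenced group; the raw IP address alone does not satisfy it.
    return rule.source_sg in src_groups


def is_allowed(dst_instance, protocol, port, src_ip, src_instance=None):
    """True if any effective rule permits the flow. There are no deny
    rules, so the first matching allow wins and no match means dropped.
    src_instance (if any) supplies the sender's group membership."""
    src_groups = INSTANCES[src_instance]["groups"] if src_instance else []
    return any(_matches(r, protocol, port, src_ip, src_groups)
               for r in effective_rules(dst_instance))


if __name__ == "__main__":
    print("web 443 from internet:", is_allowed("i-web1", "tcp", 443, "198.51.100.7"))
    print("web 22 from internet: ", is_allowed("i-web1", "tcp", 22, "198.51.100.7"))
    print("app 8080 from sg-web: ", is_allowed("i-app1", "tcp", 8080, "10.0.1.10", "i-web1"))
    print("app 8080 same IP, no membership:", is_allowed("i-app1", "tcp", 8080, "10.0.1.10"))
```

The last two calls make the point about internal referencing: the same source address is accepted only when the sender is known to be a member of the referenced group, which is why an instance moved out of sg-web loses access to the app tier without any rule being edited.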

Amazon VPCs and CloudGuard Service Functionality

A VPC is a virtual private cloud within Amazon Web Services: a logically isolated section of the AWS network that closely resembles a traditional network you would operate in your own data center, running on scalable AWS infrastructure. Resources in VPC subnets are protected by multiple layers: security groups, which act as stateful firewalls at the instance (network interface) level, and network access control lists, which are stateless filters applied at the subnet level.

VPC benefits include the ability to assign persistent private IP addresses, and multiple IP addresses, to an instance. This lets an Administrator stop and start instances repeatedly without their addresses changing. Network interfaces are defined independently of instances and attached to specific instances.

A further VPC feature is the ability to change an instance's Security Group membership on the fly: an instance can be moved to a different Security Group while it is running, and the new rules take effect immediately. Instances can also run on single-tenant (dedicated) hardware.

For more information, see the Amazon Virtual Private Cloud User Guide.

AWS Security Group Management Modes: Full Protection or Read-Only

In CloudGuard, Amazon AWS Security Groups can be managed in one of two modes: Full Protection or Read-Only. Full Protection provides the CloudGuard administrator with full control of AWS security policy definition, access leases, and the ability to interact with dynamic policy objects.

In Full Protection mode, an AWS Security Group can only be managed from CloudGuard. Any change made to the group outside CloudGuard (for example, from the AWS console, CLI, or API) is detected by CloudGuard, which raises a Tamper Protection alert, overrides the change, and reverts the group to the definition held in CloudGuard.

In Read-Only mode, Security Groups are defined and modified in the AWS environment; CloudGuard only monitors them, raising alerts on changes and keeping a full audit trail. Use this mode initially while you plan the transition from managing your cloud environment in AWS to managing it in CloudGuard. It is also the recommended mode for Security Groups that are automated or managed by other tools (such as AWS OpsWorks), since Full Protection would otherwise revert every change such a tool makes.
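
The detect-and-revert behaviour described for the two modes, as an added Python example written for this page; it is not CloudGuard's implementation. The desired and actual rule sets, the group ids (sg-0123456789abcdef0 and sg-0fedcba9876543210 are placeholders), and the "someone widened SSH in the console" scenario are all constructed. Nothing is executed against AWS; the aws ec2 command lines are only rendered as the audit record of what a revert would run.

```python
from ipaddress import ip_network

GROUP_ID = "sg-0123456789abcdef0"   # placeholder id (assumption)

# Definition held by the management tool (constructed sample data).
# Rules are (protocol, from_port, to_port, source); source is a CIDR or
# a security-group reference.
DESIRED = {
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "203.0.113.0/24"),
    ("tcp", 8080, 8080, "sg-0fedcba9876543210"),   # placeholder group ref
}

# What the cloud API currently reports (constructed): SSH was opened to
# the world from the console and the admin range was deleted.
ACTUAL = {
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "0.0.0.0/0"),
    ("tcp", 8080, 8080, "sg-0fedcba9876543210"),
}


def canonical(rule):
    """Canonicalize the CIDR text so equivalent spellings compare equal;
    security-group references are kept verbatim."""
    proto, lo, hi, src = rule
    if src.startswith("sg-"):
        return (proto, lo, hi, src)
    return (proto, lo, hi, str(ip_network(src, strict=False)))


def detect_drift(desired, actual):
    """Return (to_revoke, to_authorize): rules present in AWS that are not
    in the definition, and rules in the definition that AWS no longer has."""
    d = {canonical(r) for r in desired}
    a = {canonical(r) for r in actual}
    return sorted(a - d), sorted(d - a)


def _cli(verb, rule):
    """Render the equivalent aws ec2 command line for the audit trail."""
    proto, lo, hi, src = rule
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    target = f"--source-group {src}" if src.startswith("sg-") else f"--cidr {src}"
    return (f"aws ec2 {verb}-security-group-ingress --group-id {GROUP_ID} "
            f"--protocol {proto} --port {port} {target}")


def reconcile(desired, actual, mode):
    """mode is 'read-only' or 'full-protection'.

    Returns (resulting_rules, alerts, planned_commands). Both modes raise
    an alert per drifted rule; only Full Protection plans the revert and
    returns the state the group would have after it."""
    to_revoke, to_authorize = detect_drift(desired, actual)
    alerts = ([f"TAMPER {GROUP_ID}: unexpected rule {r}" for r in to_revoke]
              + [f"TAMPER {GROUP_ID}: missing rule {r}" for r in to_authorize])
    current = {canonical(r) for r in actual}
    if mode == "read-only" or not alerts:
        return current, alerts, []
    commands = ([_cli("revoke", r) for r in to_revoke]
                + [_cli("authorize", r) for r in to_authorize])
    resulting = (current - set(to_revoke)) | set(to_authorize)
    return resulting, alerts, commands


if __name__ == "__main__":
    for mode in ("read-only", "full-protection"):
        state, alerts, cmds = reconcile(DESIRED, ACTUAL, mode)
        print(mode, "->", len(alerts), "alert(s),", len(cmds), "revert command(s)")
        for c in cmds:
            print("  ", c)
```

Revoking first and authorizing second matters: the widened 0.0.0.0/0 rule is closed before the narrower admin range is restored, so at no point does the group hold both. A tool such as OpsWorks that legitimately rewrites rules would show up here as continuous drift, which is why the page recommends Read-Only for groups owned by other automation.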

The following table summarizes the differences between Read-Only and Full Protection modes:

Capability             Read-Only   Full Protection
Policy visualization   Yes         Yes
Alerts & Audits        Yes         Yes
Tamper Protection      No          Yes
Policy Editing         No          Yes
Access Leases          No          Yes

Full Protection

When a Security Group is switched to Full Protection mode, CloudGuard normalizes its rules: a rule whose source IP address range is fully contained in the range of another rule with the same protocol and identical ports is redundant, and is removed.

For example, a rule that allows inbound traffic on port 22 from a single address is fully included in a rule that allows inbound traffic on port 22 from an address range containing that address, and would be removed.
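
The normalization described above, as an added Python example written for this page (not CloudGuard's code). The rule set is constructed sample data and the group id sg-0fedcba9876543210 is a placeholder. The example follows the page's criterion exactly: a rule is removed only when another rule has the same protocol and identical ports and a strictly wider CIDR of the same address family; exact duplicates collapse to one, and rules whose source is a security-group reference are left untouched because they are not address ranges.

```python
from ipaddress import ip_network

# Constructed inbound rule set: (protocol, from_port, to_port, source).
RAW_RULES = [
    ("tcp", 22, 22, "203.0.113.5/32"),       # single host, covered by the /24 below
    ("tcp", 22, 22, "203.0.113.0/24"),
    ("tcp", 22, 22, "203.0.113.0/24"),       # exact duplicate
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 443, 443, "198.51.100.0/24"),    # covered by 0.0.0.0/0 on the same port
    ("tcp", 80, 80, "203.0.113.5/32"),       # different port: kept
    ("udp", 53, 53, "203.0.113.0/24"),       # different protocol: kept
    ("tcp", 22, 22, "2001:db8::/32"),        # IPv6: different address family, kept
    ("tcp", 8080, 8080, "sg-0fedcba9876543210"),  # group reference (placeholder id): kept
]


def _is_sg_ref(src):
    return src.startswith("sg-")


def normalize(rules):
    """Return (kept, removed). removed holds (rule, covering_rule) pairs so
    the change can be logged; kept preserves the original order."""
    # 1. collapse exact duplicates, comparing canonical CIDR text
    seen, unique = set(), []
    for proto, lo, hi, src in rules:
        key = (proto, lo, hi, src if _is_sg_ref(src) else str(ip_network(src)))
        if key not in seen:
            seen.add(key)
            unique.append((proto, lo, hi, src))

    # 2. drop any CIDR rule shadowed by a wider CIDR rule with the same
    #    protocol and identical port range
    kept, removed = [], []
    for i, rule in enumerate(unique):
        if _is_sg_ref(rule[3]):
            kept.append(rule)          # not an address range: never collapsed
            continue
        net = ip_network(rule[3])
        shadow = None
        for j, other in enumerate(unique):
            if j == i or other[:3] != rule[:3] or _is_sg_ref(other[3]):
                continue               # ports or protocol differ: no decision
            onet = ip_network(other[3])
            if onet.version == net.version and net != onet and net.subnet_of(onet):
                shadow = other
                break
        if shadow is None:
            kept.append(rule)
        else:
            removed.append((rule, shadow))
    return kept, removed


if __name__ == "__main__":
    kept, removed = normalize(RAW_RULES)
    for rule, by in removed:
        print("removed", rule, "covered by", by)
    print(len(kept), "rules kept")
```

Note what the criterion does not do: a rule on port range 20-25 does not absorb a port 22 rule with the same CIDR, because the ports are not identical, so the rule set is smaller but the permitted traffic is unchanged. Run the removed list through your change log before applying it; a single-host rule that disappears is usually a sign that a wider rule was added later than intended.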
