AWS Security Group Management Considerations
Guidelines for managing AWS Security Groups from the CloudGuard portal:
- When a server instance is launched in AWS, a security group association is assumed. If the Administrator does not assign a security group to a new instance, it is placed in the default security group and uses that group's rules.
- AWS instances belong to one of two supported security group types: EC2-Classic or EC2-VPC. Depending on the region, an AWS account can launch instances into both EC2-Classic and EC2-VPC, or only into EC2-VPC.
- A Security Group is a set of access control rules that acts as a virtual firewall for your instances, controlling incoming and outgoing traffic. Rule definitions let specific sources reach an AWS instance using a specific protocol. Inbound rules identify the sources that can reach an instance with a given protocol (TCP, UDP, or ICMP) and destination port. Example: a rule could allow IP address 203.0.113.1 (the source) to reach the instances on TCP port 22 (the protocol and destination port).
- AWS Security Group rules are permissive in nature: a rule can only allow traffic, never deny it, and traffic that matches no allow rule is dropped. When multiple Security Groups are applied to an instance, the rules from each Security Group are effectively aggregated (the union of all their rules) to create a larger set of rules.
- In the case of internal referencing, an Administrator specifies another Security Group, rather than an IP range, as the source in an inbound rule. Traffic is then allowed from any instance that is a member of the referenced group, so additional instances can be given access by adding them to that group without changing the rule.
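The two points above (rules from several groups are aggregated, and a rule may reference another group as its source) can be checked with a small policy evaluator. This is an added example, not CloudGuard or AWS code; the group IDs, instance IDs and addresses are constructed sample data, and the evaluator models an internal reference as "any instance that is currently a member of the referenced group".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound security group rule. AWS rules are allow-only; there is no deny."""
    proto: str       # "tcp", "udp" or "icmp"
    from_port: int   # first port of the permitted range
    to_port: int     # last port of the permitted range
    source: str      # CIDR (a bare IP means /32), or a group ID for internal referencing


# Constructed sample data; the IDs are hypothetical, not from any real account.
SECURITY_GROUPS = {
    "sg-web":   [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-admin": [Rule("tcp", 22, 22, "203.0.113.1/32")],
    "sg-app":   [Rule("tcp", 8080, 8080, "sg-web")],   # internal reference: members of sg-web
}
INSTANCE_GROUPS = {
    "i-web1": ["sg-web", "sg-admin"],   # two groups attached: their rules are aggregated
    "i-web2": ["sg-web"],
    "i-app1": ["sg-app"],
}
INSTANCE_PRIVATE_IP = {"i-web1": "10.0.1.10", "i-web2": "10.0.1.11", "i-app1": "10.0.2.10"}


def effective_rules(instance_id):
    """Union of the rules of every group attached to the instance."""
    rules = set()
    for sg in INSTANCE_GROUPS.get(instance_id, []):
        rules.update(SECURITY_GROUPS[sg])
    return rules


def source_matches(rule, src_ip):
    """CIDR sources match by address; a group source matches any instance in that group."""
    if rule.source.startswith("sg-"):
        members = [i for i, groups in INSTANCE_GROUPS.items() if rule.source in groups]
        return any(INSTANCE_PRIVATE_IP[i] == src_ip for i in members)
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def is_allowed(dst_instance, proto, port, src_ip):
    """True if any aggregated rule permits proto/port from src_ip; otherwise the traffic is dropped."""
    return any(
        r.proto == proto and r.from_port <= port <= r.to_port and source_matches(r, src_ip)
        for r in effective_rules(dst_instance)
    )


if __name__ == "__main__":
    print(is_allowed("i-web1", "tcp", 22, "203.0.113.1"))   # True: sg-admin rule, aggregated with sg-web
    print(is_allowed("i-web2", "tcp", 22, "203.0.113.1"))   # False: sg-admin is not attached to i-web2
    print(is_allowed("i-app1", "tcp", 8080, "10.0.1.10"))   # True: i-web1 is a member of sg-web
```

Because only allow rules exist, an attached group can never make an instance less reachable than another attached group already makes it; this is why the evaluator simply takes the union before matching.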
Amazon VPCs and CloudGuard Service Functionality
A VPC is a virtual private cloud in Amazon Web Services: a logically isolated virtual network that closely resembles a traditional network in your own data center. A VPC benefits from AWS's scalable infrastructure. Resources in VPC subnets are protected by multiple security layers: security groups, which apply at the instance (network interface) level, and network access control lists, which apply at the subnet level.
A VPC can assign persistent private IP addresses, and multiple IP addresses, to instances. This lets an Administrator stop and start instances repeatedly without their IP addresses being reassigned. Network interfaces are defined independently and attached to specific instances.
An additional VPC feature is the ability to change an instance's Security Group membership on the fly: an instance can be switched to a different Security Group while it is running. Instances can also run on single-tenant (dedicated) hardware.
For more information, see the Amazon Virtual Private Cloud User Guide.
AWS Security Group Management Modes: Full Protection or Read-Only
In CloudGuard, AWS Security Groups can be managed in one of two modes: Full Protection or Read-Only. Full Protection gives the CloudGuard administrator full control of AWS security policy definition, access leases, and the ability to use dynamic policy objects.
In Full Protection mode, an AWS Security Group can only be managed from CloudGuard. Attempts to change a security group from the AWS environment (such as the AWS console or API) are detected by CloudGuard and trigger a CloudGuard Tamper Protection message. CloudGuard overrides the change that was made and reverts the Security Group to the definition held in CloudGuard.
In Read-Only mode, Security Groups are defined and modified in the AWS environment, and CloudGuard monitors those changes with alerts and a full audit trail. Use this mode initially while you plan a transition from managing your cloud environment in AWS to managing it in CloudGuard. It is also the recommended mode for Security Groups that are automated or managed by other tools (such as AWS OpsWorks), since in Full Protection mode every change those tools make would be reverted.
The following table summarizes the differences between Read-Only and Full Protection modes:

| Mode | Policy Visualization | Alerts & Audits | Tamper Protection | Policy Editing | Access Leases |
|---|---|---|---|---|---|
| Read-Only | Yes | Yes | No | No | No |
| Full Protection | Yes | Yes | Yes | Yes | Yes |
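The core of Tamper Protection is a comparison between the rule set held in CloudGuard and the rule set currently live in AWS, followed by the revoke/authorize actions that restore the former. The reconciler below is an added example, not CloudGuard's implementation; the rules are constructed, and it assumes rules are represented as (protocol, from_port, to_port, CIDR) tuples. The one non-obvious step is canonicalization: the same rule can be read back from AWS as `203.0.113.1` or `203.0.113.1/32`, or with a host bit set in the CIDR, and a naive comparison would report tampering where none occurred.

```python
import ipaddress

# Constructed sample: the definition held in CloudGuard (desired) and what a
# later read of the group from AWS returned (actual). Hypothetical addresses.
DESIRED = [
    ("tcp", 22, 22, "203.0.113.1/32"),
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 8080, 8080, "10.0.0.0/24"),
]
ACTUAL = [
    ("TCP", 22, 22, "203.0.113.1"),      # same rule, written differently: no drift
    ("tcp", 22, 22, "0.0.0.0/0"),        # added from the console: must be revoked
    ("tcp", 8080, 8080, "10.0.0.7/24"),  # same network with a host bit set: no drift
    # the 443 rule was deleted from the console: must be re-authorized
]


def canonical(rule):
    """Canonical form so equivalent rules compare equal: lower-case protocol,
    integer ports, bare IPs as /32 (or /128), host bits in the CIDR cleared."""
    proto, from_port, to_port, cidr = rule
    net = ipaddress.ip_network(cidr, strict=False)
    return (proto.lower(), int(from_port), int(to_port), net.with_prefixlen)


def reconcile(desired, actual):
    """Actions that bring the live group back to `desired`:
    revoke rules AWS has that CloudGuard does not, authorize rules that are missing."""
    want = {canonical(r) for r in desired}
    have = {canonical(r) for r in actual}
    revoke = [("revoke", r) for r in sorted(have - want)]
    authorize = [("authorize", r) for r in sorted(want - have)]
    return revoke + authorize


def tampered(desired, actual):
    """True when the live rules differ from the definition after canonicalization."""
    return bool(reconcile(desired, actual))


if __name__ == "__main__":
    for action, rule in reconcile(DESIRED, ACTUAL):
        print(action, rule)
```

Applying the actions in that order (revoke before authorize) means the window in which the group is more permissive than intended is closed first.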
When a Security Group is switched to Full Protection mode, CloudGuard normalizes the rules in the group: a rule whose IP address range is fully included in the range of another rule with the same protocol and ports is removed as redundant.
For example, a rule allowing inbound traffic on TCP port 22 from address 192.168.10.10 (that is, 192.168.10.10/32) is fully included in a rule allowing inbound traffic on TCP port 22 from the address range 192.168.0.0/16, and would be removed.
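The normalization above, as an added example that is not CloudGuard's own code, worked through in Python on the page's 192.168.10.10 / 192.168.0.0/16 case. It goes slightly beyond the text: besides identical ports, a rule is also treated as covered when its port range sits inside the port range of a broader rule, which follows from the same containment logic. Rules are assumed to be (protocol, from_port, to_port, CIDR) tuples, and the sample rule sets are constructed.

```python
import ipaddress


def _net(cidr):
    # A bare address such as "192.168.10.10" becomes the single-host network /32.
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if `outer` already permits everything `inner` permits: same protocol,
    outer's port range contains inner's, and inner's CIDR is a subnet of outer's."""
    proto_o, from_o, to_o, cidr_o = outer
    proto_i, from_i, to_i, cidr_i = inner
    if proto_o != proto_i:
        return False
    if not (from_o <= from_i and to_i <= to_o):
        return False
    net_o, net_i = _net(cidr_o), _net(cidr_i)
    return net_o.version == net_i.version and net_i.subnet_of(net_o)


def normalize(rules):
    """Drop every rule that is fully covered by another rule in the set.
    Broader rules (shorter prefix, wider port range) are examined first, so a
    covered rule is always compared against a survivor that covers it, and
    exact duplicates collapse to one copy."""
    ordered = sorted(rules, key=lambda r: (_net(r[3]).prefixlen, -(r[2] - r[1])))
    kept = []
    for rule in ordered:
        if not any(covers(k, rule) for k in kept):
            kept.append(rule)
    return kept


# Constructed sample: the page's example plus an unrelated rule that must survive.
SAMPLE_RULES = [
    ("tcp", 22, 22, "192.168.10.10"),     # covered by the /16 rule below
    ("tcp", 22, 22, "192.168.0.0/16"),
    ("tcp", 443, 443, "192.168.10.10"),   # different port: kept
]

if __name__ == "__main__":
    for rule in normalize(SAMPLE_RULES):
        print(rule)
```

Normalization never changes what the group permits; removing a covered rule is purely a simplification, which is why it is safe to do automatically at the moment the group enters Full Protection.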