AWS Security Group Management Considerations

Guidelines for managing AWS Security Groups from the CloudGuard portal:

Example: A rule could allow IP address 203.0.113.1 (the source) to reach the instances on TCP port 22 (the protocol and destination port).

  • AWS Security Group rules are permissive in nature. When multiple Security Groups are applied to an instance, the rules from each Security Group are effectively aggregated to create a larger set of rules.

  • In the case of internal referencing, an Administrator defines the Security Group as a source security group in the inbound security group rules. This enables additional instances to send traffic to instances in the source group.

Amazon VPCs and CloudGuard Service Functionality

A VPC is a virtual private cloud in Amazon Web Services, a private network that closely resembles classic virtual private networks (VPN). A VPC benefits from a scalable infrastructure. Protection of VPC subnet resources is achieved through the application of multiple security layers that contain security groups and network access control lists.

A VPC can assign persistent private IP addresses, and multiple IP addresses, to instances. This lets an Administrator stop and start instances repeatedly without reassigning IP addresses. Network interfaces are defined independently and attached to specific instances.

An additional VPC feature is the power to change an instance’s Security Group membership on the fly. An instance can be switched to a different Security Group while it is running. Instances can also run on single-tenant hardware.

For more information, see the Amazon Virtual Private Cloud User Guide.

AWS Security Group Management Modes: Full Protection or Read-Only

In CloudGuard, Amazon AWS Security Groups can be managed in one of two modes: Full Protection or Read-Only. Full Protection provides the CloudGuard administrator with full control of AWS security policy definition, access leases, and the ability to interact with dynamic policy objects.

In Full Protection mode, an AWS Security Group can only be managed from CloudGuard. Attempts to change a security group from the AWS environment (such as the AWS console) are detected by CloudGuard and trigger a CloudGuard Tamper Protection message. CloudGuard overrides the change that is made and reverts to the definition of the Security Group defined in CloudGuard.

In Read-Only mode, Security Groups are defined and modified in the AWS environment, but you can monitor changes in CloudGuard with alerts and a full audit trail. Use this mode initially as you plan a transition from managing your cloud environment in AWS to managing it in CloudGuard. In addition, it is the recommended mode of operation for Security Groups that are automated or managed by other tools (such as AWS OpsWorks).

The following table summarizes the differences between Read-Only (Monitor) and Full Protection modes. Its rows are the two modes, Monitor and Full Protection, and its columns are the capabilities compared:

  • Policy Visualization

  • Alerts & Audits

  • Tamper Protection

  • Policy Editing

  • Access Leases

When a Security Group is switched to Full Protection mode, CloudGuard normalizes the rules in the group. A rule whose IP address range is fully included in the range of a different rule with the same ports is removed.

For example, the rule to allow inbound traffic on port 22 to address 192.168.10.10 is fully included in the rule to allow inbound traffic on port 22 to the address range 192.168.0.0/16 and would be removed.
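As an added illustration (not CloudGuard's own code) of the rule aggregation across multiple Security Groups described above and of this normalization step, the following Python models a rule as a (protocol, from_port, to_port, cidr) tuple and assumes that "the same ports" means an identical protocol and port range; a rule covering only a sub-range of ports is left in place.

```python
from ipaddress import ip_network

# Constructed sample: two Security Groups attached to the same instance.
# The /32 host rule on port 22 is fully contained in the /16 rule on port 22
# (the page's example) and is therefore redundant after normalization.
SAMPLE_GROUPS = [
    [("tcp", 22, 22, "192.168.10.10/32"), ("tcp", 22, 22, "192.168.0.0/16")],
    [("tcp", 443, 443, "203.0.113.1/32"), ("tcp", 22, 22, "192.168.0.0/16")],
]


def aggregate_rules(security_groups):
    """Effective rule set of an instance: the union of the rules of every attached
    group (Security Group rules are permissive, so they only ever add access)."""
    effective = []
    for group in security_groups:
        for rule in group:
            if rule not in effective:
                effective.append(rule)
    return effective


def normalize_rules(rules):
    """Drop each rule whose CIDR is fully included in another rule's CIDR that has the
    same protocol and the same port range. Exact duplicates keep their first occurrence."""
    kept = []
    for i, rule in enumerate(rules):
        proto, from_port, to_port, cidr = rule
        net = ip_network(cidr, strict=False)
        redundant = False
        for j, other in enumerate(rules):
            if i == j:
                continue
            oproto, ofrom, oto, ocidr = other
            if (oproto, ofrom, oto) != (proto, from_port, to_port):
                continue  # different protocol or port range: not comparable
            onet = ip_network(ocidr, strict=False)
            if onet.version != net.version:
                continue  # IPv4 and IPv6 ranges never contain each other
            if net == onet:
                redundant = j < i  # duplicate: only the earlier copy survives
            elif net.subnet_of(onet):
                redundant = True  # strictly contained in a wider rule
            if redundant:
                break
        if not redundant:
            kept.append(rule)
    return kept


if __name__ == "__main__":
    for r in normalize_rules(aggregate_rules(SAMPLE_GROUPS)):
        print(r)
```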
