AWS Security Groups


This section describes how to create and change AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Security Groups in the CloudGuard console. The account for which the Security Groups are created must be in Full Protection mode (this allows Security Groups to be managed by CloudGuard as an alternative to the AWS console).

You can create a new AWS Security GroupClosed A set of access control rules that acts as a virtual firewall for your virtual machine instances to control incoming and outgoing traffic. for a VPC (your account must be Full-Protection to do this).

  1. In the CloudGuard portal, navigate to Network Security > Policy > Security Groups.

  2. In the filter field, select AWS accounts.

  3. To add an account to a Security Group, click the icon opposite the account.

  4. Enter a name and description for the new security group and click Add.

  5. Add Inbound and Outbound Services to the group.

    1. Select the details for the Service.

    2. In addition, set the Port Behavior as Open or Limited. For Limited behavior, add the source IP addresses to be accepted as individual IP addresses, IP Lists, or a different AWS Security Group.

    3. Click Create Service.

  6. Add tags to the service, which allows it to be searched. Enter a Key (name) and a Value for the tag, then click Create.

You can change details for Security Groups (the Security Group must be in Full Protection mode to allow this).

  1. Click the link for the AWS Security Group you want to change.

  2. Click to add a new service (inbound or outbound), Edit to change details for a service in the Security Group, or Delete to delete it.

  3. You can change the name and description of the service. You can add sources to the services.

You can clone an existing Security Group to make a copy of it. The copy has the same configurations (services, and more). You can select to apply the new Security Group to the same VPC, or a different one.

  1. Click the link for the AWS Security Group to clone, and then click Clone.

  2. Enter a name and description for the new Security Group. If it necessary to associate it with different VPCs, select Other VPCs.

  3. Select the Account, Region, and VPC from the lists, and then click Add to associate the Security Group with a VPC. You can associate it with more than one VPC.

You can change the protection mode for each AWS Security Group (independently) to Full Protection (or change it to Read-Only). In this mode, you can make changes to the Security Group only in the CloudGuard Console, and not on in the AWS console. Any changes made in the AWS console, or elsewhere, are found by CloudGuard and reverted to the definition in CloudGuard

You can set a Security Group to Full Protection mode only if the AWS account is managed by CloudGuard in Full Protection mode. If the account is managed as Read-Only, you can update it to Full Protection.

  1. Navigate to the Security Groups page. This shows a list of the Security Groups in your AWS environments.

  2. Click on the Security Group to which to apply Full Protection.

  3. Move the toggle in the top right to enable Full Protection.

  4. Click Switch to confirm.

In addition, you can do it on the Environments page, see below for more details.

You can select the Protection Mode that CloudGuard applies to new security groups detected in accounts. CloudGuard defines and applies Security Groups in AWS for each region separately.

You can select from these options:

  • Read-Only - CloudGuard includes new Security Groups in Read-Only mode, without changes to the rules

  • Full Protection - CloudGuard includes new Security Groups in Full Protection mode, without changes to the rules

  • Region Lock - CloudGuard includes new Security Groups in Full Protection mode and clears all inbound and outbound rules

You can set or change the Protection Mode for existing Security Groups, in all regions, for all of your AWS accounts.

To set or change the Protection mode:

  1. Navigate to Assets > Environments and select an environment from the list. The Network tab shows the regions for the environment and the number of Security Groups defined for each region.

  2. Click one of the regions. This shows a list of the Security Groups defined for the region.

  3. Select the Protection mode to apply by default to new Security Groups in the region.

  4. Select the Protection mode for each of the existing Security Groups in the region. Click select entire region to apply the mode to all Security Groups in the region.

    Note - The account must have a CloudGuard-write-policy to apply Full Protection to a Security Group (see Setting an AWS Security Group to Full Protection).

  5. Click Save.