AWS Security Groups
This section describes how to create and modify AWS Security Groups in the CloudGuard console. The account for which the Security Groups are created must be in Full Protection mode (this allows Security Groups to be managed by CloudGuard instead of in the AWS console).
You can create a new AWS Security Group for a VPC (your account must be in Full Protection mode in order to do this).
Navigate to Network Security in the CloudGuard console, and select Security Groups.
In the filter pane on the left, select AWS accounts.
Press the icon opposite the account for which you wish to add a Security Group.
Enter the name of the new Security Group and a description, and then press ADD.
Add Inbound and Outbound Services to the group.
Add tags to the service (this allows it to be searched).
You can modify details for Security Groups (the Security Group must be in Full Protection mode to do this).
You can clone an existing Security Group to make a copy of it. The copy will have the same definitions (services, etc). You can choose to apply the new Security Group to the same VPC, or to another.
Click on the link for the AWS Security Group you wish to clone, and then click the clone icon.
Enter a name and description for the new Security Group. If it will be assigned to different VPCs, select Other VPCs.
Select the Account, Region, and VPC from the lists, and then press ADD to assign the Security Group to a VPC. You can assign it to more than one VPC.
You can change the protection mode for each AWS Security Group (independently) to Full Protection (you can also switch it to Read-Only). In this mode, you will be able to make changes to the Security Group only in the CloudGuard console, and not in the AWS console. Any changes made in the AWS console, or elsewhere, will be detected by CloudGuard and reverted to the definition in CloudGuard.
You can set a Security Group to Full Protection mode only if the AWS account is managed by CloudGuard in Full Protection mode. If the account is managed as Read-Only, you can update it to Full Protection.
Navigate to the Security Groups page. This shows a list of the Security Groups in your AWS accounts.
Click on the Security Group to which you wish to apply Full Protection.
Move the switch in the upper right to enable Full Protection.
Click ENABLE to confirm.
You can do this also in the Cloud Accounts page.
Navigate to the Cloud Accounts page. This shows a list of your cloud accounts on all cloud providers and, for each, a summary of the assets, including Security Groups.
Click on the account containing the Security Group that you wish to change to Full Protection. This will show a list of the cloud assets for the selected account, organized by region.
Note: the account must be in Full Protection mode in order to change one of its Security Groups to Full Protection.
Click the icon for the region containing the Security Group. This shows a summary of the VPCs and Security Groups in the region, organized by VPC. The upper part shows the operation mode CloudGuard will apply to new Security Groups that are detected. You can select one of the following options:
New Security Groups will be included in CloudGuard in Read-Only mode, without changes to any of the rules.
New Security Groups will be included in CloudGuard in Full Protection mode, without changes to any of the rules.
New Security Groups will be included in CloudGuard in Full Protection mode, and all inbound and outbound rules will be cleared.
Below this the Security Groups for the VPCs in the region are listed and, for each, the operation mode.
Click Full Protection (CloudGuard managed) for the Security Groups you wish to change to Full Protection, or Read-Only (Monitor mode) for those you wish to change to Read-Only, and then click SAVE.
As part of the process of switching the Security Group to Full Protection mode, CloudGuard will normalize the rules in the group. Rules for IP address ranges that are fully included in the range of another rule, for the same port, will be removed.
For example, the rule to allow inbound traffic on port 22 to address 192.168.10.10 is fully included in the rule to allow inbound traffic on port 22 to the address range 192.168.0.0/16, and would be removed.
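The following Python function is an added illustration of the normalization rule described above, not CloudGuard's own code: it drops any rule whose CIDR is fully contained in another rule's CIDR for the same protocol and port range. The rule tuple layout and the sample rules are constructed for the example, and matching the port range exactly (rather than by containment) is an assumption taken from the wording "for the same port".

```python
from ipaddress import ip_network
from typing import List, Tuple

# A rule is (protocol, from_port, to_port, cidr); this tuple layout is an
# assumption made for the example, not CloudGuard's data model.
Rule = Tuple[str, int, int, str]

# Constructed sample rules. The first is the page's example: SSH from a single
# host that is already covered by the /16 rule on the same port.
SAMPLE_RULES: List[Rule] = [
    ("tcp", 22, 22, "192.168.10.10/32"),
    ("tcp", 22, 22, "192.168.0.0/16"),
    ("tcp", 443, 443, "192.168.10.10/32"),  # different port: stays
    ("tcp", 22, 22, "10.0.0.0/8"),          # disjoint range: stays
]


def covers(outer: Rule, inner: Rule) -> bool:
    """True if `inner` is fully included in `outer`: same protocol, same port
    range, same IP version, and inner's network lies inside outer's network."""
    proto_o, lo_o, hi_o, cidr_o = outer
    proto_i, lo_i, hi_i, cidr_i = inner
    if (proto_o, lo_o, hi_o) != (proto_i, lo_i, hi_i):
        return False
    net_o = ip_network(cidr_o, strict=False)
    net_i = ip_network(cidr_i, strict=False)
    if net_o.version != net_i.version:  # subnet_of() rejects mixed v4/v6
        return False
    return net_i.subnet_of(net_o)


def normalize(rules: List[Rule]) -> List[Rule]:
    """Drop every rule that another rule in the list fully covers.
    Exact duplicates cover each other in both directions; keep the first copy."""
    kept: List[Rule] = []
    for i, rule in enumerate(rules):
        redundant = any(
            j != i and covers(other, rule)
            and (not covers(rule, other) or j < i)
            for j, other in enumerate(rules)
        )
        if not redundant:
            kept.append(rule)
    return kept


if __name__ == "__main__":
    for rule in normalize(SAMPLE_RULES):
        print(rule)
```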
Note: click select entire region for one of the operation modes to select this for all Security Groups in the region.
You can also change the protection mode of Security Groups using the CloudGuard API (v2). For details, see Dome9 API.