This article, Amazon EC2 Security Groups Exam Tips, covers core security elements for protecting your EC2 infrastructure in the AWS cloud. A security group protects your resources in the AWS cloud by acting as a virtual firewall. When you launch instances, you can associate one or more security groups with each instance and add rules that explicitly allow traffic to and from the instance. Each security group can be associated with multiple instances. Security Groups and Network Access Control Lists enable you to protect your AWS environment and are a key topic to study for the AWS Certified Solutions Architect Exam.

Rules can be modified to meet changes in your requirements, and new rules are automatically applied to all instances associated with the security group. When determining whether traffic is allowed to or from a particular instance, all security groups associated with that instance are evaluated.

Key Exam Tips

  • All outbound traffic is allowed by default
  • All inbound traffic is denied by default
  • Rules configured on a security group are applied immediately.
  • You can only create rules that allow traffic on specific ports and protocols, for both inbound and outbound traffic. You cannot create an explicit deny rule.
  • Security Groups are STATEFUL: if you enable an inbound rule for a particular protocol or port, the response is allowed out on that same port/protocol, so you do not need a separate outbound rule to respond to inbound traffic. Note, however, that if an instance (host A) initiates traffic to another host (host B) using a protocol other than TCP, UDP or ICMP, the instance's firewall only tracks the IP address and protocol number in order to allow response traffic back from host B. If host B then initiates traffic to host A in a separate request within 600 seconds of the original request/response, the instance accepts it regardless of inbound security group rules, because it is treated as response traffic. This may be a security concern, and you can control it by modifying your security group's outbound rules to permit only specific types of outbound traffic. Network ACLs for your subnet can also be configured; these are stateless, meaning they do not automatically allow response traffic. In summary:
    • Security Groups are Stateful
    • Network Access Control Lists are Stateless
  • If there is more than one rule for a specific port, the most permissive rule is applied


Connection Tracking

Security groups track information about traffic to and from the instance. Rules are applied based on the connection state of the traffic to determine whether it is allowed or denied. This is what makes security groups stateful: responses to inbound traffic are allowed to flow out of the instance regardless of outbound security group rules. Additional key points to note:

  • Not all traffic is tracked. If a security group permits TCP or UDP flows for all traffic (0.0.0.0/0) and there is a corresponding rule in the other direction, that flow is not tracked.
  • An existing flow of traffic that is tracked may not be interrupted when you change the security group rule that allows it; the flow is interrupted only once it has been stopped for a few minutes (or up to 5 days for an established TCP connection). An untracked flow, by contrast, is immediately interrupted if the rule that enables it is removed or modified. For UDP, interrupting a flow may also require terminating action on the remote side. Here again, you can choose to use Network ACLs for your subnet instead; these are STATELESS and do not automatically allow response traffic.
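The evaluation rules above (allow-only rules, union of all attached groups so the most permissive rule wins, default deny inbound, and stateful connection tracking that lets a tracked flow outlive the rule that created it) can be modelled in a few lines. The following is an added example for this article, not code from AWS; the groups, addresses and ports are constructed, and the model deliberately omits the untracked-flow exception for all-traffic rules.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol, port, peer_ip):
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)

class InstanceFirewall:
    def __init__(self, *groups):
        # Union of every attached group's allow rules: most permissive wins, nothing can deny
        self.rules = {r for g in groups for r in g}
        self.tracked = set()  # connection table: (protocol, local_port, peer_ip, peer_port)

    def check(self, direction, protocol, local_port, peer_ip, peer_port):
        flow = (protocol, local_port, peer_ip, peer_port)
        if flow in self.tracked:      # stateful: traffic on a tracked flow passes in
            return True               # either direction regardless of the rules
        rule_port = local_port if direction == "inbound" else peer_port
        if any(r.direction == direction and r.matches(protocol, rule_port, peer_ip)
               for r in self.rules):
            self.tracked.add(flow)
            return True
        return False                  # no rule matched: implicit deny
# Constructed example groups (hypothetical addresses and ports, not from the article)
SSH_ONLY = {Rule("inbound", "tcp", 22, 22, "10.0.0.0/8"),
            Rule("outbound", "tcp", 443, 443, "0.0.0.0/0")}  # outbound narrowed on purpose
WEB = {Rule("inbound", "tcp", 80, 80, "0.0.0.0/0")}

def demo():
    fw = InstanceFirewall(SSH_ONLY, WEB)
    ssh_in = fw.check("inbound", "tcp", 22, "10.1.2.3", 54321)      # allowed by SSH_ONLY
    ssh_reply = fw.check("outbound", "tcp", 22, "10.1.2.3", 54321)  # stateful reply, no outbound rule for 22
    http_in = fw.check("inbound", "tcp", 80, "203.0.113.5", 40000)  # WEB's rule applies (union)
    rdp_in = fw.check("inbound", "tcp", 3389, "10.1.2.3", 40001)    # default deny inbound
    smtp_out = fw.check("outbound", "tcp", 50000, "198.51.100.7", 25)  # outbound limited to 443
    fw.rules.discard(Rule("inbound", "tcp", 22, 22, "10.0.0.0/8"))  # remove the SSH rule
    old_ssh = fw.check("inbound", "tcp", 22, "10.1.2.3", 54321)     # tracked flow survives
    new_ssh = fw.check("inbound", "tcp", 22, "10.1.2.3", 54322)     # new flow is now denied
    return ssh_in, ssh_reply, http_in, rdp_in, smtp_out, old_ssh, new_ssh
```

Narrowing the outbound rule set, as the article suggests, is what stops the instance from silently accepting traffic that only looks like a response.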


Default Security Groups

When you set up your AWS account, you have a default security group per region. In addition, each VPC has a default security group that can be used when you launch instances. These are standard security groups that can be associated with instances depending on the type of instance you launch. For example, if you launch a standard Windows Server base instance, the default security group that allows RDP access on port 3389 can be associated with it.

Key rules enabled by default security groups:

  • Allow inbound traffic only from other instances associated with the default security group
  • Allow all outbound traffic from the instance

Custom Security Groups

You can create your own security groups and specify them when you launch your instances. The following are the initial settings for a security group that you create:

  • Allow no inbound traffic
  • Allow all outbound traffic
