 

AWS Security Group for RDS - Outbound rules

I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.

However, this security group has all outbound traffic enabled for all traffic to all IPs.

Is this a security risk? What should be the ideal outbound security rule? From my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances. Is this right?

Manoj M J asked Nov 03 '16 07:11


People also ask

Do security groups have outbound rules?

When you first create a security group, it has an outbound rule that allows all outbound traffic from the resource. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.

Does RDS need outbound rules?

No. Security groups are stateful: once an inbound rule admits the EC2 instance's connection on port 5432, the database's replies on that same connection are allowed out regardless of the outbound rules, so no outbound rule is needed for the client sessions.

Which security group is used by AWS RDS?

Amazon RDS lets you control network access to a DB instance with a security group, which acts like a firewall in front of the instance. A DB instance launched in a VPC uses ordinary VPC security groups; the separate "DB security groups" apply only to the retired EC2-Classic platform. By default, no network access is allowed until you add rules.

Does Amazon RDS use security groups?

Yes. The security group attached to an RDS instance controls which network traffic reaches it. An inbound rule can name a source either as a CIDR block or as another security group; referencing the EC2 instances' security group as the source is the usual choice, because it follows the instances as their addresses change.


1 Answer

What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It is a good idea to have a clear control over outbound connections as well.

In your RDS group: delete all outbound rules (by default, there is a rule that allows outbound connections to all ports and IPs -> just delete this "all-anywhere" rule).

Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection, no outbound rules need to be defined in this case at all.

Boris Krassi answered Oct 16 '22 16:10
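An added example, not part of the question or the answer above: a small audit that finds security groups still carrying the default "all traffic to anywhere" egress rule and produces the AWS CLI command that revokes exactly that rule. It works on the data shape returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`), but the SAMPLE_GROUPS list below is constructed inline so the script runs offline; the group IDs and names in it are hypothetical.

```python
"""Audit VPC security groups for the default 'all traffic to anywhere'
egress rule and emit the AWS CLI command that removes it.

Added example, not code from the original post. SAMPLE_GROUPS is a
constructed stand-in for the 'SecurityGroups' list returned by
`aws ec2 describe-security-groups`; group IDs and names are hypothetical.
"""
import json

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample: an RDS group that still has the default egress rule,
# an EC2 application group whose egress was already tightened, and a group
# with no egress rules at all (the state the answer above recommends).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",          # hypothetical
        "GroupName": "rds-postgres",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",          # hypothetical
        "GroupName": "app-servers",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            # PostgreSQL only to the RDS group, referenced by group ID.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
            # HTTPS to anywhere is scoped to one port, so it is not 'open'.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",          # hypothetical
        "GroupName": "locked-down",
        "IpPermissions": [],
        "IpPermissionsEgress": [],
    },
]


def is_open_egress(rule):
    """True for a rule that allows every protocol and port to any address.

    AWS encodes 'all protocols' as IpProtocol "-1"; the destination is
    'anywhere' when it lists 0.0.0.0/0 or ::/0.
    """
    all_protocols = rule.get("IpProtocol") == "-1"
    to_any_v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    to_any_v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return all_protocols and (to_any_v4 or to_any_v6)


def find_open_egress(groups):
    """Return [(group_id, group_name)] for groups that still carry the
    default all-traffic egress rule."""
    return [(g["GroupId"], g["GroupName"])
            for g in groups
            if any(is_open_egress(r) for r in g.get("IpPermissionsEgress", []))]


def revoke_command(group_id, rule):
    """Build the AWS CLI call that removes exactly this egress rule.

    Passing the rule back as JSON makes the revoke match the rule as stored,
    which is safer than retyping it by hand.
    """
    permission = {"IpProtocol": rule["IpProtocol"]}
    for key in ("FromPort", "ToPort", "IpRanges", "Ipv6Ranges"):
        if rule.get(key):
            permission[key] = rule[key]
    return ("aws ec2 revoke-security-group-egress --group-id %s "
            "--ip-permissions '%s'" % (group_id, json.dumps([permission])))


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        for rule in group["IpPermissionsEgress"]:
            if is_open_egress(rule):
                print("%s (%s) still allows all outbound traffic; revoke with:"
                      % (group["GroupId"], group["GroupName"]))
                print("  " + revoke_command(group["GroupId"], rule))
```

Running it against the sample flags only the RDS group. After the revoke the group has no egress rules, which is the end state the answer recommends: because security groups are stateful, the database's replies to connections admitted by the inbound 5432 rule still flow. The one caveat is that connections the instance itself initiates, for example a PostgreSQL `postgres_fdw` or `dblink` link to another database, are not covered by that statefulness and would need a matching egress rule of their own.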