Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS Security Group for RDS - Outbound rules

Tags:

amazon-web-services

amazon-ec2

aws-security-group

aws-rds

I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.

However, this security group has all outbound traffic enabled for all traffic for all IP's.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

like image 436
Manoj M J Avatar asked Nov 03 '16 07:11

Manoj M J

People also ask

Do security groups have outbound rules?

When you first create a security group, it has an outbound rule that allows all outbound traffic from the resource. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.

Does RDS need outbound rules?

Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection, no outbound rules need to be defined in this case at all. Save this answer.

Which security group is used by AWS RDS?

Amazon RDS allows you to control access to your DB instances using database security groups (DB security groups). A DB security group acts like a firewall controlling network access to your DB instance. By default, network access is turned off for your DB instances.

Does Amazon RDS use security groups?

Amazon RDS security groups enable you to manage network access to your Amazon RDS instances. With security groups, you specify sets of IP addresses using CIDR notation, and only network traffic originating from these addresses is recognized by your Amazon RDS instance.

1 Answers

What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It is a good idea to have a clear control over outbound connections as well.

In your RDS group: delete all outbound rules (by default, there is rule that allows outbound connections to all ports and IP's -> just delete this "all-anywhere" rule).

Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection, no outbound rules need to be defined in this case at all.

like image 166
Boris Krassi Avatar answered Oct 16 '22 16:10

Boris Krassi
Sign in to Comment

Related questions

Looking up Editions of a Book
Benefits of migrating from MySQL to Oracle for Amazon RDS. Worth it? [A: no]
How to download an EC2 X.509 certificate with an IAM User account?
How to upload to S3 with Pause/Resume support?
Open Source Equivalent of AWS Flow Framework [closed]
How can I create an IAM policy to restrict permissions to billing/payment management?
AWS S3 Glacier - Programmatically Initiate Restore
How to deploy node.js application in AWS
Amazon AWS S3 IAM Policy based on namespace or tag
Add or remove an entry from a List type attribute in a DynamoDB table item
How to scale horizontally Amazon RDS instance?
Is possible to connect to RDS Oracle DB instance with SQL developer?
AWS S3 gracefully handle 403 after getSignedUrl expired
Restrict services/apps to run in a particular Amazon ECS instance
Amazon SQS: The same message is consumed by two current consumers
How to (properly) use external credentials in an AWS Lambda function?
How can I work around "Too many redirects error" when trying to direct all web traffic to https with ec2 apache2 ubuntu?
Accessing Error log in shiny-server deployed on AWS instance
ServerSelectionTimeoutError when connecting to aws with pymongo
How to use Application Load Balancer for an ECS Service with multiple port mappings?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!