How do I use AWS security groups to whitelist only certain EC2 instances?

Tags: amazon-ec2

My understanding of AWS Security Groups is that it is essentially a whitelist.

Everything is blocked unless explicitly allowed.

Let's say hypothetically that I have some EC2 instances set up with autoscaling.

In the context of autoscaling, I won't necessarily know what those future IPs will be.

Say I have a set of EC2 instances that are used for databases like MySQL or MongoDB.

I want to only allow my application servers to be able to access my database servers.

Is there a way to create a tag for an EC2 instance and per the security group, allow any EC2 instance with a certain tag?

How is this usually done in the real world?

Thanks in advance

john asked Aug 06 '12 04:08



1 Answer

Looks like you can use security groups as classifiers and use the security group 'id' for the 'Source' field.

For example:

Say you had a cluster of web servers that belong to a 'web' security group (sg-12345).

Say you had a cluster of database servers that belong to a 'db' security group (sg-23456).

You can have the 'db' security group allow port 3306 to sg-12345, and as long as new instances are brought up in the 'web' security group, they'll have access to 'db' on port 3306.

john answered Sep 28 '22 02:09
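The rule the answer describes, and a check that the 'db' group actually ends up in that state, as an added example that is not part of the original question or answer. The group ids sg-12345 (web) and sg-23456 (db) and port 3306 come from the answer; the `describe-security-groups` JSON is constructed sample data, and the stray group sg-99999 and the 0.0.0.0/0 SSH rule in it are made up to show what the audit flags. The AWS CLI command is real (`aws ec2 authorize-security-group-ingress` with `--source-group`); the Python only builds it and parses the JSON shape the CLI returns, so it runs offline.

```python
"""Security-group-as-source: build the ingress rule from the answer and audit
the resulting 'db' group so that only the 'web' group can reach the DB port.

Constructed example; group ids and port from the answer above, sample
describe-security-groups output made up for this demonstration.
"""
import json
import shlex

WEB_SG = "sg-12345"   # 'web' group from the answer
DB_SG = "sg-23456"    # 'db' group from the answer
DB_PORT = 3306


def authorize_ingress_command(db_sg, web_sg, port):
    """Return the AWS CLI call that adds the rule the answer describes: members of
    web_sg may reach db_sg on `port`. The source is a group id, not a CIDR, so it
    keeps working as autoscaling replaces instances and their IPs."""
    return shlex.join([
        "aws", "ec2", "authorize-security-group-ingress",
        "--group-id", db_sg,
        "--protocol", "tcp",
        "--port", str(port),
        "--source-group", web_sg,
    ])


def _covers_port(perm, port):
    """True if an IpPermission entry applies to `port`. IpProtocol "-1" means all
    traffic and carries no FromPort/ToPort, so it covers every port."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_group(describe_output, db_port, allowed_source_sgs):
    """Walk `aws ec2 describe-security-groups` JSON (as a string) and report ingress
    that breaks the intended posture:
      - any rule whose source is a CIDR block (a CIDR cannot track autoscaled IPs,
        and 0.0.0.0/0 is the classic mistake on a DB group)
      - any rule reaching db_port whose source group is not in allowed_source_sgs
    Returns {"ok": bool, "findings": [str, ...]}."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            span = "{}-{}/{}".format(perm.get("FromPort", "all"),
                                     perm.get("ToPort", "all"),
                                     perm.get("IpProtocol"))
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                findings.append(f"{gid}: {span} open to CIDR {cidr}")
            if _covers_port(perm, db_port):
                for pair in perm.get("UserIdGroupPairs", []):
                    src = pair.get("GroupId")
                    if src not in allowed_source_sgs:
                        findings.append(f"{gid}: {span} reachable from unexpected group {src}")
    return {"ok": not findings, "findings": findings}


# Constructed: what `aws ec2 describe-security-groups --group-ids sg-23456` might
# return for a 'db' group that has drifted from the intended single rule.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": DB_SG, "GroupName": "db",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},          # intended
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-99999"}]},      # made-up stray group
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},     # made-up open SSH
    ],
}]})

# Constructed: the same group with only the rule from the answer.
CLEAN_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": DB_SG, "GroupName": "db",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
    ],
}]})


if __name__ == "__main__":
    print(authorize_ingress_command(DB_SG, WEB_SG, DB_PORT))
    for label, data in (("drifted", SAMPLE_DESCRIBE_OUTPUT), ("clean", CLEAN_DESCRIBE_OUTPUT)):
        result = audit_db_group(data, DB_PORT, {WEB_SG})
        print(label, "ok" if result["ok"] else "FINDINGS:")
        for f in result["findings"]:
            print("  -", f)
```

In practice you would feed `audit_db_group` the output of `aws ec2 describe-security-groups --group-ids sg-23456 --output json` from a read-only role on a schedule; a group referencing another group by id is what keeps the whitelist stable under autoscaling, and any CIDR or unexpected group id on the DB group is the drift you want to catch.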