Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I use AWS security groups to whitelist only certain EC2 instances?

Tags:

amazon-ec2

My understanding of AWS Security Groups is that it is essentially a whitelist.

Everything is blocked unless explicitly allowed.

Let's say hypothetically that I have some EC2 instances setup with autoscaling.

In the context of autoscaling, I won't necessarily know what those future IP's will be.

Say I have a set of EC2 instances that are used for databases like mysql or mongodb.

I want to only allow my application servers to be able to access my database servers.

Is there a way to create a tag for an EC2 instance and per the security group, allow any EC2 instance with a certain tag?

How is this usually done in the real world?

Thanks in advance

like image 601
john Avatar asked Aug 06 '12 04:08

john

People also ask

Can I restrict the access of IAM users to specific Amazon EC2 resources?

Most essential Amazon EC2 actions don't support resource-level permissions or conditions, and isolating IAM users or groups of user's access to Amazon EC2 resources by any criteria other than AWS Region doesn't fit most use cases. Instead, consider linking multiple different AWS accounts through AWS Organizations.

How do I restrict a security group in AWS?

Sign in to the AWS Management Console using the Firewall Manager administrator account, then navigate to Firewall Manager in the Console and choose Security policies. Specify the correct AWS Region your policy should be deployed to, and then choose Create policy.

What function do security groups serve concerning Amazon EC2 instance security?

A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance.

1 Answers

Looks like you can use security groups as classifiers and use the security group 'id' for the 'Source' field.

For example:

Say you had a cluster of web servers who belong to a 'web' security group (sg-12345)

Say you had a cluster of database servers who belong to a 'db' security group (sg-23456)

You can have the 'db' security group allow port 3306 to sg-12345 and as long as new instances are brought up in the 'web' security group, they'll have access to 'db' on the port 3306

like image 99
john Avatar answered Sep 28 '22 02:09

john
Sign in to Comment

Related questions

Can't browse to my EC2 Instance [closed]
Cloud-front backed with Nginx (which proxies to S3) randomly missing already cached items?
performance of NumPy with different BLAS implementations
How to calculate hours/month usage on Amazon RDS and Pricing?
connecting ec2 instance through filezilla [closed]
How should secret files be pushed to an EC2 Ruby on Rails application using amazon web services with their elastic beanstalk?
Amazon SDK - Temporary Credentials and AssumeRoleRequest
KVM not working with EC2 C5.large
Amazon Linux vs Red Hat Linux [closed]
ec2 server postgres error "version `GLIBC_2.14' not found"
aws cli copy between S3 regions on EC2
Scalability 101: How can I design a scalable web application using PHP?
Sql Server JDBC Connection Reset Error : Only on Amazon EC2
Fake EC2 endpoint for testing
Building Erlang applications for the cloud
Give an instance only access to tag itself?
AWS Load Balancer EC2 health check request timed out failure

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!