What are all the resources that can be associated with a security group in AWS?

The AWS docs are almost useless when trying to describe an entire system. Is there any resource or compiled list of all the resources that can belong to a security group and the different types of security groups?

Here is what I have so far:

  • EC2-Classic instance
  • EC2-VPC instance
  • RDS
  • ElastiCache

Anything else I'm missing? Any really good doc resource I'm missing?

Agam Rafaeli asked Apr 19 '15 12:04


3 Answers

The main concept to understand about an AWS Security Group is that it determines what traffic is permitted in/out of a resource on a virtual network.

Therefore, think about what can be launched "into" a virtual network:

  • Amazon EC2 instances
  • Services that launch EC2 instances:
    • AWS Elastic Beanstalk
    • Amazon Elastic MapReduce
  • Services that use EC2 instances (without appearing directly in the EC2 service):
    • Amazon RDS (Relational Database Service)
    • Amazon Redshift
    • Amazon ElastiCache
    • Amazon CloudSearch
  • Elastic Load Balancing
  • Lambda

Resources do not "belong" to a security group. Rather, one or more Security Groups are associated to a resource. This is often a difficult concept to understand since Security Groups have similar abilities to firewalls, and firewalls generally "encase" a number of devices. Rather than "belonging to", or "being encased by", a security group, the virtual network simply uses the definitions contained within a security group to determine what traffic to permit in/out of the resource.

For example, imagine two EC2 instances that are associated with a "Web" security group and the security group is configured to permit incoming traffic on port 80. While both instances are associated to the same security group, they cannot communicate with each other. This is because they do not "belong" to the security group, and are not "within" the security group. Rather, the security group definition is used to filter traffic in/out of the instances. The security group can, of course, be configured to permit incoming traffic from the security group itself (a self-reference), which really means that incoming traffic is permitted from any resource that is, itself, associated with the security group. (See, I told you that it's a difficult concept to grasp!)

Also, a security group is not actually associated with an EC2 instance within a VPC. Rather, the security group is associated with the Elastic Network Interface (ENI) that is attached to an EC2 instance. Think of the ENI as a "network card" that links an instance to a VPC subnet. An instance can have multiple ENIs and can therefore connect to multiple subnets. Each ENI can have its own association with security groups. Thus, the actual security groups being used depend upon where the traffic is flowing in/out of the instance, rather than actually being associated with the instance.

There are only two "types" of security groups:

  • EC2 Classic (the legacy network configuration)
  • EC2 VPC (the modern private network configuration)

Either type of security group can be associated with any other resource, as long as they are in the same network type (classic or VPC).

John Rotenstein answered Oct 23 '22 14:10
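The filtering model described in this answer (rules evaluated on the destination ENI's groups, group-referenced sources, and the self-reference case), as an added illustration that is not part of the original answer: a small offline Python model with constructed, hypothetical group ids and addresses. It is not the AWS API, only the evaluation logic the answer describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", or "-1" (all protocols and ports)
    from_port: int
    to_port: int
    source: str      # CIDR such as "0.0.0.0/0", or a security group id

@dataclass(frozen=True)
class Endpoint:
    ip: str
    groups: tuple = ()   # SG ids associated with this ENI; () for an external host

def ingress_allowed(sgs, src, dst, proto, port):
    """Default-deny: any matching ingress rule on any group of the destination ENI permits the flow."""
    for sg_id in dst.groups:
        for rule in sgs[sg_id]:
            if rule.proto != "-1" and (rule.proto != proto
                                       or not rule.from_port <= port <= rule.to_port):
                continue
            if rule.source.startswith("sg-"):
                # Group-referenced source: matches any ENI associated with that group (no "membership")
                if rule.source in src.groups:
                    return True
            elif ip_address(src.ip) in ip_network(rule.source):
                return True
    return False

# Constructed sample (hypothetical ids): a load balancer group open to the
# internet on 80, and a "Web" group that only accepts 80 from the load balancer.
SGS = {
    "sg-alb": [Rule("tcp", 80, 80, "0.0.0.0/0")],
    "sg-web": [Rule("tcp", 80, 80, "sg-alb")],
}
# Same, plus a self-reference: sg-web also permits all traffic from sg-web.
SGS_SELF = {**SGS, "sg-web": SGS["sg-web"] + [Rule("-1", 0, 0, "sg-web")]}
CLIENT = Endpoint("203.0.113.7")                 # external host, no security groups
ALB = Endpoint("10.0.0.5", ("sg-alb",))
WEB_A = Endpoint("10.0.1.10", ("sg-web",))
WEB_B = Endpoint("10.0.1.11", ("sg-web",))

def evaluate(sgs):
    return {
        "client->alb:80": ingress_allowed(sgs, CLIENT, ALB, "tcp", 80),
        "alb->web_a:80": ingress_allowed(sgs, ALB, WEB_A, "tcp", 80),
        "client->web_a:80": ingress_allowed(sgs, CLIENT, WEB_A, "tcp", 80),
        "web_a->web_b:80": ingress_allowed(sgs, WEB_A, WEB_B, "tcp", 80),
    }
```

With `SGS`, the two web instances share a group but cannot reach each other on port 80; with `SGS_SELF` the self-reference permits it, while the external client is still refused.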


A Lambda Function can also be associated with a Security Group. That might not have been the case in 2015, when the original answer was written.

user3341808 answered Oct 23 '22 14:10


Fargate tasks can also be assigned to security groups.

mhvelplund answered Oct 23 '22 13:10