AWS security groups are an effective way to manage security: they provide a powerful firewall. However, there are some basic rules you need to follow. Without strict security controls, the security of an entire application can be compromised.

1) Create a default AWS security group for your new instances

When you create a new instance through Salt, it requires you to specify a default security group. To avoid any security breach, create a default group that only allows SSH.

2) Create a group for your different types of application

Applications of the same type usually use the same ports. For example, if you run multiple web servers, they will most likely use ports 80/443. Create a security group named “web servers” and apply it to all instances of this type.

3) Create a base AWS security group

Since you can apply multiple security groups to an instance, why not have different levels of security group? Create a base security group containing the basic rules you always need (SSH or RPC, etc.), and then apply a different security group depending on the application.

4) Create generic groups for back-end and front-end

Back-end services are usually not accessible from outside, unlike front-end services. Make sure to create a base group for each of these two tiers.

5) Don’t neglect outbound rules

People usually tend to allow all outbound traffic. However, that leaves you unprotected against a malicious service. List the external services you need to reach and block every other port. In most cases, you will just need: SSH, HTTP(S), FTP, NTP, DNS and VPN.
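As an added example (not code from the original post), here is a small Python check that reads security groups in the shape returned by `aws ec2 describe-security-groups` and reports every egress rule that goes beyond the allowlist of services named above. The sample groups and their ids are constructed, and the VPN entry assumes OpenVPN on 1194/udp; adjust the allowlist to the services you actually use.

```python
"""Audit outbound (egress) security-group rules against a port allowlist.

Input is the "SecurityGroups" list shape of `aws ec2 describe-security-groups`.
All sample groups below are constructed for this example.
"""

# Allowed outbound services from the text. The VPN port is an assumption
# (OpenVPN, 1194/udp); replace it with the port your VPN actually uses.
EGRESS_ALLOWLIST = {
    ("tcp", 22),    # ssh
    ("tcp", 80),    # http
    ("tcp", 443),   # https
    ("tcp", 21),    # ftp (control channel)
    ("udp", 123),   # ntp
    ("tcp", 53),    # dns
    ("udp", 53),    # dns
    ("udp", 1194),  # vpn (assumed OpenVPN)
}


def _permission_ports(perm):
    """Return the set of (protocol, port) pairs one IpPermission entry opens.

    Returns None when the rule cannot be reduced to a small set of ports:
    "all traffic" (IpProtocol -1), protocols without ports, or a range so
    wide that it is a violation by itself.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1" or "FromPort" not in perm:
        return None
    lo, hi = perm["FromPort"], perm["ToPort"]
    if lo < 0 or hi - lo > 1024:
        return None
    return {(proto, port) for port in range(lo, hi + 1)}


def egress_violations(group, allowlist=EGRESS_ALLOWLIST):
    """List human-readable findings for egress rules outside the allowlist."""
    findings = []
    label = f"{group['GroupName']} ({group['GroupId']})"
    for perm in group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        ports = _permission_ports(perm)
        if ports is None:
            findings.append(
                f"{label}: unbounded egress rule (protocol {proto}, ports "
                f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')})"
            )
            continue
        extra = sorted(port for _, port in ports - allowlist)
        if extra:
            findings.append(f"{label}: egress opens non-allowlisted {proto} ports {extra}")
    return findings


def audit_egress(groups, allowlist=EGRESS_ALLOWLIST):
    """Run egress_violations over every group and flatten the findings."""
    return [f for g in groups for f in egress_violations(g, allowlist)]


# Constructed sample data: the AWS default group (allows all outbound),
# a group restricted the way rule 5 recommends, and a group that looks
# tight but opens a whole TCP range.
SAMPLE_GROUPS = [
    {
        "GroupName": "default", "GroupId": "sg-0000000000000001",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupName": "egress-restricted", "GroupId": "sg-0000000000000002",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
            {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupName": "sloppy", "GroupId": "sg-0000000000000003",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 90, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_GROUPS):
        print(finding)
```

To run it against a real account, feed the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` to `audit_egress`. The check only looks at ports; once the port list is tight, the next step is to restrict the destination CIDRs of each rule as well.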

6) For an exception, create a new group

Sometimes we need to create exceptions for specific services. However, instead of updating an existing group, which affects every member of that group (and loses security), create a dedicated group for this instance’s exceptions and apply it to the instance in addition to its other security groups.
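To make the layering of rules 1 to 4 and 6 concrete, here is an added Python model (not code from the original post) of the groups described above, again in the shape `aws ec2 describe-security-groups` returns. It shows which ports an instance actually accepts from a given source once all of its groups are combined, and checks that the base and back-end groups keep their intended shape. Every group id, name and address range is constructed; real group ids look like `sg-` followed by hex digits.

```python
"""Layered security groups: base + application + tier + per-instance exception.

Added example; all ids, names and CIDRs are constructed. The "role" tag is an
assumption used here to tell the audit which layer a group belongs to.
"""

PUBLIC = "0.0.0.0/0"


def tcp_rule(port, *sources):
    """Build one inbound IpPermission for a TCP port; sources are CIDRs or sg- ids."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    for src in sources:
        if src.startswith("sg-"):
            perm["UserIdGroupPairs"].append({"GroupId": src})
        else:
            perm["IpRanges"].append({"CidrIp": src})
    return perm


def group(gid, name, role, *rules):
    """Build one security group with a constructed "role" tag."""
    return {"GroupId": gid, "GroupName": name, "IpPermissions": list(rules),
            "Tags": [{"Key": "role", "Value": role}]}


GROUPS = {g["GroupId"]: g for g in [
    # rules 1 and 3: base group, ssh only, from the internal range (constructed)
    group("sg-base", "base", "base", tcp_rule(22, "10.0.0.0/8")),
    # rule 2: one group per application type
    group("sg-web", "web-servers", "app", tcp_rule(80, PUBLIC), tcp_rule(443, PUBLIC)),
    # rule 4: tier groups; front-end is a membership marker, back-end only
    # accepts from members of the front-end group
    group("sg-front", "front-end", "front-end"),
    group("sg-back", "back-end", "back-end", tcp_rule(5432, "sg-front")),
    # rule 6: a dedicated exception group for one instance (partner range constructed)
    group("sg-exc-web1", "exception-web-1", "exception", tcp_rule(8443, "203.0.113.0/24")),
]}

INSTANCES = {
    "web-1": ["sg-base", "sg-front", "sg-web", "sg-exc-web1"],
    "web-2": ["sg-base", "sg-front", "sg-web"],
    "db-1": ["sg-base", "sg-back"],
}


def reachable_ports(groups, instance_group_ids, source):
    """Ports an instance accepts from `source` (CIDR or sg- id) across all its groups.

    Security groups are additive: the instance's effective inbound policy is
    the union of every attached group's rules.
    """
    ports = set()
    for gid in instance_group_ids:
        for perm in groups[gid]["IpPermissions"]:
            sources = {r["CidrIp"] for r in perm["IpRanges"]}
            sources |= {g["GroupId"] for g in perm["UserIdGroupPairs"]}
            if source in sources:
                ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return sorted(ports)


def audit_layout(groups):
    """Findings that break the layering: base beyond ssh, back-end open to the world."""
    findings = []
    for g in groups.values():
        role = {t["Key"]: t["Value"] for t in g.get("Tags", [])}.get("role")
        for perm in g["IpPermissions"]:
            public = any(r["CidrIp"] == PUBLIC for r in perm["IpRanges"])
            if role == "base" and (perm["FromPort"], perm["ToPort"]) != (22, 22):
                findings.append(f"{g['GroupName']}: base group allows "
                                f"{perm['FromPort']}-{perm['ToPort']}, expected ssh only")
            if role == "back-end" and public:
                findings.append(f"{g['GroupName']}: back-end group reachable from {PUBLIC}")
    return findings


if __name__ == "__main__":
    for name, gids in INSTANCES.items():
        print(name, "from internet:", reachable_ports(GROUPS, gids, PUBLIC),
              "from partner:", reachable_ports(GROUPS, gids, "203.0.113.0/24"))
    print("layout findings:", audit_layout(GROUPS))
```

The point of the exception group shows up in `reachable_ports`: web-1 accepts 8443 from the partner range while web-2, which shares every other group, does not. Removing the exception later is a matter of detaching one group from one instance.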

Conclusion

In conclusion, AWS security groups are a powerful tool to manage security for your cloud-based applications. By implementing strict security controls, you can ensure that your applications are protected from malicious attacks. Creating default security groups, application-specific groups, base groups, and generic groups for back-end and front-end services can help you organize your security groups and ensure that they are tailored to your specific needs.

In addition, it’s important to not neglect outbound rules, and to only allow access to the external services you need. And in cases where you need to create exceptions for specific instances, it’s best to create a new dedicated group for that instance, rather than updating an existing group and potentially compromising the security of other instances. By following these basic rules, you can help ensure the security of your AWS cloud-based applications.


About TrackIt

TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.

We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.

Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.