Controls the traffic that is allowed to reach and leave the resources it's associated with.
Can only be assigned to resources in the same VPC as the security group.
Multiple security groups can be assigned to a resource.
Name should follow the rules:
- unique within the VPC
- up to 255 characters
- allowed characters: [a-zA-Z0-9 ._-:/()#,@[]+=&;{}!$*] (letters, digits, space and the listed punctuation)
- cannot start with sg-
Are stateful: return traffic of an allowed flow is permitted by connection tracking, so no rule for the reply direction is needed.
For example, if you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules.
Do not filter traffic to and from:
- Amazon Domain Name Services (DNS)
- Amazon Dynamic Host Configuration Protocol (DHCP)
- Amazon EC2 instance metadata
- Amazon ECS task metadata endpoints
- License activation for Windows instances
- Amazon Time Sync Service
- Reserved IP addresses used by the default VPC router
There are quotas on how many security groups can be created per VPC, how many rules each SG can hold, how many SGs can be attached to one network interface, etc. Details.
Best practices
- Authorize only specific IAM principals to create/modify SGs.
- Minimize the number of SGs to decrease the risk of error. Assign the same SG to resources with similar functions and security requirements.
- Try to authorize only specific IP address ranges when possible.
- Do not open large port ranges.
- Restrict each port to the sources/destinations that require it.
- Consider creating network ACLs with rules similar to the SG's as an additional layer of defence (NACLs are stateless and, unlike SGs, support deny rules).
Security group rules
- Inbound traffic - ingress
- Outbound traffic - egress
Only allow rules can be specified, not deny.
Defaults:
- No inbound traffic is allowed by default.
- On creation of the SG a default outbound rule allowing all outbound traffic is added. When the SG is created with Terraform's aws_security_group resource, this default rule is revoked and only the egress rules you specify apply.
When more than one SG is attached to a resource, their rules are aggregated into a single set of rules.
Changes to SG rules are automatically applied to all resources that are associated with this SG.
Each SG rule has a unique ID.
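The two points above, that a resource is governed by the union of all its attached groups' allow rules and that the best practices (no large port ranges, no blanket 0.0.0.0/0 sources) should be checked, can be exercised offline. The following is an added example, not code from the original notes or from AWS: it flattens the IpPermissions structure that `aws ec2 describe-security-groups` returns into one effective allow list, decides whether a given inbound flow is permitted, and flags rules that violate the practices listed earlier. The three security groups, the `public_ok` port set and the `max_port_span` threshold are constructed for the example.

```python
"""Aggregate and audit EC2 security-group rules offline (added example;
not code from the original notes or AWS). Input mirrors the IpPermissions
shape of `aws ec2 describe-security-groups`; sample groups are constructed."""
import ipaddress
from collections import namedtuple

WORLD = ("0.0.0.0/0", "::/0")
# protocol: "tcp", "udp", "icmp" or "-1" (all); source_kind: "cidr", "sg" or "pl"
Rule = namedtuple("Rule", "group_id protocol from_port to_port source_kind source")


def effective_rules(groups):
    """Flatten the inbound rules of every attached SG into one allow list.
    AWS evaluates the union of all attached groups, so this list is what
    governs the resource. ICMP type/code (sent in the port fields) is ignored."""
    rules = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            # "-1" means all protocols and carries no port fields at all.
            lo = 0 if proto == "-1" else perm["FromPort"]
            hi = 65535 if proto == "-1" else perm["ToPort"]
            sources = (
                [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
                + [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
                + [("sg", r["GroupId"]) for r in perm.get("UserIdGroupPairs", [])]
                + [("pl", r["PrefixListId"]) for r in perm.get("PrefixListIds", [])]
            )
            rules += [Rule(sg["GroupId"], proto, lo, hi, k, s) for k, s in sources]
    return rules


def is_allowed(groups, protocol, port, src_ip, src_groups=frozenset()):
    """True if inbound traffic matches at least one allow rule. Only allow
    rules exist, so the first match decides. src_groups: SG IDs attached to
    the sender (for group-referencing rules). Prefix-list membership cannot be
    resolved offline, so "pl" rules never match here."""
    ip = ipaddress.ip_address(src_ip)
    for rule in effective_rules(groups):
        if rule.protocol not in ("-1", protocol):
            continue
        if not rule.from_port <= port <= rule.to_port:
            continue
        if rule.source_kind == "cidr" and ip in ipaddress.ip_network(rule.source):
            return True
        if rule.source_kind == "sg" and rule.source in src_groups:
            return True
    return False


def audit(groups, public_ok=frozenset({80, 443}), max_port_span=100):
    """Flag rules that break the best practices above; returns (rule, reasons).
    A single world-reachable port in public_ok (a web listener) is tolerated.
    Thresholds are this example's choices, not AWS defaults."""
    findings = []
    for r in effective_rules(groups):
        reasons = []
        if r.protocol == "-1":
            reasons.append("all protocols")
        single_public_port = r.from_port == r.to_port and r.from_port in public_ok
        if r.source_kind == "cidr" and r.source in WORLD and not single_public_port:
            reasons.append("open to the world")
        if r.to_port - r.from_port > max_port_span:
            reasons.append("large port range")
        if reasons:
            findings.append((r, reasons))
    return findings


# Constructed sample data, not real account output.
SG_WEB = {"GroupId": "sg-0aaa0000000000001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_APP = {"GroupId": "sg-0aaa0000000000002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000000000003"}]}]}
SG_LEGACY = {"GroupId": "sg-0aaa0000000000009", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}

if __name__ == "__main__":
    print(is_allowed([SG_WEB, SG_APP], "tcp", 22, "203.0.113.7"))  # True, via SG_APP
    print(is_allowed([SG_WEB], "tcp", 22, "203.0.113.7"))          # False, SG_WEB alone
    for rule, reasons in audit([SG_LEGACY]):
        print(rule.group_id, rule.protocol, f"{rule.from_port}-{rule.to_port}",
              rule.source, "->", ", ".join(reasons))
```

The same SSH flow is denied when only SG_WEB is attached and allowed once SG_APP is added, which is the aggregation behaviour described above; the 5432 rule only matches when the sender carries the referenced group ID. Against real data, replace the sample dicts with the `SecurityGroups` list from the describe call.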
Components of a security group rule
- Protocol: the protocol to allow. The most common are TCP, UDP and ICMP.
- Port range: a single port number (22) or a range of port numbers (7000-8000) to allow for the given protocol.
- ICMP type and code: "For ICMP, the ICMP type and code. For example, use type 8 for ICMP Echo Request or type 128 for ICMPv6 Echo Request."
- Source/destination: the source (inbound rule) or destination (outbound rule) of the traffic to allow. One of:
  - A single IPv4 address. You must use the /32 prefix length. For example, 203.0.113.1/32.
  - A single IPv6 address. You must use the /128 prefix length. For example, 2001:db8:1234:1a00::123/128.
  - A range of IPv4 addresses, in CIDR block notation. For example, 203.0.113.0/24.
  - A range of IPv6 addresses, in CIDR block notation. For example, 2001:db8:1234:1a00::/64.
  - The ID of a prefix list. For example, pl-1234abc1234abc123. For more information, see Group CIDR blocks using managed prefix lists.
  - The ID of a security group. For example, sg-1234567890abcdef0. Affects all resources that are associated with the referenced security group. For more information, see Security group referencing.
- (Optional) Description: up to 255 chars, [a-zA-Z0-9 ._-:/()#,@[]+=&;{}!$*].
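A client-side check of these components before a rule is submitted saves a round trip and gives a readable reason for rejection. The following is an added example, not code from the original notes or from AWS: it enforces the single-host prefix rule (/32 and /128) by rejecting any CIDR with host bits set, checks the port range, ICMP type/code bounds, the sg-/pl- identifier shape and the description length and charset. The rule dict layout, the error strings and the assumption that AWS IDs are 8 or 17 lowercase hex digits after the prefix (consistent with the examples above) are this example's own.

```python
"""Validate the components of a security-group rule before calling the API
(added example; not code from the original notes or AWS). The dict layout,
error strings and the 8/17-hex-digit ID shape are this example's assumptions."""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "icmp", "icmpv6", "-1"}
# Charset AWS accepts for a rule description (same set as for SG names), max 255.
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 ._:/()#,@\[\]+=&;{}!$*-]{0,255}$")
# Assumption: AWS resource IDs are 8 or 17 lowercase hex digits after the prefix.
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
PL_ID_RE = re.compile(r"^pl-[0-9a-f]{8}(?:[0-9a-f]{9})?$")


def validate_source(src):
    """Return None if src is an acceptable source/destination, else a reason."""
    if src.startswith("sg-"):
        return None if SG_ID_RE.match(src) else f"malformed security group ID: {src}"
    if src.startswith("pl-"):
        return None if PL_ID_RE.match(src) else f"malformed prefix list ID: {src}"
    if "/" not in src:
        return f"prefix length required (/32 or /128 for a single host): {src}"
    try:
        # strict=True rejects host bits set, which is exactly what a single
        # address with the wrong prefix length (e.g. 203.0.113.1/24) looks like.
        ipaddress.ip_network(src, strict=True)
    except ValueError as exc:
        return f"invalid CIDR {src}: {exc}"
    return None


def validate_rule(rule):
    """Validate one rule dict; return a list of problems (empty means OK)."""
    problems = []
    proto = rule.get("protocol")
    if proto not in PROTOCOLS:
        problems.append(f"unsupported protocol: {proto!r}")
    if proto in ("tcp", "udp"):
        lo = rule.get("from_port")
        hi = rule.get("to_port", lo)   # a single port is from == to
        if not (isinstance(lo, int) and isinstance(hi, int) and 0 <= lo <= hi <= 65535):
            problems.append(f"bad port range: {lo}-{hi}")
    if proto in ("icmp", "icmpv6"):
        # Type and code travel in the port fields; -1 means "all".
        t, c = rule.get("icmp_type", -1), rule.get("icmp_code", -1)
        if not (-1 <= t <= 255 and -1 <= c <= 255):
            problems.append(f"bad ICMP type/code: {t}/{c}")
    sources = rule.get("sources", [])
    if not sources:
        problems.append("rule has no source/destination")
    for src in sources:
        err = validate_source(src)
        if err:
            problems.append(err)
    if not DESCRIPTION_RE.match(rule.get("description", "")):
        problems.append("description too long or contains disallowed characters")
    return problems


# Constructed sample rules.
GOOD = {"protocol": "tcp", "from_port": 22, "to_port": 22,
        "sources": ["203.0.113.0/24", "sg-1234567890abcdef0"],
        "description": "ssh from office"}
BAD = {"protocol": "tcp", "from_port": 22,
       "sources": ["203.0.113.1", "203.0.113.1/24", "pl-xyz"]}

if __name__ == "__main__":
    print(validate_rule(GOOD))   # []
    for problem in validate_rule(BAD):
        print("BAD:", problem)
```

The BAD rule produces three problems: a bare address without a prefix length, a /24 applied to a single address (host bits set), and a malformed prefix-list ID. A rule using protocol -1 needs no port fields, so only its sources and description are checked.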
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-size