AWS Security Groups

    This section describes how to create and modify AWS Security Groups in the Dome9 console. The AWS account for which the Security Groups are created must be in Full Protection mode, which lets the Security Groups be managed by Dome9 instead of from the AWS console.

    Create a new AWS Security Group

    You can create a new AWS Security Group for a VPC (your account must be in Full Protection mode to do this).

    1. Navigate to Network Security in the Dome9 console, and select Security Groups.

    2. In the filter pane on the left, select AWS accounts.

    3. Press the add button opposite the account for which you wish to add a Security Group.

    4. Enter the name of the new Security Group and a description, and then press ADD.

    5. Add Inbound and Outbound Services to the group:

      1. Select the details for the Service.

      2. Select whether the Port Behavior will be Open (the port accepts traffic from any source) or Limited. For Limited behavior, add the sources that will be accepted: individual IP addresses, IP Lists, or another AWS Security Group. Use Limited for administrative ports such as SSH and RDP, and reserve Open for services that are meant to be reachable from anywhere.

      3. Press CREATE SERVICE.

    6. Add tags (tags allow the Security Group to be found by searching):

      1. Enter a Key (name) and a Value for the tag, then press CREATE.

     

    View and modify details for an AWS Security Group

    You can modify the details of any of your Security Groups (the Security Group must be in Full Protection mode to do this).

    1. Click on the link for the AWS Security Group you wish to modify.

    2. Click to add a new service (inbound or outbound), to change the details of an existing service in the Security Group, or to delete one.

    3. You can modify the name of the service, its type, protocol, and port. You can also set the allowed sources (IP addresses) for the port (the port behavior).

     

    Clone a Security Group

    You can clone an existing Security Group to make a copy of it. The copy has the same definitions (services, etc.). You can apply the new Security Group to the same VPC or to another.

    1. Click on the link for the AWS Security Group you wish to clone, and then click the clone button.

    2. Enter a name and description for the new Security Group. If it will be assigned to different VPCs, select Other VPCs.

    3. Select the Account, Region, and VPC from the lists, and then press ADD to assign the Security Group to a VPC. You can assign it to more than one VPC.

     

    Set an AWS Security Group to Full Protection

    You can change the protection mode of each AWS Security Group independently to Full Protection (and switch it back to Read-Only). In Full Protection mode you can change the Security Group only in the Dome9 console, not in the AWS console. Any change made in the AWS console, or by any other means (CLI, API, infrastructure-as-code), is detected by Dome9 and reverted to the definition held in Dome9.

    You can set a Security Group to Full Protection mode only if the AWS account is managed by Dome9 in Full Protection mode. If the account is managed as Read-Only, you can update it to Full Protection. See Set AWS account to Full Protection mode.
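    The following Python script is an added example and is not Dome9's own code; it models what Full Protection means for a single Security Group and also shows how the Open and Limited port behaviors described under Create a new AWS Security Group map onto rules. The rule set held in Dome9 is treated as the source of truth, the live AWS rule set (in the IpPermissions shape returned by the EC2 describe-security-groups call) is flattened to the same form, and the difference is expressed as the revoke and authorize calls needed to revert the drift. The Dome9 definition, the observed AWS state and the security-group id are constructed for the example; no AWS or Dome9 call is made.

```python
"""Drift detection and reversion plan for a Dome9-managed (Full Protection) security group.

Added example, not Dome9 code. Dome9 keeps the desired rule set; this script
shows how a change made outside Dome9 is detected and what it takes to revert it.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

OPEN = "0.0.0.0/0"   # Dome9 "Open" port behaviour: any IPv4 source


@dataclass(frozen=True, order=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all traffic
    from_port: int   # -1 when the protocol carries no port
    to_port: int
    source: str      # CIDR, or the id of another security group ("sg-...")


def service(direction: str, protocol: str, port: int,
            sources: Optional[Iterable[str]]) -> frozenset:
    """One Dome9 service: a port with Open (sources=None) or Limited behaviour."""
    srcs = [OPEN] if sources is None else list(sources)
    return frozenset(Rule(direction, protocol, port, port, s) for s in srcs)


def flatten_aws(permissions: list, direction: str) -> frozenset:
    """Flatten EC2 IpPermissions (describe-security-groups shape) into Rules."""
    rules = set()
    for p in permissions:
        proto = p["IpProtocol"]
        lo, hi = p.get("FromPort", -1), p.get("ToPort", -1)
        for r in p.get("IpRanges", []):
            rules.add(Rule(direction, proto, lo, hi, r["CidrIp"]))
        for g in p.get("UserIdGroupPairs", []):
            rules.add(Rule(direction, proto, lo, hi, g["GroupId"]))
    return frozenset(rules)


def revert_plan(desired: frozenset, observed: frozenset) -> Tuple[List[Rule], List[Rule]]:
    """Rules to revoke (live in AWS but not in Dome9) and to authorize (the reverse)."""
    return sorted(observed - desired), sorted(desired - observed)


def to_ip_permissions(rules: Iterable[Rule]) -> list:
    """Shape Rules as the IpPermissions argument of the EC2
    authorize_security_group_ingress / revoke_security_group_ingress calls."""
    perms = []
    for r in rules:
        perm = {"IpProtocol": r.protocol}
        if r.from_port != -1:
            perm["FromPort"], perm["ToPort"] = r.from_port, r.to_port
        if r.source.startswith("sg-"):
            perm["UserIdGroupPairs"] = [{"GroupId": r.source}]
        else:
            perm["IpRanges"] = [{"CidrIp": r.source}]
        perms.append(perm)
    return perms


# Constructed Dome9 definition: HTTPS open to all, SSH limited to the corporate
# range plus a bastion security group, all outbound traffic allowed.
DESIRED = (service("inbound", "tcp", 443, None)
           | service("inbound", "tcp", 22, ["10.0.0.0/8", "sg-0123456789abcdef0"])
           | service("outbound", "-1", -1, None))

# Constructed live state, as EC2 would report it after someone edited the group
# in the AWS console: SSH was opened to the world and the HTTPS rule was removed.
OBSERVED_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
]
OBSERVED_OUTBOUND = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def detect_drift() -> Tuple[List[Rule], List[Rule]]:
    """Compare the constructed live state with the Dome9 definition."""
    observed = (flatten_aws(OBSERVED_INBOUND, "inbound")
                | flatten_aws(OBSERVED_OUTBOUND, "outbound"))
    return revert_plan(DESIRED, observed)


if __name__ == "__main__":
    revoke, authorize = detect_drift()
    for r in revoke:
        print("revoke   ", r)
    for r in authorize:
        print("authorize", r)
```

    Run as a script it reports one rule to revoke (SSH from 0.0.0.0/0) and one to authorize (HTTPS from 0.0.0.0/0). Rules are compared per source rather than per service, so loosening a Limited port to an extra source is caught just as a whole new port is; an IP List in Dome9 would expand to one Rule per address in the same way.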

    1. Navigate to the Security Groups page. This shows a list of the Security Groups in your AWS accounts.

    2. Click on the Security Group to which you wish to apply Full Protection.

    3. Move the switch in the upper right to enable Full Protection.

    4. Click ENABLE to confirm.

    You can also do this from the Cloud Accounts page.

    1. Navigate to the Cloud Accounts page. This shows a list of your cloud accounts on all cloud providers and, for each, a summary of the assets, including Security Groups.

    2. Click on the account containing the Security Group that you wish to change to Full Protection. This will show a list of the cloud assets for the selected account, organized by region.

      Note: the account must be in Full Protection mode in order to change one of its Security Groups to Full Protection.

    3. Click the region containing the Security Group. This shows a summary of the VPCs and Security Groups in the region, organized by VPC. The upper part shows the operation mode Dome9 will apply to new Security Groups that it detects. You can select one of the following options:

      Read-Only

      new Security Groups will be included in Dome9 in Read-Only mode, without changes to any of the rules

      Full-Protection

      new Security Groups will be included in Dome9 in Full Protection mode, without changes to any of the rules

      Region lock

      new Security Groups will be included in Dome9 in Full Protection mode, and all inbound and outbound rules will be cleared. A Security Group with no rules allows no traffic, so any instance attached to a newly detected group loses the access its rules granted until rules are added in Dome9; use this option only where every new Security Group must be explicitly authorized in Dome9.

      Below this the Security Groups for the VPCs in the region are listed and, for each, the operation mode.

    4. Click Full Protection (Dome9 managed) for the Security Groups you wish to change to Full Protection, or Read-Only (Monitor mode) for those you wish to change to Read-Only, and then click SAVE.

      Note: click select entire region for one of the operation modes to select it for all Security Groups in the region.

      You can also change the protection mode of Security Groups using the Dome9 API (v2). For details, see Dome9 API.
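      The following Python script is an added example of driving that change through the Dome9 API v2 from the command line rather than the console; it is not Dome9's own code or documentation. It assumes that the API is reached at https://api.dome9.com with HTTP Basic authentication using an API key id and secret, that GET /v2/CloudSecurityGroup returns objects with id, securityGroupName, cloudAccountId, regionId and protectionMode fields, and that POST /v2/CloudSecurityGroup/{id}/protection-mode with a body of {"protectionMode": "FullManage"} (or "ReadOnly") changes the mode. All of those names are assumptions to verify against the current API reference before use; the listing used below is constructed so that the script runs offline.

```python
"""Switch every Read-Only AWS security group in one account and region to
Full Protection through the Dome9 API v2.

Added example, not Dome9 code. Endpoint paths, field names and the
protectionMode values are assumptions; check them against the API reference.
"""
import base64
import json
import urllib.request
from typing import List

BASE_URL = "https://api.dome9.com"          # assumed API host
FULL_PROTECTION = "FullManage"               # assumed value for Full Protection
READ_ONLY = "ReadOnly"                       # assumed value for Read-Only


def basic_auth_header(key_id: str, secret: str) -> dict:
    """Dome9 API keys are used as an HTTP Basic id:secret pair (assumed)."""
    token = base64.b64encode(f"{key_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def select_read_only(groups: list, account_id: str, region: str) -> list:
    """Groups in the given account/region that are not yet in Full Protection."""
    return [g for g in groups
            if g["cloudAccountId"] == account_id
            and g["regionId"] == region
            and g["protectionMode"] == READ_ONLY]


def build_protection_request(group_id: str,
                             mode: str = FULL_PROTECTION) -> urllib.request.Request:
    """POST /v2/CloudSecurityGroup/{id}/protection-mode (assumed endpoint)."""
    body = json.dumps({"protectionMode": mode}).encode()
    req = urllib.request.Request(
        f"{BASE_URL}/v2/CloudSecurityGroup/{group_id}/protection-mode",
        data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    return req


def plan_changes(groups: list, account_id: str, region: str) -> List[urllib.request.Request]:
    """One request per Read-Only group; nothing is sent yet."""
    return [build_protection_request(g["id"])
            for g in select_read_only(groups, account_id, region)]


def send(req: urllib.request.Request, auth: dict):
    """Send one prepared request. Requires network access and valid API keys."""
    for name, value in auth.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


# Constructed listing, in the shape assumed for GET /v2/CloudSecurityGroup.
SAMPLE_LISTING = [
    {"id": "11111111-1111-1111-1111-111111111111", "securityGroupName": "web-sg",
     "cloudAccountId": "12345", "regionId": "us_east_1", "protectionMode": READ_ONLY},
    {"id": "22222222-2222-2222-2222-222222222222", "securityGroupName": "db-sg",
     "cloudAccountId": "12345", "regionId": "us_east_1", "protectionMode": FULL_PROTECTION},
    {"id": "33333333-3333-3333-3333-333333333333", "securityGroupName": "eu-sg",
     "cloudAccountId": "12345", "regionId": "eu_west_1", "protectionMode": READ_ONLY},
]


if __name__ == "__main__":
    # Dry run: print what would be changed for account 12345 in us_east_1.
    for req in plan_changes(SAMPLE_LISTING, "12345", "us_east_1"):
        print(req.get_method(), req.full_url, req.data.decode())
    # To apply: send(req, basic_auth_header(KEY_ID, SECRET)) for each request.
```

      The script separates planning from sending so that the list of groups about to change can be reviewed first; the same constraint as in the console applies, so the account itself must already be in Full Protection or the requests will be rejected.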