AWS Security Group Management Considerations

    Here are some guidelines for managing AWS Security Groups from the Dome9 console.

    • When a server instance is launched in AWS, a security group association is assumed. If the Administrator does not assign a security group to a new instance, it is placed in the default security group and uses its policy settings.
    • AWS instances belong to one of two supported security group types: EC2-Classic or EC2-VPC. An AWS account can launch instances into both EC2-Classic and EC2-VPC, or only into EC2-VPC, by region.
    • Security Group rule definitions let specific sources reach an AWS instance using a specific protocol. Inbound rules identify the sources that can reach an instance with a given protocol (TCP, UDP, or ICMP) and destination port.

    Example: A rule could allow IP address 203.0.113.1 (the source) to reach the instances on TCP port 22 (the protocol and destination port).

    • AWS Security Group rules are permissive only. When multiple Security Groups are applied to an instance, the rules from all of them are aggregated into one larger set of allowed traffic.
    • In the case of internal referencing, an Administrator specifies a Security Group as the source security group in an inbound security group rule. This enables additional instances to send traffic to instances within the source group.

    Amazon VPCs and Dome9 Service Functionality

    A VPC is a virtual private cloud within Amazon Web Services: a private network that closely resembles a classic virtual private network (VPN), running on scalable infrastructure. VPC subnet resources are protected by multiple security layers, including security groups and network access control lists.

    VPC benefits include the ability to assign persistent private IP addresses, and multiple IP addresses, to instances. This lets an Administrator stop and start instances repeatedly without reassigning IP addresses. Network interfaces are defined independently and attached to specific instances.

    An additional VPC feature is the ability to change an instance’s Security Group membership on the fly: an instance can be switched to a different Security Group while it is running. Instances can also run on single-tenant hardware.

    For more information, see the Amazon Virtual Private Cloud User Guide.

    AWS Security Group Management Modes: Full Protection or Read-Only

    In Dome9, Amazon AWS Security Groups can be managed in one of two modes: Full Protection or Read-Only. Full Protection provides the Dome9 administrator with full control of AWS security policy definition, access leases, and the ability to interact with dynamic policy objects.

    In Full Protection mode, an AWS Security Group can only be managed from Dome9. Attempts to modify the security group from the AWS environment (such as the AWS console) are detected by Dome9 and trigger a Dome9 Tamper Protection message. Dome9 overrides the change and reverts the Security Group to the definition held in Dome9.

    In Read-Only mode, Security Groups are defined and modified in the AWS environment, but you can monitor changes in Dome9 with alerts and a full audit trail. Use this mode initially as you plan a transition from managing your cloud environment in AWS to managing it in Dome9. It is also the recommended mode of operation for Security Groups that are automated or managed by other tools (such as AWS OpsWorks).
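    The difference between the two modes comes down to what happens when a rule set observed in AWS no longer matches the one defined in the console. The following added example, which is not Dome9's own code, models that decision: `managed` stands for the rule set defined in the management console, `observed` for the rule set currently seen in AWS; both are constructed sample data, the mode names are hypothetical, and CIDRs are assumed to be written consistently (no canonicalisation is done here).

```python
"""Added example (not Dome9's own code): detect out-of-band changes to a
Security Group and apply the behaviour of each management mode."""
from typing import List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    cidr: str       # source range of an inbound rule


class Drift(NamedTuple):
    added: Set[Rule]    # present in AWS, absent from the managed definition
    removed: Set[Rule]  # in the managed definition, missing from AWS


def detect_drift(managed: List[Rule], observed: List[Rule]) -> Drift:
    """Compare the two rule sets; any difference is an out-of-band change."""
    m, o = set(managed), set(observed)
    return Drift(added=o - m, removed=m - o)


def describe(rule: Rule) -> str:
    return f"{rule.protocol} {rule.from_port}-{rule.to_port} from {rule.cidr}"


def reconcile(mode: str, managed: List[Rule],
              observed: List[Rule]) -> Tuple[List[Rule], List[str]]:
    """Return (rules that should be in effect, alerts raised).

    "full-protection": every drift is a tamper event and the group is
    reverted to the managed definition.  "read-only": AWS stays the source
    of truth; drift is only reported for the alert and audit trail."""
    drift = detect_drift(managed, observed)
    alerts = [f"rule added outside console: {describe(r)}"
              for r in sorted(drift.added)]
    alerts += [f"rule removed outside console: {describe(r)}"
               for r in sorted(drift.removed)]
    if mode == "full-protection":
        if alerts:
            alerts.append("tamper protection: reverting group to managed definition")
        return list(managed), alerts
    if mode == "read-only":
        return list(observed), alerts
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample: SSH was restricted to one admin range in the console,
# but someone widened it to the whole internet from the AWS side.
MANAGED = [Rule("tcp", 22, 22, "203.0.113.0/24"), Rule("tcp", 443, 443, "0.0.0.0/0")]
OBSERVED = [Rule("tcp", 22, 22, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")]

if __name__ == "__main__":
    for mode in ("read-only", "full-protection"):
        effective, alerts = reconcile(mode, MANAGED, OBSERVED)
        print(mode, "->", [describe(r) for r in effective])
        for line in alerts:
            print("  ALERT:", line)
```

    In both modes the same drift is detected and alerted; only Full Protection changes the effective rule set back to the managed definition, which is why the page recommends Read-Only for groups that another tool such as OpsWorks legitimately rewrites.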

    The following table summarizes the differences between Read-Only (Monitor-Only) and Full Protection modes:

                        Policy visualization   Alerts & Audits   Tamper Protection   Policy Editing   Access Leases
    Monitor-Only        Yes                    Yes               No                  No               No
    Full Protection     Yes                    Yes               Yes                 Yes              Yes

    When a Security Group is switched to Full Protection mode, Dome9 normalizes the rules in the group. A rule whose IP address range is fully included in the range of another rule with identical ports is removed.

    For example, the rule that allows inbound traffic on port 22 for address 192.168.10.10 is fully included in the rule that allows inbound traffic on port 22 for the address range 192.168.0.0/16, and would be removed.
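    The aggregation of rules across several attached groups and the normalization just described can be shown together. The following added example is not Dome9's own code: it unions the rules of the groups attached to an instance (duplicates collapse to one) and then drops every rule whose source range is a sub-range of another rule with the same protocol and identical ports, as the page specifies; it goes slightly beyond the page in also refusing to compare an IPv4 range against an IPv6 one. Group names and rule data are constructed sample input.

```python
"""Added example (not Dome9's own code): effective inbound rule set of an
instance with several Security Groups attached, then normalisation."""
import ipaddress
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    cidr: str       # source range of an inbound rule


def canonical(rule: Rule) -> Rule:
    """Write the CIDR in one form so 192.168.10.10 and 192.168.10.10/32
    compare equal."""
    net = ipaddress.ip_network(rule.cidr, strict=False)
    return rule._replace(cidr=net.with_prefixlen)


def aggregate(groups: Dict[str, List[Rule]]) -> List[Rule]:
    """Security Group rules only allow, so attaching several groups yields
    the union of their rules; exact duplicates collapse to one."""
    merged: List[Rule] = []
    for name in sorted(groups):
        for rule in groups[name]:
            rule = canonical(rule)
            if rule not in merged:
                merged.append(rule)
    return merged


def is_shadowed(rule: Rule, other: Rule) -> bool:
    """True when `rule` is fully included in `other`: identical protocol and
    ports, and rule.cidr a sub-range of other.cidr (a rule never shadows
    itself)."""
    if rule == other:
        return False
    if rule[:3] != other[:3]:   # protocol, from_port, to_port must match
        return False
    a = ipaddress.ip_network(rule.cidr, strict=False)
    b = ipaddress.ip_network(other.cidr, strict=False)
    if a.version != b.version:  # an IPv4 range is never inside an IPv6 one
        return False
    return a.subnet_of(b)


def normalize(rules: List[Rule]) -> List[Rule]:
    """Drop every rule that is fully covered by another rule in the set."""
    rules = aggregate({"": rules})  # canonicalise and dedupe first
    return [r for r in rules if not any(is_shadowed(r, o) for o in rules)]


# Constructed sample: two groups attached to the same instance.  The
# sg-web SSH rule for the single host is covered by sg-admin's /16 rule
# on the same port; the 443 rule for the same host is on a different
# port and therefore survives.
GROUPS = {
    "sg-web": [Rule("tcp", 80, 80, "0.0.0.0/0"),
               Rule("tcp", 22, 22, "192.168.10.10")],
    "sg-admin": [Rule("tcp", 22, 22, "192.168.0.0/16"),
                 Rule("tcp", 80, 80, "0.0.0.0/0"),
                 Rule("tcp", 443, 443, "192.168.10.10")],
}

if __name__ == "__main__":
    effective = aggregate(GROUPS)
    print("effective rules:", len(effective))
    for r in normalize(effective):
        print(r)
```

    Running the sample leaves three rules: the /16 rule for port 22, the port 80 rule, and the port 443 rule for the single host. The removed rule did not change what traffic is allowed, which is the point of the normalization: the union of allow rules is unchanged, the group is just smaller.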

    See also

    AWS EC2 User Guide

    Amazon Virtual Private Cloud User Guide