Chapter 4. Security, Storage, Networking, and Lots More!

In the previous chapter, you learned a lot about EC2 and its images and instances. We were able to launch our first instance in AWS, connect to it, and even configure it as per our requirements.

In this chapter, we will be continuing where we left off and will cover some of the remaining EC2 concepts, such as security groups, networking, and a bit about volumes as well. We will also be looking at a few easy steps using which you can create and publish your very own AMIs. So stick around, we are just getting started!

An overview of security groups

We talked briefly about security groups in the previous chapter, but in this section, we will be looking at them in a bit more detail. Security Groups are a simple yet powerful way to secure your entire EC2 environment. You can use Security Groups to restrict and filter both the ingress and egress traffic of an instance using a set of firewall rules. Each rule can allow traffic based on a particular protocol (TCP or UDP), a particular port (such as 22 for SSH), or even individual source and destination IP addresses. This provides you with a lot of control and flexibility when designing a secure environment for your instances to run in.

Let's look at how you can edit an existing Security Group using the EC2 dashboard.

From the EC2 dashboard, select the Security Groups option located under the Network & Security section as shown here:

[Screenshot: An overview of security groups]

This will display a list of the Security Groups currently created and in use in your EC2 environment. Each Security Group is provided with a unique identifier called the Group ID and a Group Name. You will also notice the presence of the default Security Group, as shown in the following screenshot. This default Security Group is created by AWS when you first sign up for the EC2 service. If you do not specify a Security Group during the instance launch phase, AWS assigns this default Security Group to the instance.

The default Security Group has no ingress (inbound) traffic rules set; there is only one egress (outbound) rule, which allows your instances to connect to the outside world using any port and any protocol. You can add, delete, and modify any rules in this group; however, you cannot delete the default Security Group itself. As a good practice, avoid using the default Security Group. Instead, create separate, customized Security Groups based on your application's needs and always keep the rules as minimal as possible. The option for creating a new Security Group is shown here:

[Screenshot: An overview of security groups]

Let's go ahead and see how you can edit Security Groups and modify an already configured firewall rule.

Note

You can modify the firewall rules of your Security Groups any time, even when your instance is running.

From the dashboard, select a particular Security Group you wish to modify. Next, from the Actions drop-down list, select the option Edit inbound rules, as shown:

[Screenshot: An overview of security groups]

As discussed earlier, each firewall rule comprises four fields. The first field is the Type field, which specifies the type of application for which you need to allow access. AWS already provides a list of common application types to choose from, which includes SSH, RDP, HTTP, HTTPS, POP3, IMAP, MySQL, SMTP, and so on. You can additionally create custom TCP/UDP application types using this same drop-down list. For now, we will use the SSH and HTTP types, as shown here:

[Screenshot: An overview of security groups]

An important thing to note here is that selecting one of these preconfigured application types autofills the next two fields (protocol and port) as well. Thus, if you wish to specify a different port for, say, SSH or HTTP, you are better off selecting Custom TCP Rule as the application type, as discussed earlier. Next up is the Source field, where you can specify any of these three options:

  • Anywhere: Using this option as the source, your particular application port will be accessible from any and all networks out there (0.0.0.0/0). This is not a recommended configuration for any production environment and should be avoided at all times.
  • My IP: As the name suggests, AWS will try to autofill the public IP address of your local computer here. The only thing you need to be aware of is that your computer's IP address should not be a dynamically assigned (DHCP) one, as you may not be able to connect to your application if your local computer's IP address keeps changing.
  • Custom IP: Perhaps the most preferable of the three options, the Custom IP option allows you to specify your own source IP address or IP range as per your requirements. For example, you can allow access to the particular application only from traffic originating in the 203.20.31.0/24 CIDR range. You can even add other Security Group IDs here as the source.

Additionally, you can even add new rules to an existing Security Group by selecting the Add Rule button, and delete existing rules by selecting the Delete Rule icon (X). Just remember to save your Security Group settings by selecting the Save option before you close the pop-up box. Feel free to take a look at a Security Group's outbound rules as well. All you have to do is select a particular Security Group from the EC2 dashboard, and from the Actions tab, select the Edit outbound rules option. You should see the default allow all access outbound rule, as shown here:

[Screenshot: An overview of security groups]

You can even create new Security Groups using the Create Security Group option provided on the EC2 dashboard. Selecting this option will provide you with a simple interface using which you can create and populate a Security Group with both inbound and outbound rules.

Provide a suitable Security group name and Description for your new Security Group. Ideally, as a good practice, always name your Security Groups using some meaningful conventions that can help you identify their purpose. Next up, select the default VPC subnet from the VPC drop-down list. You can create up to 100 Security Groups in a VPC, with each Security Group having up to fifty firewall rules.

Fill in your inbound and outbound rules, and click on Create once done:

[Screenshot: An overview of security groups]

You can then assign this new Security Group to your instances either during the launch phase or by selecting an existing instance from the EC2 dashboard and changing its Security Group under the Change Security Groups option.

Feel free to create more such Security Groups in your EC2 account. Make sure you follow the least privilege approach and allow traffic only for the required set of ports and application services and nothing more.
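The least privilege check described in this section can be automated. The following is an added example, not code from the book or from AWS: it audits Security Group ingress rules in the JSON shape returned by `aws ec2 describe-security-groups` and flags every rule whose Source is effectively "Anywhere" (0.0.0.0/0 or ::/0). The sample groups, the `sg-…` IDs and the choice of 80/443 as "acceptable public ports" are constructed assumptions.

```python
"""Least-privilege audit of EC2 Security Group ingress rules (added example).
Walks the JSON shape of `aws ec2 describe-security-groups` (IpPermissions ->
IpRanges / Ipv6Ranges / UserIdGroupPairs) and flags rules whose Source is
"Anywhere" (0.0.0.0/0 or ::/0). The sample data below is constructed."""
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS = {80, 443}   # ports usually meant to face the Internet (assumption)


def _port_range(perm: Dict) -> str:
    if perm["IpProtocol"] == "-1":            # -1 = all protocols and all ports
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_security_group(sg: Dict) -> List[Dict]:
    """Return one finding per (rule, CIDR) pair that is open to the whole world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        # UserIdGroupPairs (source = another Security Group) can never be "Anywhere".
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in ANYWHERE:
                continue                      # Custom IP / My IP: acceptable
            ports = _port_range(perm)
            # One well-known web port open to all: low. SSH, RDP, MySQL or
            # "all traffic" open to all: high.
            public = ports.isdigit() and int(ports) in PUBLIC_PORTS
            findings.append({"group": sg["GroupId"], "protocol": perm["IpProtocol"],
                             "ports": ports, "source": cidr,
                             "severity": "low" if public else "high"})
    return findings


# Constructed sample groups in the describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.20.31.0/24"}]}]},
    {"GroupId": "sg-0bbb222", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]

if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        for f in audit_security_group(sg):
            print(f"{f['severity']:4} {f['group']} {f['protocol']}/{f['ports']} from {f['source']}")
```

Pointed at real data (`aws ec2 describe-security-groups --output json`, read into `SAMPLE_GROUPS` from the `SecurityGroups` key), the same function reports which groups still rely on the Anywhere source instead of a Custom IP range or another Security Group ID.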
