Create a Security Group for Public network
This exercise uses the AWS Console to create a security group that allows inbound HTTP and HTTPS to EC2 instances in a public network.
Note: This is for testing purposes only. Normally we would place an application firewall in front of the web servers, and possibly load balancers, plus monitoring and notification services, but hey, we are just creating a test (not production), right!!
Security group for an EC2 instance hosting a Website
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the left side navigation pane, choose Security Groups.
- Choose Create security group.
- Enter a name for the security group (for example, Web Services), and then provide a description (allows http & https inbound).
- From VPC, select the ID of your VPC.
- (Optional) Add or remove a tag. To add a tag, choose Add new tag and do the following:
- For Key, enter “Name”.
- For Value, enter “Web Services”
- Click Add rule.
- Under Type, click the down arrow and scroll to select “HTTP”.
- Under Source, click the down arrow and choose “My IP”.
Note: You can choose the default 0.0.0.0/0 if you want to leave the inbound connection OPEN to the world. I recommend using “My IP”, which limits the inbound connection to only your network’s public IP address.
- Click Add rule (again).
- Under Type, click the down arrow and scroll to select “HTTPS”.
- Under Source, click the down arrow and choose “My IP”.
- Scroll down and click the button Create Security Group.
Create a Security group to allow SSH
This exercise uses the AWS Console to create a security group that allows inbound SSH.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the left side navigation pane, choose Security Groups.
- Choose Create security group.
- Enter a name for the security group (for example, Web Services), and then provide a description (allows http & https inbound).
- From VPC, select the ID of your VPC.
- (Optional) Add or remove a tag. To add a tag, choose Add new tag and do the following:
- For Key, enter “Name”.
- For Value, enter “SSH”
- Click Add rule.
- Under Type, click the down arrow and scroll to select “SSH”.
- Under Source, click the down arrow and choose “My IP”.
Note: You can choose the default 0.0.0.0/0 if you want to leave the inbound connection OPEN to the world. I recommend using “My IP”, which limits the inbound connection to only your network’s public IP address.
- Click the button Create security group.
To create a security group using the command line
- create-security-group (AWS CLI)
- New-EC2SecurityGroup (AWS Tools for Windows PowerShell)
To describe one or more security groups using the command line
- describe-security-groups (AWS CLI)
- Get-EC2SecurityGroup (AWS Tools for Windows PowerShell)
By default, a new security group starts with only an outbound rule that allows all outbound traffic, and no inbound rules, so all inbound traffic is denied. You must add rules to allow any inbound traffic or to restrict the outbound traffic.
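The console exercise above adds HTTP and HTTPS from “My IP”. The following is an added example (not from the original page or from AWS) that builds the same two rules in the JSON shape that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts, refusing anything that is not a single public address so the rule cannot silently become 0.0.0.0/0. It goes slightly beyond the exercise by handling an IPv6 “My IP” as well. The public IP (a TEST-NET-3 documentation address) and the group id are constructed placeholders; the rendered command is printed, not executed.

```python
"""Build the inbound rules for the "Web Services" group in the exact shape that
`aws ec2 authorize-security-group-ingress --ip-permissions` accepts.
Added example; the group id and the public IP used below are constructed placeholders."""
import ipaddress
import json
import shlex

# The console's "My IP" is always one address; these are the things a pasted
# value must not be if the intent is "only my network's public address".
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def my_ip_cidr(public_ip: str) -> str:
    """Turn a single public address into a host CIDR (/32 for IPv4, /128 for IPv6).

    A CIDR such as '0.0.0.0/0', a private or loopback address, or junk raises
    ValueError, so the caller cannot open the rule to the world by accident."""
    addr = ipaddress.ip_address(public_ip)  # ValueError for anything that is not one address
    if (addr.is_loopback or addr.is_unspecified or addr.is_multicast
            or any(addr in n for n in _RFC1918)):
        raise ValueError(f"{public_ip} is not a routable public address")
    return f"{addr}/{addr.max_prefixlen}"


def tcp_rule(port: int, cidr: str, description: str) -> dict:
    """One IpPermission entry: a single TCP port from a single CIDR."""
    if ipaddress.ip_network(cidr).version == 6:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": cidr, "Description": description}]}
    else:
        ranges = {"IpRanges": [{"CidrIp": cidr, "Description": description}]}
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **ranges}


def web_services_rules(public_ip: str) -> list:
    """The two rules the console exercise adds: HTTP and HTTPS from 'My IP'."""
    cidr = my_ip_cidr(public_ip)
    return [tcp_rule(80, cidr, "HTTP from my IP"), tcp_rule(443, cidr, "HTTPS from my IP")]


def authorize_command(group_id: str, rules: list) -> str:
    """Render (do not run) the CLI call that applies the rules to an existing group."""
    return ("aws ec2 authorize-security-group-ingress "
            f"--group-id {shlex.quote(group_id)} "
            f"--ip-permissions {shlex.quote(json.dumps(rules))}")


if __name__ == "__main__":
    # 203.0.113.7 is a documentation (TEST-NET-3) address standing in for your real public IP;
    # sg-0123456789abcdef0 is a placeholder group id, not a real resource.
    rules = web_services_rules("203.0.113.7")
    print(json.dumps(rules, indent=2))
    print(authorize_command("sg-0123456789abcdef0", rules))
```

Create the group first with `create-security-group` (it returns the `GroupId`), then feed that id and the rendered rules to the command; `describe-security-groups` afterwards shows the same `IpPermissions` structure back, which is what the audit in the next section reads.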
Adding, removing, and updating rules
When you add or remove a rule, any instances already assigned to the security group are subject to the change.
If you have a VPC peering connection, you can reference security groups from the peer VPC as the source or destination in your security group rules. For more information, see Updating your security groups to reference peer VPC security groups in the Amazon VPC Peering Guide.
To add a rule using the console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups.
- Select the security group to update.
- Choose Actions, Edit inbound rules or Actions, Edit outbound rules.
- Choose Add rule. For Type, select the traffic type, and then specify the source (inbound rules) or destination (outbound rules). For example, for a public web server, choose HTTP or HTTPS and specify 0.0.0.0/0 as the Source. If you use 0.0.0.0/0, you allow all IPv4 addresses to access your instance using HTTP or HTTPS. To restrict access, enter a specific IP address or range of addresses.
- You can also allow communication between all instances that are associated with this security group. Create an inbound rule with the following options:
- Type: All Traffic
- Source: Enter the ID of the security group.
- Choose Save rules.
To delete a rule using the console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups.
- Select the security group to update.
- Choose Actions, Edit inbound rules or Actions, Edit outbound rules.
- Choose Delete for the rule that you want to delete.
- Choose Save rules.
When you modify the protocol, port range, or source or destination of an existing security group rule using the console, the console deletes the existing rule and adds a new one for you.
To update a rule using the console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups.
- Select the security group to update.
- Choose Actions, Edit inbound rules or Actions, Edit outbound rules.
- Modify the rule entry as required.
- Choose Save rules.
If you are updating the protocol, port range, or source or destination of an existing rule using the Amazon EC2 API or a command line tool, you cannot modify the rule. Instead, you must delete the existing rule and add a new rule. To update the rule description only, you can use the update-security-group-rule-descriptions-ingress and update-security-group-rule-descriptions-egress commands.
To add a rule to a security group using the command line
- authorize-security-group-ingress and authorize-security-group-egress (AWS CLI)
- Grant-EC2SecurityGroupIngress and Grant-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
To delete a rule from a security group using the command line
- revoke-security-group-ingress and revoke-security-group-egress(AWS CLI)
- Revoke-EC2SecurityGroupIngress and Revoke-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
To update the description for a security group rule using the command line
- update-security-group-rule-descriptions-ingress and update-security-group-rule-descriptions-egress (AWS CLI)
- Update-EC2SecurityGroupRuleIngressDescription and Update-EC2SecurityGroupRuleEgressDescription (AWS Tools for Windows PowerShell)
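The “Add a rule” section notes that 0.0.0.0/0 opens a rule to every IPv4 address, and the command-line section above explains that a rule is changed by revoking it and authorizing a replacement. The following added example (not part of the original page or of the AWS CLI) is the check a practitioner would run after either procedure: it reads the JSON that `aws ec2 describe-security-groups --output json` returns, reports every inbound rule reachable from 0.0.0.0/0 or ::/0 on anything other than the web ports (80 and 443), ignores group-id sources such as the self-referencing “All Traffic” rule, and renders the `revoke-security-group-ingress` call that removes only the world-open part of each offending rule. The sample output, group ids and account id are constructed, not captured from a real account.

```python
"""Audit describe-security-groups output for rules open to the world.
Added example; SAMPLE_DESCRIBE_OUTPUT is constructed and its ids are placeholders."""
import json
import shlex

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "Web Services",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "HTTP from my IP"}]},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS public"}]}]},
  {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "SSH",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0ccccccccccccccc3", "GroupName": "app-tier",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "UserIdGroupPairs": [{"GroupId": "sg-0ccccccccccccccc3", "UserId": "123456789012"}]}]},
  {"GroupId": "sg-0ddddddddddddddd4", "GroupName": "default",
   "IpPermissions": [
     {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")


def port_span(perm: dict) -> tuple:
    """Ports a permission covers. IpProtocol "-1" is the console's "All Traffic"
    and carries no FromPort/ToPort, so it spans every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_sources(perm: dict) -> list:
    """CIDR sources that mean 'anyone on the internet'. Group-id sources
    (UserIdGroupPairs, e.g. the self-referencing rule) are never world-open."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return v4 + v6


def audit_world_open(describe_output: dict, allowed_public_ports=frozenset({80, 443})) -> list:
    """One finding per inbound rule reachable from 0.0.0.0/0 or ::/0 on any
    port outside allowed_public_ports (HTTP/HTTPS by default)."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = world_sources(perm)
            if not sources:
                continue
            low, high = port_span(perm)
            if not set(range(low, high + 1)) - allowed_public_ports:
                continue  # world-open, but only on ports a public web server is meant to expose
            findings.append({"GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                             "IpProtocol": perm.get("IpProtocol"),
                             "FromPort": low, "ToPort": high, "Sources": sources})
    return findings


def revoke_command(finding: dict) -> str:
    """Render the CLI call that removes only the world-open sources of the rule;
    other sources on the same rule (e.g. 'My IP') are left untouched."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    v4 = [s for s in finding["Sources"] if ":" not in s]
    v6 = [s for s in finding["Sources"] if ":" in s]
    if v4:
        perm["IpRanges"] = [{"CidrIp": s} for s in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": s} for s in v6]
    return ("aws ec2 revoke-security-group-ingress "
            f"--group-id {shlex.quote(finding['GroupId'])} "
            f"--ip-permissions {shlex.quote(json.dumps([perm]))}")


if __name__ == "__main__":
    for finding in audit_world_open(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{finding['GroupName']} ({finding['GroupId']}): {finding['IpProtocol']} "
              f"{finding['FromPort']}-{finding['ToPort']} from {finding['Sources']}")
        print("  fix:", revoke_command(finding))
```

To run it against a real account, pipe `aws ec2 describe-security-groups --output json` into `json.load` in place of the constructed sample; after revoking, re-authorize the rule with a “My IP” CIDR as in the earlier example, which is exactly the delete-then-add sequence the text describes for command-line updates.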
Changing an instance’s security groups
After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state.
Note: This procedure changes the security groups that are associated with the primary network interface (eth0) of the instance. To change the security groups for other network interfaces, see Changing the security group.
To change the security groups for an instance using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Instances.
- Select the checkbox for the instance. The Security tab lists the security groups that are currently associated with the instance.
- To change the security groups that are associated with the instance, choose Actions, Security, Change security groups.
- For Associated security groups, select a security group from the list, and then choose Add security group. To remove an already associated security group, choose Remove for that security group.
- Choose Save.
To change the security groups for an instance using the command line
- modify-instance-attribute (AWS CLI)
- Edit-EC2InstanceAttribute (AWS Tools for Windows PowerShell)
Deleting a security group
You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an instance’s security groups). You can’t delete a default security group.
If you’re using the console, you can delete more than one security group at a time. If you’re using the command line or the API, you can only delete one security group at a time.
To delete a security group using the console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups.
- Select one or more security groups and choose Security Group Actions, Delete Security Group.
- In the Delete Security Group dialog box, choose Yes, Delete.
To delete a security group using the command line
- delete-security-group (AWS CLI)
- Remove-EC2SecurityGroup (AWS Tools for Windows PowerShell)
Deleting the 2009-07-15-default security group
Any VPC created using an API version older than 2011-01-01 has the 2009-07-15-default security group. This security group exists in addition to the regular default security group that comes with every VPC. You can’t attach an internet gateway to a VPC that has the 2009-07-15-default security group. Therefore, you must delete this security group before you can attach an internet gateway to the VPC.
Note: If you assigned this security group to any instances, you must assign these instances a different security group before you can delete the security group.
To delete the 2009-07-15-default security group
- Ensure that this security group is not assigned to any instances.
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Network Interfaces.
- Select the network interface for the instance from the list, and choose Change Security Groups, Actions.
- In the Change Security Groups dialog box, select a new security group from the list, and choose Save. When changing an instance’s security group, you can select multiple groups from the list. The security groups that you select replace the current security groups for the instance.
- Repeat the preceding steps for each instance.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups.
- Choose the 2009-07-15-default security group, and then choose Security Group Actions, Delete Security Group.
- In the Delete Security Group dialog box, choose Yes, Delete.