AWS Security Groups

What is AWS Security Group?  

AWS Security Group Best Practice  

AWS Security Groups FAQ  

Does adding security group to AWS ElastiCache cluster create downtime?  

No. Adding security group to AWS ElastiCache cluster should not create any downtime

What is the acronym for AWS security groups?  

AWS Security Group usually abbreviated as SG

Does AWS Network Load Balancer (NLB) Support Security Group?  

At the time of this writing (September 2020) NLB doesn’t support security group.

Are security groups specific to regions in AWS?  

Yes. AWS security groups is region specific

Do I need to restart my instance after security group change?  

No. You don’t need to restart your instance after security group change. Please note that if you remove rules the existing connection will not be dropped instantly since security group is stateful.

Does AWS security group allow CIDR notation?  

Yes, you can use CIDR notation in ingress or egress. For example to allow egress to google DNS you can use 8.8.8.8/32

How to configure an AWS security group to accept public ping requests?  

What security group rules does AWS need for SSL/TLS?  

Does AWS charge for security groups?  

No. AWS security groups is free

Can you change security group name AWS?  

No. To change security group name, you have to create new security group with the same ingress and egress rules and swap the existing security group with the new one.

How to allow django to connect AWS RDS security group?  

How long does it take to apply security groups on AWS?  

Security group application usually done instantly. But this will also depend on your internet quality when calling AWS API.  

Should AWS security groups be in the same CloudFormation stack?  

How to visualize AWS security groups?  

Does AWS security group allow ICMP traffic?  

It does not allow ICMP traffic by default but you can allow ICMP traffic in security group rules.

Can we remove security group created in AWS?  

Yes. As far as it is not being referenced by another security group.

How to add localhost to AWS security group  

If you directly call loopback address it will not go through security group so you don’t have to add ingress rules for localhost / loopback.

If the application need to call itself but from network address, for example in MongoDB replication set, you need to allow the security group itself on the ingress and/or egress rules.

How is subnet related to security group in AWS?  

Not directly related. You can allow specific subnet as source / destination IP range on your security group.

Security Groups is unique per VPC so you can use any security groups in any subnets.

Does AWS security groups affect loopback?  

No. Network call to loopback is not going through security groups

Where is AWS cache security group?  

You can see AWS cache / Amazon ElastiCache security groups in ec2 -> Security Groups or VPC -> Security Groups.

Will AWS charge for default security group?  

No. Default security group is free

Can I put an AWS S3 bucket behind a security group?  

No. You cannot put AWS S3 bucket behind a security group. If you need to allow specific IP from AWS S3 bucket you can use S3 bucket policy.

Can I put an AWS S3 bucket static site behind a security group?  

No. You cannot put AWS S3 bucket for static site behind a security group.

What should my default VPC security group look like in AWS?  

In ideal condition it should be empty. No ingress and/or egress. The reason is that this security group will be attached to resource that have no security group info on creation.

If you need to have shared default security group. Create new “default” security group that contain minimalist rules as necessary.

Can I have 2 security groups with the same name AWS?  

Yes, but it has to be on a different VPC.

Can I use IPv6 in AWS security groups?  

Yes. You can use IPv6 in AWS security group rules both ingress and egress

Can you modify security groups on a running instance AWS?  

Yes. You can modify security group rules on a running instance. You can also attach or detach security group from an instance.

Are you charged for having key pair and security groups AWS  

No. Both is free

How to set up AWS ElasticSearch security groups?  

You can refer to AWS ElasticSearch security group reference

Do you have to make a security group for each AWS region  

Security group is a regional resource, so if you need to attach security group with the same rules on different region you have to create new security group on each region.

Does a security group work across VPC in AWS?  

The security group itself is specific per VPC but you can reference security group across VPC if both VPCs are connected via peering.

Do we need to restart AWS instance after creating security groups to make effect?  

No. You don’t have to restart AWS instance to make effect of security group change.

Do I need a security group for the AWS load balancer?  

Yes. You have to attach at least 1 security group in ELB (Classic Load Balancer) and ALB (Application Load Balancer)

What private IP CIDR to add to security group in AWS?  

If you want to allow AWS resource

What is the difference between key pairs and security groups in AWS?  

Key pairs is used to connect to EC2 instance via SSH, or to decrypt Windows instance password.

Security groups is used as network firewall in EC2 instance, ELB / ALB, Lambda, RDS, ElastiCache, ElasticSearch and other services that support security groups.

We can set which IP / IP range and/or which resource that can access the resource via network on specific port.

Do AWS security groups do application inspection?  

No. Security group doesn’t do application inspection

Do I need outbound rules in my AWS security group?  

Is AWS security groups free?  

Yes. AWS security groups is free

Is AWS security group considered services?  

No. It’s part of EC2 service.

Does AWS security group tie to a VPC?  

Yes. AWS security group is tied to a VPC.

Do you need a security group on nat gateway interface AWS?  

No. You don’t need security group on NAT gateway.

How many AWS security groups can we attach per EC2 instance?  

The default is 5. Max is 16 (you have to request to AWS support to get this limit increased)

Does AWS internet gateway have a security group?  

No. Internet gateway doesn’t have security groups.

How do I whitelist a single IP in AWS security group?  

You can use /32 to whitelist single IP address.

How to create an AWS security group using that security group as the source?  

1. Create the security group.
2. Add new rule with source the security group ID (sg-12346) of the security group that just created.

Can you only allow traffic from load balancer in AWS security group?  

Yes you can. Create new rule on the security group attached to the app instance. Create new ingress rules with port of application port and source is the security group id of the load balancer.

How to create AWS security group for IIS hosting?  

For the IIS itself, most likely you need to allow:

1. Ingress TCP port 80 from specific IP (or from all address – 0.0.0.0/0)
2. Ingress TCP port 443 (SSL/TLS) from specific IP (or from all address – 0.0.0.0/0)

What is the CIDR we give for a all traffic security group in AWS?  

You can use CIDR 0.0.0.0/0 to allow all traffic. You can use this CIDR for ingress and or egress rules.

Should you use the default security group AWS?  

No. It’s a security best practice not to use default security group. Ensure you also the ingress and egress rules for default security group is empty.

How to enable telnet AWS security group?  

You can allow telnet ingress by creating an ingress rule with the following details: Type: Custom TCP Protocol: TCP Port range: 23 Source: (your IP / Security group ID)

Traffic going through the telnet is not encrypted. Please avoid using telnet to connect to a server.

Further References  

Readings  

Videos  

Podcast Episodes