Using Network Security

Amazon Elastic Compute Cloud: 2009-07-15

previous page next page

Using Network Security

Topics

API Overview
  • Creating a Security Group
  • Describing Security Groups
  • Adding a Security Group Rule
  • Delete a Security Group Rule
  • Delete a Security Group
  • Example

    • This section describes how to use Amazon EC2 network security.

    [Note] Note

    In addition to these examples, you can maintain your own firewall on any of your instances. This can be useful if you have specific requirements not met by the Amazon EC2 distributed firewall.

    API Overview

    This section provides a brief overview of each operation.

    • CreateSecurityGroup—Creates a new security group for use with your account.

    • DescribeSecurityGroups—Returns information about security groups associated with your account.

    • DeleteSecurityGroup—Deletes security groups associated with your account.

    • AuthorizeSecurityGroupIngress—Adds permissions to a security group.

    • RevokeSecurityGroupIngress—Revokes permissions from a security group.

    Creating a Security Group

    This section describes how to create a security group.

    Procedure

    To create a security group

    1. If you are using SOAP, construct the following request:

      <CreateSecurityGroup xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
    <groupName>security-group-name</groupName>
    <groupDescription>security-group-description</groupDescription>
</CreateSecurityGroup>

    2. If you are using Query, construct the following request:

      https://ec2.amazonaws.com/
?Action==CreateSecurityGroup
&GroupName=security-group-name
&GroupDescription=security-group-description
&...auth parameters...

    3. View output similar to the following: 

      <CreateSecurityGroupResponse xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
  <return>true</return>
</CreateSecurityGroupResponse>

    Describing Security Groups

    This section describes how to view currently configured security groups.

    Procedure

    To view security groups

    1. If you are using SOAP, construct the following request:

      <DescribeSecurityGroups xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
  <securityGroupSet>
    <item>
      <groupName>security-group-name</groupName>
    </item>
 </securityGroupSet>
</DescribeSecurityGroups>

    2. If you are using Query, construct the following request:

      https://ec2.amazonaws.com/
?Action=DescribeSecurityGroups
&GroupName.1=security-group-name
&...auth parameters...

    3. View output similar to the following: 

      <DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
  <securityGroupInfo>
    <item>
      <ownerId>UYY3TLBUXIEON5NQVUUX6OMPWBZIQNFM</ownerId>
      <groupName>WebServers</groupName>
      <groupDescription>Web</groupDescription>
      <ipPermissions>
        <item>
  	  <ipProtocol>tcp</ipProtocol>
	  <fromPort>80</fromPort>
	  <toPort>80</toPort>
	  <groups/>
	  <ipRanges>
	    <item>
	      <cidrIp>0.0.0.0/0</cidrIp>
	    </item>
	  </ipRanges>
         </item>
      </ipPermissions>
    </item>
  </securityGroupInfo>
</DescribeSecurityGroupsResponse>

    Adding a Security Group Rule

    This section describes how to add a rule to a security group.

    Procedure

    To add a rule to a security group

    1. If you are using SOAP, construct a request similar to the following:

      <AuthorizeSecurityGroupIngress xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
    <userId/>
    <groupName>WebServers</groupName>
    <ipPermissions>
        <item>
            <ipProtocol>tcp</ipProtocol>
            <fromPort>80</fromPort>
            <toPort>80</toPort>
            <groups/>
            <ipRanges>
                <item>
                    <cidrIp>0.0.0.0/0</cidrIp>
                </item>
            </ipRanges>
        </item>
    </ipPermissions>
</AuthorizeSecurityGroupIngress>

    2. If you are using Query, construct a request similar to the following:

      https://ec2.amazonaws.com/
?Action=AuthorizeSecurityGroupIngress
&IpProtocol=tcp
&FromPort=80
&ToPort=80
&CidrIp=0.0.0.0/0
&...auth parameters...

    3. View output similar to the following: 

      <AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
  <return>true</return>
</AuthorizeSecurityGroupIngressResponse>

    Delete a Security Group Rule

    This section describes how to delete a security group rule.

    Procedure

    To delete a security group rule

    1. If you are using SOAP, construct a request similar to the following:

      <RevokeSecurityGroupIngress xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
    <userId/>
    <groupName>RangedPortsBySource</groupName>
    <ipPermissions>
        <item>
            <ipProtocol>tcp</ipProtocol>
            <fromPort>6000</fromPort>
            <toPort>7000</toPort>
            <groups/>
            <ipRanges/>
        </item>
    </ipPermissions>
</RevokeSecurityGroupIngress>

    2. If you are using Query, construct a request similar to the following:

      https://ec2.amazonaws.com/
?Action=RevokeSecurityGroupIngress
&IpProtocol=tcp
&FromPort=80
&ToPort=80
&CidrIp=0.0.0.0/0
&...auth parameters...

    3. View output similar to the following: 

      <RevokeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
  <return>true</return>
</RevokeSecurityGroupIngressResponse>

    Delete a Security Group

    This section describes how to delete a security group.

    Procedure

    To delete a security group

    1. If you are using SOAP, construct the following request:

      <DeleteSecurityGroup xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
    <groupName>security-group-name</groupName>
</DeleteSecurityGroup>

    2. If you are using Query, construct the following request:

      https://ec2.amazonaws.com/
?Action=DeleteSecurityGroup
&GroupName=security-group-name
&...auth parameters...

    3. View output similar to the following: 

      <DeleteSecurityGroupResponse xmlns="http://ec2.amazonaws.com/doc/2009-07-15/">
  <return>true</return>
</DeleteSecurityGroupResponse>

    Example

    This section provides examples of configuring security groups using the command line tools.

    Modifying the Default Group

    This example shows Albert modifying the default group to meet his security needs.

    Albert Modifies the Default Group

    1

    Albert launches a copy of his favorite public AMI. 

    PROMPT> ec2-run-instances ami-eca54085
RESERVATION r-a034c7c9 924417782495 default
INSTANCE i-cfd732a6 ami-eca54085 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c

    2

    After a little wait for image launch to complete. Albert, who is a cautious type, checks the access rules of the default group. 

    PROMPT> ec2-describe-group default
GROUP   598916040194    default default group
PERMISSION  default  ALLOWS  all   FROM   USER   598916040194   GRPNAME default

    Albert notices that it only accepts ingress network connections from other members of the default group for all protocols and ports.

    3

    Albert, being paranoid as well as cautious, uses the Linux and UNIX nmap command to port scan his instance. 

    $ nmap -P0 -p1-100 ec2-67-202-51-105.compute-1.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
All 100 scanned ports on ec2-67-202-51-105.compute-1.amazonaws.com  (67.202.51.105) are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

    4

    Albert decides he should be able to SSH into his instance, but only from his own machine. 

    PROMPT> ec2-authorize default -P tcp -p 22 -s 126.52.1.130/32
GROUP   default
PERMISSION   default ALLOWS  tcp  22  22  FROM  CIDR  126.52.1.130/32

    5

    Albert repeats the Linux and UNIX nmap port scan. 

    $ nmap -P0 -p1-100 ec2-67-202-51-105.compute-1.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST
Interesting ports on ec2-67-202-51-105.compute-1.amazonaws.com  (67.202.51.105):
(The 99 ports scanned but not shown are in state: filtered)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds

    Albert is happy (or at least less paranoid).

    Creating a Three-Tier Web Service

    Mary wants to deploy her public, failure resilient, three-tier web service (web, application, and database servers) in Amazon EC2. Her grand plan is to have her web tier start off executing in seven instances of ami-fba54092, her application tier executing in twenty instances of ami-e3a5408a,and her multi-master database in two instances of ami-f1a54098. She's concerned about the security of her subscriber database, so she wants to restrict network access to her middle and back tier machines. When the traffic to her site increases over the holiday shopping period, she adds additional instances to her web and application tiers to handle the extra load.

    Launch Process

    1

    First, Mary creates a group for her Apache web server instances and allows HTTP access to the world. 

    PROMPT> ec2-add-group apache -d "Mary's Apache group"
GROUP   apache  Mary's Apache group

PROMPT> ec2-describe-group apache
GROUP   598916040194    apache  Mary's Apache group

PROMPT> ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0
GROUP   apache
PERMISSION   apache  ALLOWS  tcp   80    80    FROM    CIDR    0.0.0.0/0

PROMPT> ec2-describe-group apache
GROUP   598916040194    apache  Mary's Apache group
PERMISSION   598916040194   apache  ALLOWS  tcp   80   80   FROM   CIDR   0.0.0.0/0

    2

    Mary launches seven instances of her web server AMI as members of the apache group. 

    PROMPT> ec2run ami-fba54092 -n 7 -g apache
RESERVATION r-0592776c 598916040194 default
INSTANCE i-cfd732a6 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c
INSTANCE i-cfd732a7 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c
INSTANCE i-cfd732a8 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c
INSTANCE i-cfd732a9 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c
INSTANCE i-cfd732aa ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c
INSTANCE i-cfd732ab ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c
INSTANCE i-cfd732ac ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000  us-east-1c


PROMPT> ec2din i-cfd732a6
RESERVATION     r-0592776c      598916040194
INSTANCE        i-cfd732a6      ami-fba54092       ec2-67-202-51-245.compute-1.amazonaws.com       running 0
m1.small 2007-07-11T16:40:44+0000

    3

    Being as paranoid as Albert, Mary uses the Linux and UNIX nmap command to confirm the permissions she just configured. 

    $ nmap -P0 -p1-100 ec2-67-202-51-245.compute-1.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST
Interesting ports on ec2-67-202-51-245.compute-1.amazonaws.com  (67.202.51.245):
(The 99 ports scanned but not shown are in state: filtered)
PORT   STATE SERVICE
80/tcp open  http

Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds

    4

    Mary verifies her web server can be reached. 

    $ telnet ec2-67-202-51-245.compute-1.amazonaws.com  80
Trying 67.202.51.245...
Connected to ec2-67-202-51-245.compute-1.amazonaws.com  (67.202.51.245).
Escape character is '^]'.

    Mary can reach her web server.

    5

    Mary creates a separate group for her application server. 

    PROMPT> ec2-add-group appserver -d "Mary's app server"
GROUP   appserver       Mary's app server

    6

    Mary starts twenty instances as members of appserver group. 

    PROMPT> ec2run ami-e3a5408a -n 20 -g appserver

    7

    Mary grants network access between her web server group and the application server group. 

    PROMPT> ec2-authorize appserver -o apache -u AIDADH4IGTRXXKCD
GROUP   appserver
PERMISSION   appserver  ALLOWS  all   FROM   USER   AIDADH4IGTRXXKCD   GRPNAME apache

    8

    Mary verifies access to her app server is restricted by port scanning one of the application servers using the Linux and UNIX nmap command. 

    $ nmap -P0 -p1-100 ec2-67-202-51-162.compute-1.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
All 100 scanned ports on ec2-67-202-51-162.compute-1.amazonaws.com  (67.202.51.162) are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

    9

    Mary confirms that her web servers have access to her application servers.

    1. She (temporarily) grants SSH access from her workstation to the web server group: 

      PROMPT> ec2-authorize apache -P tcp -p 22 -s 126.52.1.130/32

    2. She logs in to one of her web servers and connects to an application server on TCP port 8080. 

      $ telnet ec2-67-202-51-162.compute-1.amazonaws.com  8080
Trying 67.202.51.162...
Connected to ec2-67-202-51-162.compute-1.amazonaws.com (67.202.51.162).
Escape character is '^]'

    3. Satisfied with the setup, she revokes SSH access to the web server group. 

      PROMPT> ec2-revoke apache -P tcp -p 22 -s 126.52.1.130/32

    10

    Mary repeats these steps to create the database server group and to grant access between the application server and database server groups.


    previous page start next page