Using Network Security
Topics
This section describes how to use Amazon EC2 network security.
Note | |
---|---|
In addition to these examples, you can maintain your own firewall on any of your instances. This can be useful if you have specific requirements not met by the Amazon EC2 distributed firewall. |
API Overview
This section provides a brief overview of each operation.
-
CreateSecurityGroup—Creates a new security group for use with your account.
-
DescribeSecurityGroups—Returns information about security groups associated with your account.
-
DeleteSecurityGroup—Deletes security groups associated with your account.
-
AuthorizeSecurityGroupIngress—Adds permissions to a security group.
-
RevokeSecurityGroupIngress—Revokes permissions from a security group.
Creating a Security Group
This section describes how to create a security group.
Procedure
To create a security group
-
If you are using SOAP, construct the following request:
<CreateSecurityGroup xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <groupName>
security-group-name
</groupName> <groupDescription>security-group-description
</groupDescription> </CreateSecurityGroup> -
If you are using Query, construct the following request:
https://ec2.amazonaws.com/ ?Action==CreateSecurityGroup &GroupName=
security-group-name
&GroupDescription=security-group-description
&...auth parameters... -
View output similar to the following:
<CreateSecurityGroupResponse xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <return>true</return> </CreateSecurityGroupResponse>
Describing Security Groups
This section describes how to view currently configured security groups.
Procedure
To view security groups
-
If you are using SOAP, construct the following request:
<DescribeSecurityGroups xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <securityGroupSet> <item> <groupName>
security-group-name
</groupName> </item> </securityGroupSet> </DescribeSecurityGroups> -
If you are using Query, construct the following request:
https://ec2.amazonaws.com/ ?Action=DescribeSecurityGroups &GroupName.1=
security-group-name
&...auth parameters... -
View output similar to the following:
<DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <securityGroupInfo> <item> <ownerId>UYY3TLBUXIEON5NQVUUX6OMPWBZIQNFM</ownerId> <groupName>WebServers</groupName> <groupDescription>Web</groupDescription> <ipPermissions> <item> <ipProtocol>tcp</ipProtocol> <fromPort>80</fromPort> <toPort>80</toPort> <groups/> <ipRanges> <item> <cidrIp>0.0.0.0/0</cidrIp> </item> </ipRanges> </item> </ipPermissions> </item> </securityGroupInfo> </DescribeSecurityGroupsResponse>
Adding a Security Group Rule
This section describes how to add a rule to a security group.
Procedure
To add a rule to a security group
-
If you are using SOAP, construct a request similar to the following:
<AuthorizeSecurityGroupIngress xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <userId/> <groupName>WebServers</groupName> <ipPermissions> <item> <ipProtocol>tcp</ipProtocol> <fromPort>80</fromPort> <toPort>80</toPort> <groups/> <ipRanges> <item> <cidrIp>0.0.0.0/0</cidrIp> </item> </ipRanges> </item> </ipPermissions> </AuthorizeSecurityGroupIngress>
-
If you are using Query, construct a request similar to the following:
https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &IpProtocol=tcp &FromPort=80 &ToPort=80 &CidrIp=0.0.0.0/0 &...auth parameters...
-
View output similar to the following:
<AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <return>true</return> </AuthorizeSecurityGroupIngressResponse>
Delete a Security Group Rule
This section describes how to delete a security group rule.
Procedure
To delete a security group rule
-
If you are using SOAP, construct a request similar to the following:
<RevokeSecurityGroupIngress xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <userId/> <groupName>RangedPortsBySource</groupName> <ipPermissions> <item> <ipProtocol>tcp</ipProtocol> <fromPort>6000</fromPort> <toPort>7000</toPort> <groups/> <ipRanges/> </item> </ipPermissions> </RevokeSecurityGroupIngress>
-
If you are using Query, construct a request similar to the following:
https://ec2.amazonaws.com/ ?Action=RevokeSecurityGroupIngress &IpProtocol=tcp &FromPort=80 &ToPort=80 &CidrIp=0.0.0.0/0 &...auth parameters...
-
View output similar to the following:
<RevokeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <return>true</return> </RevokeSecurityGroupIngressResponse>
Delete a Security Group
This section describes how to delete a security group.
Procedure
To delete a security group
-
If you are using SOAP, construct the following request:
<DeleteSecurityGroup xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <groupName>
security-group-name
</groupName> </DeleteSecurityGroup> -
If you are using Query, construct the following request:
https://ec2.amazonaws.com/ ?Action=DeleteSecurityGroup &GroupName=
security-group-name
&...auth parameters... -
View output similar to the following:
<DeleteSecurityGroupResponse xmlns="http://ec2.amazonaws.com/doc/2009-08-15/"> <return>true</return> </DeleteSecurityGroupResponse>
Example
This section provides examples of configuring security groups using the command line tools.
Modifying the Default Group
This example shows Albert modifying the default group to meet his security needs.
Albert Modifies the Default Group
1 |
Albert launches a copy of his favorite public AMI.
|
2 |
After a little wait for image launch to complete. Albert, who is a cautious type, checks the access rules of the default group.
Albert notices that it only accepts ingress network connections from other members of the default group for all protocols and ports. |
3 |
Albert, being paranoid as well as cautious, uses the Linux and UNIX
|
4 |
Albert decides he should be able to SSH into his instance, but only from his own machine.
|
5 |
Albert repeats the Linux and UNIX
Albert is happy (or at least less paranoid). |
Creating a Three-Tier Web Service
Mary wants to deploy her public, failure resilient, three-tier web service (web, application, and database servers) in Amazon EC2. Her grand plan is to have her web tier start off executing in seven instances of ami-fba54092, her application tier executing in twenty instances of ami-e3a5408a,and her multi-master database in two instances of ami-f1a54098. She's concerned about the security of her subscriber database, so she wants to restrict network access to her middle and back tier machines. When the traffic to her site increases over the holiday shopping period, she adds additional instances to her web and application tiers to handle the extra load.
Launch Process
1 |
First, Mary creates a group for her Apache web server instances and allows HTTP access to the world.
|
2 |
Mary launches seven instances of her web server AMI as members
of the
|
3 |
Being as paranoid as Albert, Mary uses the Linux and UNIX
|
4 |
Mary verifies her web server can be reached.
Mary can reach her web server. |
5 |
Mary creates a separate group for her application server.
|
6 |
Mary starts twenty instances as members of
|
7 |
Mary grants network access between her web server group and the application server group.
|
8 |
Mary verifies access to her app server is restricted by port scanning
one of the application servers using the Linux and UNIX
|
9 |
Mary confirms that her web servers have access to her application servers.
|
10 |
Mary repeats these steps to create the database server group and to grant access between the application server and database server groups. |