Using Network Security

Amazon Elastic Compute Cloud: 2009-10-31

previous page next page

Using Network Security

Topics

API Overview

Creating a Security Group

Describing Security Groups

Adding a Security Group Rule

Delete a Security Group Rule

Delete a Security Group

Example

This section describes how to use Amazon EC2 network security.

	Note
	In addition to these examples, you can maintain your own firewall on any of your instances. This can be useful if you have specific requirements not met by the Amazon EC2 distributed firewall.

API Overview

This section provides a brief overview of each operation.

CreateSecurityGroup—Creates a new security group for use with your account.
DescribeSecurityGroups—Returns information about security groups associated with your account.
DeleteSecurityGroup—Deletes security groups associated with your account.
AuthorizeSecurityGroupIngress—Adds permissions to a security group.
RevokeSecurityGroupIngress—Revokes permissions from a security group.

Creating a Security Group

This section describes how to create a security group.

AWS Management Console

To create a security group

Log in to the AWS Management Console and click the Amazon EC2 tab.
Click Security Groups in the Navigation pane.

The console displays a list of current security groups.
Click Security Group.

The Security Group dialog box appears.
Configure the following settings and click Create.
- Security Group Name
- Security Group Description
Amazon EC2 begins creating the security group.

Command Line Tools

To create a security group

Enter the following command:

PROMPT>  ec2-add-group groupname -d "group_description"

Amazon EBS returns information similar to the following example.

GROUP   webservers   My Web Server Group

Describing Security Groups

This section describes how to view currently configured security groups.

AWS Management Console

To view security groups

Log in to the AWS Management Console and click the Amazon EC2 tab.
Click Security Groups in the Navigation pane.

The console displays a list of security groups that belong to the account.
To view more information about a security group, including its rules, select it.

Command Line Tools

To view security groups

Enter the following command:

PROMPT>  ec2-describe-group [group ...]

Amazon EC2 returns output similar to the following:

GROUP AIDADH4IGTRXXKCD webservers Web Servers

Adding a Security Group Rule

This section describes how to add a rule to a security group.

AWS Management Console

To add a rule to a security group

Log in to the AWS Management Console and click the Amazon EC2 tab.
Click Security Groups in the Navigation pane.

The console displays a list of security groups that belong to the account.
Select a security group.

Its rules appear in the lower pane.
To add a rule, provide the following:
- Protocol
- From Port
- To Port
Then, select from the following:
- To allow access from other instances in a security group, enter the security group name in the Connection Source field.
- To configure this rule to apply to an IP address range, enter the CIDR range in the Connection Source field. For example, enter 0.0.0.0/0 to allow all IP addresses to access the specified port range. Enter an IP address or subnet to limit access to that one computer or network, for example 92.23.32.51/32.
Click Save.

The new rule is created and applied to all instances that belong to the security group.

Command Line Tools

To add a rule to a security group

Enter the following command:

              PROMPT> 
              ec2-authorize group [-P protocol] (-p port_range | -t icmp_type_code) [-u source_group_user ...] [-o source_group ...] [-s source_subnet ...]

Amazon EC2 returns an elastic IP address similar to the following:

PERMISSION default ALLOWS tcp 22 22 FROM CIDR 126.52.1.130/32

Delete a Security Group Rule

This section describes how to delete a security group rule.

AWS Management Console

To delete a security group rule

Log in to the AWS Management Console and click the Amazon EC2 tab.

Click Security Groups in the Navigation pane.

The console displays a list of security groups that belong to the account.

Select a security group.

Its rules appear in the lower pane.

To delete a rule, click its Remove button.

Amazon EC2 deletes the security group rule.

Command Line Tools

To delete a security group rule

Enter the following command:

PROMPT> ec2-revoke group [-P protocol] (-p port_range | -t icmp_type_code) [-u source_group_user ...] [-o source_group ...] [-s source_subnet ...]

Amazon EC2 returns output similar to the following:

PERMISSION webservers ALLOWS tcp 80 80 FROM CIDR 205.192.0.0/16

Delete a Security Group

This section describes how to delete a security group.

AWS Management Console

To delete a security group

Log in to the AWS Management Console and click the Amazon EC2 tab.

Click Security Groups in the Navigation pane.

The console displays a list of security groups that belong to the account.

Select a security group and click Delete.

A confirmation dialog box appears.

Click Yes, Delete.

Amazon EC2 deletes the security group.

Command Line Tools

To delete a security group

Enter the following command:

PROMPT> ec2-delete-group group

Amazon EC2 returns output similar to the following:

GROUP webservers

Example

This section provides examples of configuring security groups using the command line tools.

Modifying the Default Group

This example shows Albert modifying the default group to meet his security needs.

Albert Modifies the Default Group

1

Albert launches a copy of his favorite public AMI.

PROMPT> ec2-run-instances ami-eca54085 RESERVATION r-a034c7c9 924417782495 default INSTANCE i-cfd732a6 ami-eca54085 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c

2

After a little wait for image launch to complete. Albert, who is a cautious type, checks the access rules of the default group.

PROMPT> ec2-describe-group default GROUP 598916040194 default default group PERMISSION default ALLOWS all FROM USER 598916040194 GRPNAME default

Albert notices that it only accepts ingress network connections from other members of the default group for all protocols and ports.

3

Albert, being paranoid as well as cautious, uses the Linux and UNIX nmap command to port scan his instance.

$ nmap -P0 -p1-100 ec2-67-202-51-105.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST All 100 scanned ports on ec2-67-202-51-105.compute-1.amazonaws.com (67.202.51.105) are: filtered Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

4

Albert decides he should be able to SSH into his instance, but only from his own machine.

PROMPT> ec2-authorize default -P tcp -p 22 -s 126.52.1.130/32 GROUP default PERMISSION default ALLOWS tcp 22 22 FROM CIDR 126.52.1.130/32

5

Albert repeats the Linux and UNIX nmap port scan.

$ nmap -P0 -p1-100 ec2-67-202-51-105.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST Interesting ports on ec2-67-202-51-105.compute-1.amazonaws.com (67.202.51.105): (The 99 ports scanned but not shown are in state: filtered) PORT STATE SERVICE 22/tcp open ssh Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds

Albert is happy (or at least less paranoid).

Creating a Three-Tier Web Service

Mary wants to deploy her public, failure resilient, three-tier web service (web, application, and database servers) in Amazon EC2. Her grand plan is to have her web tier start off executing in seven instances of ami-fba54092, her application tier executing in twenty instances of ami-e3a5408a,and her multi-master database in two instances of ami-f1a54098. She's concerned about the security of her subscriber database, so she wants to restrict network access to her middle and back tier machines. When the traffic to her site increases over the holiday shopping period, she adds additional instances to her web and application tiers to handle the extra load.

Launch Process

1

First, Mary creates a group for her Apache web server instances and allows HTTP access to the world.

PROMPT> ec2-add-group apache -d "Mary's Apache group" GROUP apache Mary's Apache group PROMPT> ec2-describe-group apache GROUP 598916040194 apache Mary's Apache group PROMPT> ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0 GROUP apache PERMISSION apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0 PROMPT> ec2-describe-group apache GROUP 598916040194 apache Mary's Apache group PERMISSION 598916040194 apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0

2

Mary launches seven instances of her web server AMI as members of the apache group.

PROMPT> ec2run ami-fba54092 -n 7 -g apache RESERVATION r-0592776c 598916040194 default INSTANCE i-cfd732a6 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732a7 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732a8 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732a9 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732aa ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732ab ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732ac ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c PROMPT> ec2din i-cfd732a6 RESERVATION r-0592776c 598916040194 INSTANCE i-cfd732a6 ami-fba54092 ec2-67-202-51-245.compute-1.amazonaws.com running 0 m1.small 2007-07-11T16:40:44+0000

3

Being as paranoid as Albert, Mary uses the Linux and UNIX nmap command to confirm the permissions she just configured.

$ nmap -P0 -p1-100 ec2-67-202-51-245.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST Interesting ports on ec2-67-202-51-245.compute-1.amazonaws.com (67.202.51.245): (The 99 ports scanned but not shown are in state: filtered) PORT STATE SERVICE 80/tcp open http Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds

4

Mary verifies her web server can be reached.

$ telnet ec2-67-202-51-245.compute-1.amazonaws.com 80 Trying 67.202.51.245... Connected to ec2-67-202-51-245.compute-1.amazonaws.com (67.202.51.245). Escape character is '^]'.

Mary can reach her web server.

5

Mary creates a separate group for her application server.

PROMPT> ec2-add-group appserver -d "Mary's app server" GROUP appserver Mary's app server

6

Mary starts twenty instances as members of appserver group.

PROMPT> ec2run ami-e3a5408a -n 20 -g appserver

7

Mary grants network access between her web server group and the application server group.

PROMPT> ec2-authorize appserver -o apache -u AIDADH4IGTRXXKCD GROUP appserver PERMISSION appserver ALLOWS all FROM USER AIDADH4IGTRXXKCD GRPNAME apache

8

Mary verifies access to her app server is restricted by port scanning one of the application servers using the Linux and UNIX nmap command.

$ nmap -P0 -p1-100 ec2-67-202-51-162.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST All 100 scanned ports on ec2-67-202-51-162.compute-1.amazonaws.com (67.202.51.162) are: filtered Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

9

Mary confirms that her web servers have access to her application servers.

She (temporarily) grants SSH access from her workstation to the web server group:
PROMPT> ec2-authorize apache -P tcp -p 22 -s 126.52.1.130/32
She logs in to one of her web servers and connects to an application server on TCP port 8080.
$ telnet ec2-67-202-51-162.compute-1.amazonaws.com 8080 Trying 67.202.51.162... Connected to ec2-67-202-51-162.compute-1.amazonaws.com (67.202.51.162). Escape character is '^]'
Satisfied with the setup, she revokes SSH access to the web server group.
PROMPT> ec2-revoke apache -P tcp -p 22 -s 126.52.1.130/32

10

Mary repeats these steps to create the database server group and to grant access between the application server and database server groups.

Related Topics

Network Security Concepts

previous page start next page

1	Albert launches a copy of his favorite public AMI. `PROMPT>` ec2-run-instances ami-eca54085 RESERVATION r-a034c7c9 924417782495 default INSTANCE i-cfd732a6 ami-eca54085 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c
2	After a little wait for image launch to complete. Albert, who is a cautious type, checks the access rules of the default group. `PROMPT>` ec2-describe-group default GROUP 598916040194 default default group PERMISSION default ALLOWS all FROM USER 598916040194 GRPNAME default Albert notices that it only accepts ingress network connections from other members of the default group for all protocols and ports.
3	Albert, being paranoid as well as cautious, uses the Linux and UNIX `nmap` command to port scan his instance. `$` nmap -P0 -p1-100 ec2-67-202-51-105.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST All 100 scanned ports on ec2-67-202-51-105.compute-1.amazonaws.com (67.202.51.105) are: filtered Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds
4	Albert decides he should be able to SSH into his instance, but only from his own machine. `PROMPT>` ec2-authorize default -P tcp -p 22 -s 126.52.1.130/32 GROUP default PERMISSION default ALLOWS tcp 22 22 FROM CIDR 126.52.1.130/32
5	Albert repeats the Linux and UNIX `nmap` port scan. `$` nmap -P0 -p1-100 ec2-67-202-51-105.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST Interesting ports on ec2-67-202-51-105.compute-1.amazonaws.com (67.202.51.105): (The 99 ports scanned but not shown are in state: filtered) PORT STATE SERVICE 22/tcp open ssh Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds Albert is happy (or at least less paranoid).

1	First, Mary creates a group for her Apache web server instances and allows HTTP access to the world. `PROMPT>` ec2-add-group apache -d "Mary's Apache group" GROUP apache Mary's Apache group `PROMPT>` ec2-describe-group apache GROUP 598916040194 apache Mary's Apache group `PROMPT>` ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0 GROUP apache PERMISSION apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0 `PROMPT>` ec2-describe-group apache GROUP 598916040194 apache Mary's Apache group PERMISSION 598916040194 apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
2	Mary launches seven instances of her web server AMI as members of the `apache` group. `PROMPT>` ec2run ami-fba54092 -n 7 -g apache RESERVATION r-0592776c 598916040194 default INSTANCE i-cfd732a6 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732a7 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732a8 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732a9 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732aa ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732ab ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c INSTANCE i-cfd732ac ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000 us-east-1c `PROMPT>` ec2din i-cfd732a6 RESERVATION r-0592776c 598916040194 INSTANCE i-cfd732a6 ami-fba54092 ec2-67-202-51-245.compute-1.amazonaws.com running 0 m1.small 2007-07-11T16:40:44+0000
3	Being as paranoid as Albert, Mary uses the Linux and UNIX `nmap` command to confirm the permissions she just configured. `$` nmap -P0 -p1-100 ec2-67-202-51-245.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST Interesting ports on ec2-67-202-51-245.compute-1.amazonaws.com (67.202.51.245): (The 99 ports scanned but not shown are in state: filtered) PORT STATE SERVICE 80/tcp open http Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds
4	Mary verifies her web server can be reached. `$` telnet ec2-67-202-51-245.compute-1.amazonaws.com 80 Trying 67.202.51.245... Connected to ec2-67-202-51-245.compute-1.amazonaws.com (67.202.51.245). Escape character is '^]'. Mary can reach her web server.
5	Mary creates a separate group for her application server. `PROMPT>` ec2-add-group appserver -d "Mary's app server" GROUP appserver Mary's app server
6	Mary starts twenty instances as members of `appserver` group. `PROMPT>` ec2run ami-e3a5408a -n 20 -g appserver
7	Mary grants network access between her web server group and the application server group. `PROMPT>` ec2-authorize appserver -o apache -u AIDADH4IGTRXXKCD GROUP appserver PERMISSION appserver ALLOWS all FROM USER AIDADH4IGTRXXKCD GRPNAME apache
8	Mary verifies access to her app server is restricted by port scanning one of the application servers using the Linux and UNIX `nmap` command. `$` nmap -P0 -p1-100 ec2-67-202-51-162.compute-1.amazonaws.com Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST All 100 scanned ports on ec2-67-202-51-162.compute-1.amazonaws.com (67.202.51.162) are: filtered Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds
9	Mary confirms that her web servers have access to her application servers. She (temporarily) grants SSH access from her workstation to the web server group: `PROMPT>` ec2-authorize apache -P tcp -p 22 -s 126.52.1.130/32 She logs in to one of her web servers and connects to an application server on TCP port 8080. `$` telnet ec2-67-202-51-162.compute-1.amazonaws.com 8080 Trying 67.202.51.162... Connected to ec2-67-202-51-162.compute-1.amazonaws.com (67.202.51.162). Escape character is '^]' Satisfied with the setup, she revokes SSH access to the web server group. `PROMPT>` ec2-revoke apache -P tcp -p 22 -s 126.52.1.130/32
10	Mary repeats these steps to create the database server group and to grant access between the application server and database server groups.