How to Lock Down AWS Security Groups

When I started working with Amazon Web Services (AWS) many years ago, one of the first things I noticed was that AWS sometimes uses terminology different from what I was used to as a Windows administrator. Microsoft refers to virtual machines as VMs, while AWS calls them instances.
Sometimes, however, AWS uses a term that has a completely different meaning from what a Windows administrator might expect. One classic example is "Security Groups".
In Microsoft-speak, a Security Group is a group whose members receive a common set of permissions. For example, a security group could be used to grant permissions to a file or folder. In AWS, the term means something else entirely.
When you create an Elastic Compute Cloud (EC2) instance, AWS creates a new security group to manage access to it. You can see in Figure 1 that a security group named launch-wizard-1 corresponds to an EC2 instance. The figure also shows the VPC security group, which is the default for the virtual private cloud.
Figure 1: EC2 creates a security group for each instance you create.
Before you can use a security group to lock down access to an instance, you must first determine which security group the instance belongs to. The easiest way to do this is to go to the console's Instances screen and select an instance. Next, look at the Description tab. Figure 2 shows that the Description tab lists the name and security group of the instance.
Figure 2: The Description tab of an instance lists the name and security group for that instance.
You can edit both the inbound and outbound rules for any security group. These rules can be accessed by going to the Security Groups container (shown in Figure 1), selecting the security group you wish to edit, and then choosing either Edit Inbound Rules or Edit Outbound Rules from the Actions menu. Figure 3 shows how to do this.
Figure 3: Choose either Edit Inbound Rules or Edit Outbound Rules.
Figure 4 shows the Edit Inbound Rules window. As you can see, one rule is created automatically. This rule allows RDP traffic over port 3389. If you want to remotely manage the instance, this rule must be in place.
Figure 4: This inbound rule is created by default.
Remote access is not the only requirement. In order to communicate with other instances and external services, an instance will often need additional rules that allow inbound traffic.
As you add rules, it is important not to make them too permissive. For example, setting a rule's source to 0.0.0.0/0 allows inbound traffic from every IP address. If the instance needs to receive traffic from an external service or from another instance, the rule should refer to that service's or instance's IP address rather than opening the port to everyone.
Some servers, such as Web servers, do serve anonymous clients. For example, a Web server might accept traffic from anyone on port 80 or 443. Even though it is possible to open a port to everyone, doing so is dangerous. A better approach is to place a load balancer in front of the Web server and let the load balancer proxy requests to it. That way, external clients cannot reach the Web server directly. Instead, the security groups are configured so that inbound traffic from the Internet is only allowed to the load balancer.
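The two points above (never use 0.0.0.0/0 as a source unless the group really is a public edge, and let only the load balancer face the Internet) are easy to check programmatically. The following is an added example, not code from the original article: it audits security group ingress rules for world-open sources and shows how the load-balancer pattern looks in rule form. The sample groups, group IDs and account ID are constructed to mirror the shape of the response boto3's `ec2.describe_security_groups()` returns, so the script runs offline without an AWS call; the `PUBLIC_EDGE` allow list and the group names are assumptions for the demonstration.

```python
"""Audit EC2 security group ingress rules for world-open sources.

Added example, not from the original article. SAMPLE_GROUPS is constructed
to mirror boto3's describe_security_groups() response shape; no AWS call is
made, so this runs offline.
"""
import ipaddress

# Constructed sample data (placeholder IDs). Three groups as in the article's
# scenario: the launch-wizard default, a public load balancer, a web server.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa000000000001",
        "GroupName": "launch-wizard-1",
        "IpPermissions": [
            # The automatically created RDP rule, left open to the world.
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0aaa000000000002",
        "GroupName": "alb-public",
        "IpPermissions": [
            # The load balancer is the one place anonymous clients may hit.
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0aaa000000000003",
        "GroupName": "web-server",
        "IpPermissions": [
            # Port 80 only from the load balancer's security group, not a CIDR.
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa000000000002",
                                   "UserId": "123456789012"}]},
            # RDP only from one management address.
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

# Assumed allow list: groups that may be world-reachable, and on which ports.
PUBLIC_EDGE = {"alb-public": {80, 443}}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (any network with a zero-length prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm: dict):
    """Return the (from, to) port range; IpProtocol '-1' means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_ingress(groups, public_edge=PUBLIC_EDGE):
    """Return findings for every ingress rule whose source is the whole Internet,
    except single-port rules on an allow-listed public edge group."""
    findings = []
    for sg in groups:
        allowed = public_edge.get(sg["GroupName"], set())
        for perm in sg["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_world_open(cidr):
                    continue
                lo, hi = rule_ports(perm)
                if lo == hi and lo in allowed:
                    continue  # expected: the load balancer's public port
                findings.append({
                    "group": sg["GroupName"], "group_id": sg["GroupId"],
                    "protocol": perm["IpProtocol"],
                    "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                    "source": cidr,
                })
    return findings


def groups_accepting_from(groups, group_id):
    """Names of groups whose rules name `group_id` as a source (the pattern
    that lets only the load balancer reach the web server)."""
    return [sg["GroupName"] for sg in groups
            if any(p["GroupId"] == group_id
                   for perm in sg["IpPermissions"]
                   for p in perm.get("UserIdGroupPairs", []))]


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUPS):
        print(f"WORLD-OPEN {f['group']} ({f['group_id']}): "
              f"{f['protocol']}/{f['ports']} from {f['source']}")
    print("accepts traffic from alb-public:",
          groups_accepting_from(SAMPLE_GROUPS, "sg-0aaa000000000002"))
```

Run against the constructed data, the audit flags only the launch-wizard group's RDP rule; the load balancer's 80/443 rules pass because that group is on the allow list, and the web server never appears because its port 80 rule names the load balancer's security group as its source rather than any CIDR (the UserIdGroupPairs field), which is how the "only the load balancer can reach the Web server" arrangement is expressed in AWS rules. To audit a real account, replace SAMPLE_GROUPS with the `SecurityGroups` list from `describe_security_groups()`.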
The Edit Outbound Rules dialog, as shown in Figure 5, is very similar.