
EC2 Security Groups

powdahound edited this page Sep 13, 2010 · 3 revisions

Security is important for any machine connected to any network at any time. Hardening servers is that much more important, and locking them down in a cloud computing environment brings a new set of challenges on top of those already faced in shared or managed hosting environments.

Amazon’s EC2 cloud has a built-in firewall capability that is easy to set up. It is based on the concept of security groups. A security group is simply a group of access rules that apply to any instance which is a member of that group. These rules specify which machines are allowed to connect to members of that group.

A typical real world example would be a “database” group that needs to allow access to the “web” group. The “web” group needs to allow access to the public internet on port 80.

Poolparty supports EC2 security groups, and allows you to easily take advantage of them to provide an additional layer of access control. This is an excerpt of a Poolparty recipe that shows the web cloud → database cloud scenario described above:


pool :app do
  cloud :web do
    security_group 'web'
    ...
  end

  cloud :db do
    security_group 'database'
    ...
  end
end

So now, we need to tell EC2 about these groups, and what the access rules are for them.

First, we need to create the web group and allow public web browsers to connect to it on port 80. We also need to allow Poolparty to access port 22 for SSH. Lastly, we allow ICMP (ping).


ec2-add-group web -d "Web server group" ec2-authorize -p 80 web ec2-authorize -p 22 web ec2-authorize -P icmp -t -1:-1 web

Next, we need to create the database group:


ec2-add-group database -d "Database server group" ec2-authorize -p 22 database ec2-authorize -P icmp -t -1:-1 database

Last, we need to tell the database server group to allow the web server group to connect to it:


ec2-authorize database -o web -u 123456789123

Note that the “-u” parameter above needs to be YOUR Amazon account number. Ugly, but true.
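As an added example (not part of the Poolparty wiki or its code), a small Python audit of the rule set built above: it models the ec2-authorize default of 0.0.0.0/0 as the source when neither -s nor -o is given, reports which groups expose SSH to the whole internet, and produces the equivalent rule set restricted with -s. The group names are the page's; the Rule model and the management subnet 203.0.113.0/24 are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}  # SSH and RDP: should never be reachable from ANYWHERE

@dataclass(frozen=True)
class Rule:
    """One ingress rule as ec2-authorize creates it (assumed model, not the EC2 API)."""
    group: str                       # group the rule is attached to
    proto: str                       # "tcp", "udp", "icmp" or "all"
    from_port: int                   # -1 means all ports (or all ICMP types)
    to_port: int
    cidr: Optional[str] = None       # source subnet (-s)
    src_group: Optional[str] = None  # source security group (-o)

def authorize(group, proto="all", from_port=-1, to_port=-1, cidr=None, src_group=None):
    """Mirror the CLI default: with neither -s nor -o, the source is the whole internet."""
    if cidr is None and src_group is None:
        cidr = ANYWHERE
    return Rule(group, proto, from_port, to_port, cidr, src_group)

# Constructed rule set matching the commands on this page (SSH left at the default source).
PAGE_RULES = [
    authorize("web", "tcp", 80, 80),
    authorize("web", "tcp", 22, 22),
    authorize("web", "icmp"),
    authorize("database", "tcp", 22, 22),
    authorize("database", "icmp"),
    authorize("database", src_group="web"),  # -o web: any protocol/port from web members
]

def _matches(r: Rule, proto: str, port: int) -> bool:
    return r.proto in (proto, "all") and (r.from_port == -1 or r.from_port <= port <= r.to_port)

def sources_for(rules: List[Rule], group: str, proto: str, port: int) -> Set[str]:
    """Who can reach proto/port on members of group: CIDRs and 'group:NAME' entries."""
    return {r.cidr or f"group:{r.src_group}" for r in rules if r.group == group and _matches(r, proto, port)}

def world_exposed_admin_ports(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Findings: (group, port) where an admin port is open to 0.0.0.0/0."""
    return sorted({(r.group, p) for r in rules if r.cidr == ANYWHERE
                   for p in ADMIN_PORTS if _matches(r, "tcp", p)})

def restrict_admin_ports(rules: List[Rule], mgmt_cidr: str) -> List[Rule]:
    """Hardened copy: world-open admin-port rules take mgmt_cidr as source (ec2-authorize -s)."""
    return [Rule(r.group, r.proto, r.from_port, r.to_port, mgmt_cidr, None)
            if r.cidr == ANYWHERE and any(_matches(r, "tcp", p) for p in ADMIN_PORTS) else r
            for r in rules]
```

Running the audit over PAGE_RULES flags port 22 on both groups; the restricted copy keeps the web → database group rule intact while SSH is reachable only from the management subnet.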

Once you have done all this, you are ready to start up your clouds within the protection of Amazon’s EC2 security groups. Note that this is just one layer of security and is no substitute for complete security hardening.

Here are a few useful links to help if you want to learn more:

EC2 Security Concepts

Amazon’s Elastic Compute Cloud [EC2]: Initial Thoughts on Security Implications

EC2 Security Group Authorization Examples
