AWS security is a shared responsibility. While AWS maintains responsibility for security of the cloud, the customer is responsible for security in the cloud. A variety of tools and services are available, from AWS and other vendors, to help you to meet your security and compliance objectives. AWS Security Groups, in particular, help you secure your Amazon EC2 resources.
An AWS security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Both inbound and outbound rules control the flow of traffic to and traffic from your instance, respectively.
AWS Security Groups help you secure your cloud environment by controlling how traffic will be allowed into your EC2 machines. With Security Groups, you can ensure that all the traffic that flows at the instance level is only through your established ports and protocols.
When launching an instance on Amazon EC2, you need to assign it to a particular security group. You can add rules to each security group that allow traffic to or from designated services including associated instances.
Like whitelists, security group rules are always permissive. It’s not possible to create rules that deny access. For example, you may have traffic coming from an Elastic Load Balancer (ELB) to a subnet with web servers. Your AWS Security Group can list that ELB as its sole permitted source.
Security groups are stateful, which means that if an inbound request is allowed, the response traffic is allowed back out as well, without needing a matching outbound rule.
You can specify one or more security groups for each EC2 instance, with a maximum of five per network interface. Additionally, each instance in a subnet in your VPC can be assigned to a different set of security groups. In allowing traffic to reach an instance, Amazon EC2 evaluates all of the rules from all of the security groups associated.
Once rules are added or modified, they will be automatically applied to all instances that are associated with the security group.
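To make the behaviour described above concrete (allow-only rules, and EC2 evaluating the union of every rule from every attached group), here is an added example that is not from the original page or from any AWS or Check Point tool. It evaluates a constructed pair of security groups, in the shape returned by boto3's describe_security_groups(), against sample inbound traffic and also flags any rule open to the whole Internet; the group IDs and addresses are hypothetical.

```python
import ipaddress

# Constructed sample data (hypothetical group IDs and CIDRs, not from the page),
# shaped like the "SecurityGroups" entries boto3's describe_security_groups() returns.
SECURITY_GROUPS = [
    {"GroupId": "sg-web-example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},   # only the ELB subnet
     ]},
    {"GroupId": "sg-admin-example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},     # world-open SSH
     ]},
]


def rule_matches(rule, protocol, port, source_ip):
    """One allow rule matches when protocol, port range and source CIDR all agree.
    IpProtocol "-1" means all protocols and carries no port range."""
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    src = ipaddress.ip_address(source_ip)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # Membership across IP versions is simply False, so mixed v4/v6 is safe here.
    return any(src in ipaddress.ip_network(c) for c in cidrs)


def inbound_allowed(groups, protocol, port, source_ip):
    """EC2 evaluates the union of all rules from all attached groups; because
    rules are allow-only, a single match in any group permits the traffic."""
    return any(rule_matches(rule, protocol, port, source_ip)
               for g in groups for rule in g["IpPermissions"])


def world_open_rules(groups):
    """Audit helper: list (group, protocol, from, to) for rules whose source is
    the entire Internet, the classic misconfiguration an audit should surface."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                findings.append((g["GroupId"], rule["IpProtocol"],
                                 rule.get("FromPort"), rule.get("ToPort")))
    return findings
```

Note that the web group's tight 443 rule does nothing to block port 22: the world-open rule in the second group is unioned in, which is why auditing every attached group matters.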
With tools like CloudGuard, you can visualize your cloud security posture at the infrastructure level (VPCs, security groups, EC2 and RDS instances, Amazon S3 buckets, Elastic Load Balancers, etc.) and interactively detect configuration drift.
A network access control list (NACL) is an additional way to control traffic in and out of one or more subnets. Unlike AWS Security Groups, NACLs are stateless, so both inbound and outbound rules will get evaluated. Network ACLs can be set up as an optional, additional layer of security to your VPC.
AWS Firewall Manager allows you to centrally configure and manage your firewall rules across AWS accounts and applications. On July 8, 2020, AWS Firewall Manager launched “new pre-configured rules to help customers audit their VPC security groups and get detailed reports of non-compliance from a central administrator account. This feature makes it easier for customers to centrally audit their security groups,” while “taking away the heavy-lifting of configuring custom audit checks manually.”
Like any point solution, AWS Security Groups are unlikely to meet all security requirements for most organizations. It’s possible to maintain your own firewall on any of your instances.
The Check Point CloudGuard platform is a cloud-native security solution for Amazon AWS environments. CloudGuard Cloud Network Security provides advanced threat prevention and automated network security with unified management across cloud and on-prem environments. CloudGuard also serves as a security orchestration platform that offers visibility into and management of the security posture (CSPM), compliance automation and intrusion detection in the public cloud.
CloudGuard has a native API integration with Amazon Security Hub to provide enhanced visibility into vulnerabilities in an organization’s cloud security and compliance posture from a consolidated security console.
CloudGuard Cloud Network Security actively prevents cyber-attacks and network vulnerabilities and feeds these threat alerts into the AWS Security Hub console. This continuous threat prevention is driven by the platform’s native firewall, IPS, application control, IPsec VPN, antivirus and anti-bot capabilities.
Cloud security posture management delivered through CloudGuard helps you visualize your cloud security posture at the infrastructure level (VPCs, security groups, EC2 and RDS instances, Amazon S3 buckets, Elastic Load Balancers, etc.). With CloudGuard, you can interactively detect configuration drift, assess the impact of new vulnerabilities and spot firewall rule misconfigurations quickly.