23. Security Groups

Security groups are virtual firewalls that control traffic to our EC2 instances.

Inbound rules:
Type: HTTP – Protocol: TCP – Port Range: 80 – Source: 0.0.0.0/0 (IPv4)
Type: HTTP – Protocol: TCP – Port Range: 80 – Source: ::/0 (IPv6)
Type: SSH – Protocol: TCP – Port Range: 22 – Source: 0.0.0.0/0 (IPv4)

Outbound rules:
Type: All traffic – Protocol: All – Port Range: All – Destination: 0.0.0.0/0 (IPv4)

Security groups cannot block an individual IP address or an individual port: they carry only allow rules. Anything not covered by an allow rule is blocked, so every permitted flow has to be allowed explicitly.

We can attach more than one SG to an EC2 instance.

Commonly used ports are:
HTTP – 80
HTTPS – 443
FTP – 21
FTPS / SSH – 22
POP3 – 110
POP3 SSL – 995
IMAP – 143
IMAP SSL – 993
SQL Server – 1433
MySQL – 3306

Tips:
i. All inbound traffic is blocked by default
ii. All outbound traffic is allowed
iii. Changes to security group take effect immediately
iv. We can have any number of EC2 instances within a security group
v. We can have multiple SGs attached to EC2 instances.
vi. SGs are stateful
vii. If we create an inbound rule allowing traffic in, that traffic is automatically allowed back out again.
viii. We cannot block specific IP addresses using SGs; for that we use NACLs (Network Access Control Lists)
ix. We can specify allow rules, but not deny rules.

Question 1:
As a Solutions Architect, you plan to build a web application consisting of a web server and a database server. The web server and database server will be hosted on different EC2 instances, each located on a different subnet. The database server should only allow traffic from the web server.
Please choose a response to meet this requirement.
Options:
A. Control traffic with VPC endpoints
B. Control traffic with security groups
C. Control traffic with NACLs
D. Allow access from the web server to the DB server with the IAM role
Answer: B
Explanation
Security groups are a good way to control traffic between instances. You can restrict traffic to that coming from a particular EC2 instance by specifying that instance's IP address as the source in a security group rule. Therefore, option B is the correct answer.
Option A is incorrect. A VPC endpoint is a mechanism that allows AWS resources inside a VPC to access AWS services outside the VPC; it is not used to control traffic.
Option C is incorrect. Network ACLs can also control traffic, but this applies only to traffic between a subnet and the internet, not subnet-to-subnet communication. A security group controls the traffic to its own EC2 instance and the other instances it is attached to. Therefore, security groups are the suitable solution for controlling traffic between EC2 instances.
Option D is incorrect. An IAM role is not used to control network traffic from the web server to the database server; the security group is. (RDS does support IAM database authentication, but that authenticates database users rather than controlling network traffic.)

Question 2:
Your company has set up security groups on multiple EC2 instances. As operations personnel, you have decided to change the access settings of your EC2 instances. You have set the security group rules to allow inbound traffic on a new port and with a new protocol. You then used this security group to launch a new EC2 instance.
How will the security group settings be reflected?
Options:
A. Security group changes are immediately reflected in all EC2 instances
B. It takes time for the SG to be reflected in the EC2 instances for which the security group has been set
C. Unlike the reflection in the existing EC2 instance, the security group is reflected in the new EC2 instance immediately
D. It takes a few minutes for the security group to be reflected on all EC2 instances
Answer: A
Explanation
Security group changes and new settings are immediately reflected in all EC2 instances.
Therefore, option A is the correct answer.
All other options are incorrect.

Question 3:
A company has moved its business critical data to Amazon EFS file system which will be accessed by multiple EC2 instances.
As an AWS Certified Solutions Architect Associate, which of the following would you recommend to exercise access control such that only the permitted EC2 instances can read from the EFS file system? (Select three)
A. Attach an IAM policy to your file system to control clients who can mount your file system with the required permissions
B. Use VPC security groups to control the network traffic to and from your file system
C. Use Network ACLs to control the network traffic to and from your Amazon EC2 instance
D. Set up the IAM policy root credentials to control and configure the clients accessing the EFS file system
E. Use EFS Access Points to manage application access
F. Use Amazon GuardDuty to curb unwanted access to EFS file system
Answer: A, B & E
Explanation
Correct options:
Use VPC security groups to control the network traffic to and from your file system
Attach an IAM policy to your file system to control clients who can mount your file system with the required permissions
Use EFS Access Points to manage application access
You control which EC2 instances can access your EFS file system by using VPC security group rules and AWS Identity and Access Management (IAM) policies. Use VPC security groups to control the network traffic to and from your file system. Attach an IAM policy to your file system to control which clients can mount your file system and with what permissions, and use EFS Access Points to manage application access. Control access to files and directories with POSIX-compliant user and group-level permissions.
Files and directories in an Amazon EFS file system support standard Unix-style read, write, and execute permissions based on the user ID and group IDs. When an NFS client mounts an EFS file system without using an access point, the user ID and group ID provided by the client are trusted. You can use EFS access points to override the user ID and group IDs used by the NFS client. When users attempt to access files and directories, Amazon EFS checks their user IDs and group IDs to verify that each user has permission to access the objects.
Incorrect options:
Use Network ACLs to control the network traffic to and from your Amazon EC2 instance – Network ACLs operate at the subnet level and not at the instance level.
Set up the IAM policy root credentials to control and configure the clients accessing the EFS file system – There is no such thing as an IAM policy root credentials and this statement has been added as a distractor.
Use Amazon GuardDuty to curb unwanted access to EFS file system – Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. It cannot be used for access control to the EFS file system.

Question 4:
The engineering team at an e-commerce company is working on cost optimizations for EC2 instances. The team wants to manage the workload using a mix of on-demand and spot instances across multiple instance types. They would like to create an Auto Scaling group with a mix of these instances.
Which of the following options would allow the engineering team to provision the instances for this use-case?
• You can only use a launch configuration to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
• You can use a launch configuration or a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
• You can neither use a launch configuration nor a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
• You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost (Correct)
Explanation
Correct option:
You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
A launch template is similar to a launch configuration, in that it specifies instance configuration information such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances. Also, defining a launch template instead of a launch configuration allows you to have multiple versions of a template.
With launch templates, you can provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost. Hence this is the correct option.
Incorrect options:
You can only use a launch configuration to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
You can use a launch configuration or a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping.
You cannot use a launch configuration to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances. Therefore both these options are incorrect.
You can neither use a launch configuration nor a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost – You can use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances. So this option is incorrect.

Question 5:
A developer has configured inbound traffic for the relevant ports in both the Security Group of the EC2 instance as well as the Network Access Control List (NACL) of the subnet for the EC2 instance. The developer is, however, unable to connect to the service running on the Amazon EC2 instance.
As a solutions architect, how will you fix this issue?
• IAM Role defined in the Security Group is different from the IAM Role that is given access in the Network ACLs
• Security Groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic (Correct)
• Rules associated with Network ACLs should never be modified from command line. An attempt to modify rules from command line blocks the rule and results in an erratic behavior
• Network ACLs are stateful, so allowing inbound traffic to the necessary ports enables the connection. Security Groups are stateless, so you must allow both inbound and outbound traffic
Explanation
Correct option:
Security Groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic – Security groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic.
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port.
The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL.
By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you need to explicitly allow traffic from the ephemeral port range.
If you accept traffic from the internet, then you also must establish a route through an internet gateway. If you accept traffic over VPN or AWS Direct Connect, then you must establish a route through a virtual private gateway.
Incorrect options:
Network ACLs are stateful, so allowing inbound traffic to the necessary ports enables the connection. Security Groups are stateless, so you must allow both inbound and outbound traffic – This is incorrect as already discussed.
IAM Role defined in the Security Group is different from the IAM Role that is given access in the Network ACLs – This is a made-up option and just added as a distractor.
Rules associated with Network ACLs should never be modified from command line. An attempt to modify rules from command line blocks the rule and results in an erratic behavior – This option is a distractor. AWS does not support modifying rules of Network ACLs from the command line tool.
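The stateful/stateless distinction from the Tips (vi, vii) and from this question, as an added toy model that is not part of the notes or of AWS: one TCP connection (request in, reply out) is checked against a security group that tracks connections and against a network ACL that does not. Port numbers, the client source port and the rule classes are constructed for the illustration.

```python
# Added example (not from the page or AWS): a toy model of one TCP connection
# crossing a stateful security group and a stateless network ACL, as in Question 5.
from dataclasses import dataclass, field

CLIENT_PORT = 50000          # constructed: a client source port from the ephemeral range
EPHEMERAL = (1024, 65535)    # ephemeral port range as quoted on the page

@dataclass
class Rule:
    direction: str       # "in" or "out"
    ports: tuple         # (low, high) destination-port range the rule covers
    action: str = "allow"

    def matches(self, direction, dst_port):
        return self.direction == direction and self.ports[0] <= dst_port <= self.ports[1]

@dataclass
class SecurityGroup:
    rules: list                                   # allow rules only, implicit deny
    flows: set = field(default_factory=set)       # tracked connections (stateful)

    def check(self, direction, src, dst):
        reply_of = ("in" if direction == "out" else "out", dst, src)
        if reply_of in self.flows:                # reply to a tracked flow: no rule needed
            return True
        if any(r.matches(direction, dst) for r in self.rules):
            self.flows.add((direction, src, dst))
            return True
        return False                              # nothing allowed it: blocked by default

@dataclass
class NetworkAcl:
    rules: list   # evaluated in order, first match wins, ends with an implicit deny

    def check(self, direction, src, dst):
        for r in self.rules:                      # no connection tracking (stateless)
            if r.matches(direction, dst):
                return r.action == "allow"
        return False

def round_trip(fw, service_port):
    """Client request to service_port, then the service's reply back to the client."""
    request = fw.check("in", CLIENT_PORT, service_port)
    reply = fw.check("out", service_port, CLIENT_PORT)
    return request, reply

# Only the inbound 443 rule is given to the security group, to isolate statefulness.
SG = SecurityGroup([Rule("in", (443, 443))])
NACL_NO_EPHEMERAL = NetworkAcl([Rule("in", (443, 443)), Rule("out", (443, 443))])
NACL_WITH_EPHEMERAL = NetworkAcl([Rule("in", (443, 443)), Rule("out", EPHEMERAL)])

if __name__ == "__main__":
    print("security group:", round_trip(SG, 443))                        # (True, True)
    print("NACL, no ephemeral egress:", round_trip(NACL_NO_EPHEMERAL, 443))   # (True, False)
    print("NACL, ephemeral egress:", round_trip(NACL_WITH_EPHEMERAL, 443))    # (True, True)
```

The second NACL reproduces the failure in the question: the request reaches the service but the reply to the client's ephemeral port is dropped until an outbound rule for 1024-65535 is added.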

Question 6:
A silicon valley based startup has a two-tier architecture using EC2 instances for its flagship application. The web servers (listening on port 443), which have been assigned security group A, are in public subnets across two Availability Zones and the MSSQL based database instances (listening on port 1433), which have been assigned security group B, are in two private subnets across two Availability Zones. The DevOps team wants to review the security configurations of the application architecture.
As a solutions architect, which of the following options would you select as the MOST secure configuration? (Select two)
A. For security group B: Add an inbound rule that allows traffic only from security group A on port 1433
B. For security group B: Add an inbound rule that allows traffic only from security group A on port 443
C. For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 1433
D. For security group B: Add an inbound rule that allows traffic only from all sources on port 1433
E. For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 443
Answer: A & C
Explanation
Correct options:
For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 1433
For security group B: Add an inbound rule that allows traffic only from security group A on port 1433
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you can specify one or more security groups; otherwise, we use the default security group. You can add rules to each security group that allows traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When we decide whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups that are associated with the instance.
The following are the characteristics of security group rules:
By default, security groups allow all outbound traffic.
Security group rules are always permissive; you can’t create rules that deny access.
Security groups are stateful
The MOST secure configuration for the given use case is:
For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 1433
The above rules make sure that the web servers accept traffic from all sources over HTTPS on port 443, and that they only allow outbound traffic to the MSSQL servers in security group B on port 1433.
For security group B: Add an inbound rule that allows traffic only from security group A on port 1433. The above rule makes sure that the MSSQL servers only accept traffic from web servers in security group A on port 1433.
Therefore, both of these options are correct.
Incorrect options:
For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 443 – As the MSSQL based database instances are listening on port 1433, the outbound rule for security group A should be added on port 1433, with the destination as security group B.
For security group B: Add an inbound rule that allows traffic only from all sources on port 1433 – The inbound rule should allow traffic only from security group A on port 1433. Allowing traffic from all sources will compromise security.
For security group B: Add an inbound rule that allows traffic only from security group A on port 443 – The inbound rule should allow traffic only from security group A on port 1433 because the MSSQL based database instances are listening on port 1433.
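The tier-to-tier pattern of Question 1 and Question 6 (a database group that admits only the web group, on the listener port only), as an added review script that is not part of the notes, of AWS or of boto3. It expresses rules in the dict shape boto3's describe_security_groups returns and flags the question's distractors; the group IDs are constructed placeholders.

```python
# Added example (not from the page, AWS, or boto3): review the two-tier rules of
# Question 6 in the dict shape boto3's describe_security_groups returns.
WEB_SG = "sg-0000000000web0000"   # constructed: security group A (web tier)
DB_SG = "sg-00000000000db0000"    # constructed: security group B (MSSQL tier)
HTTPS, MSSQL = 443, 1433

def rule(port, cidr=None, group=None):
    """One IpPermissions entry for a single TCP port, sourced from a CIDR or a group."""
    entry = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        entry["IpRanges"].append({"CidrIp": cidr})
    if group:
        entry["UserIdGroupPairs"].append({"GroupId": group})
    return entry

def review(sg_id, permissions, expected_port, peer_group=None):
    """Check one direction of one group's rules. Empty list = passes.

    expected_port: the only port the rules should cover.
    peer_group:    if given, every rule must reference this group and no CIDR
                   (tier-to-tier traffic); None means CIDR sources are fine
                   (the public web tier's inbound 443)."""
    findings = []
    for p in permissions:
        ports = f"{p['FromPort']}-{p['ToPort']}" if p["FromPort"] != p["ToPort"] else str(p["FromPort"])
        if not (p["FromPort"] == p["ToPort"] == expected_port):
            findings.append(f"{sg_id}: rule on port {ports}, but the service uses {expected_port}")
        if peer_group is None:
            continue
        for r in p["IpRanges"]:
            findings.append(f"{sg_id}: port {ports} open to CIDR {r['CidrIp']}; expected only {peer_group}")
        for g in p["UserIdGroupPairs"]:
            if g["GroupId"] != peer_group:
                findings.append(f"{sg_id}: port {ports} references {g['GroupId']}; expected {peer_group}")
    return findings

# The page's correct answer (options A and C) versus its distractors (B, D, E).
CORRECT = {
    "A inbound": (WEB_SG, [rule(HTTPS, cidr="0.0.0.0/0")], HTTPS, None),
    "A outbound": (WEB_SG, [rule(MSSQL, group=DB_SG)], MSSQL, DB_SG),
    "B inbound": (DB_SG, [rule(MSSQL, group=WEB_SG)], MSSQL, WEB_SG),
}
DISTRACTORS = {
    "option B": (DB_SG, [rule(HTTPS, group=WEB_SG)], MSSQL, WEB_SG),
    "option D": (DB_SG, [rule(MSSQL, cidr="0.0.0.0/0")], MSSQL, WEB_SG),
    "option E": (WEB_SG, [rule(HTTPS, group=DB_SG)], MSSQL, DB_SG),
}

if __name__ == "__main__":
    for name, args in {**CORRECT, **DISTRACTORS}.items():
        print(name, review(*args) or "OK")
```

Referencing the web tier's group ID instead of its instance IP addresses is what keeps the rule correct when Auto Scaling replaces web instances.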