AWS Security Groups' Best Practices

AWS Security Groups

Create a small number of security groups that can be combined together to create the desired security configuration. We recommend having a generic group for a resource of each type with all common rules, and a specific group for each individual resource with the particularities.

Recommended Security Groups:

  • A generic default group for each resource type: these groups are used to hold default groups that apply to the type of resource, for example, the SSH access to EC2 instances from a fixed administration IP address or the access to the database port for administration from a fixed administration IP.
    Examples:
    • ditwl-sg-rds-mariadb-def: default security group for all the MariaDB RDS resources. It is specific for MariaDB RDS resources as another type of database will use a different port.
    • ditwl-sg-ec2-def: default security group for all EC2 instances. It will have the SSH access rule.
  • A specific group for each resource:  It is recommended to have a group for each resource, it will be named using part of the resource name and the prefix will have the cloud and the resource type. Examples:
    • ditwl-aws-sg-rds-mariadb-pro-pub-01: security group for all the MariaDB RDS resources.
    • ditwl-sg-ec2-pro-pub-01: security group for all the WP EC2 instances.

Avoid creating too many groups and don’t use CIDR as a source (except for Internet as a source). It is better to use groups as a source, that way an element gets access to other resources by being a member of a group, not by having a specific IP that can change.

Leave a Reply

Your email address will not be published. Required fields are marked *


Related Cloud Tutorials

Control traffic to AWS resources using security groups
How to configure and use the Terraform aws_security_group and aws_security_group_rule resource blocks to create and manage AWS Security Groups and secure the infrastructure.
AWS Routing Tables with Terraform
How to configure and use the Terraform aws_route_table, aws_route, and aws_main_route_table_association resource blocks to create and manage AWS Routing Tables.
AWS NAT Gateway
How to configure and use the Terraform aws_nat_gateway and aws_eip resource blocks to create and manage AWS NAT Gateway and its corresponding Public IPs inside each availability zone to enable Internet access from instances in private subnets.
An AWS NAT Gateway is a managed service that allows instances in a private subnet to connect to the Internet while keeping them secure. It provides network address translation (NAT) for outbound traffic, allowing resources in a private subnet to access the internet while maintaining a private IP address.
AWS Internet Gateway
How to configure and use the Terraform aws_internet_gateway resource block to create and manage AWS Internet Gateway inside a VPC to enable instances access to and from the Internet.
Javier Ruiz Cloud and SaaS Expert

Javier Ruiz

IT Wonder Lab tutorials are based on the diverse experience of Javier Ruiz, who founded and bootstrapped a SaaS company in the energy sector. His company, later acquired by a NASDAQ traded company, managed over €2 billion per year of electricity for prominent energy producers across Europe and America. Javier has over 25 years of experience in building and managing IT companies, developing cloud infrastructure, leading cross-functional teams, and transitioning his own company from on-premises, consulting, and custom software development to a successful SaaS model that scaled globally.

Are you looking for cloud automation best practices tailored to your company?

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram