1. What are Security Groups?
▶ Security groups are the fundamentals of network security in AWS.
▶ They control how traffic is allowed into or out of our EC2 instances.
⭐ Security groups only contain allow rules
- Because they contain only allow rules, you can see exactly what is allowed in and what is allowed out.
⭐ Security group rules can reference by IP or by another security group
- Security group rules are written based on IP addresses or ranges.
- Or they can be configured by referencing another security group (security groups can reference each other).
[Example]
Say we are using a computer on the public Internet and trying to access an EC2 instance.
- The security group attached to the instance decides whether that inbound traffic can reach it and whether outbound traffic can leave it.
2. Security Groups
▶ Security groups act as a "firewall" on EC2 instances.
▶ They regulate:
- Access to ports
- Authorised IP ranges - IPv4 and IPv6
- Control of inbound network traffic (from others to the instance)
- Control of outbound network traffic (from the instance to others)
3. Security Groups Diagram (How the firewall works)
▶ Here is an EC2 instance with one inbound rule and one outbound rule in a single security group attached to it.
Inbound
▶ Case 1: my computer is authorised on port 22 -> traffic can go through to the EC2 instance
▶ Case 2: someone else's computer that is not using my IP address -> traffic cannot get through to the EC2 instance; the firewall drops it and the connection times out
Outbound
▶ Case 3: by default, any traffic going out of the EC2 instance is allowed
- So if the EC2 instance tries to access any website and initiates the connection, the security group allows it.
4. Security Groups - Details
▶ Can be attached to multiple instances.
- There is no one-to-one relationship between security groups and instances.
▶ An instance can have multiple security groups.
▶ Locked down to a region / VPC combination
- So if you switch to another region or create another VPC, you have to create the security group again.
▶ Exists "OUTSIDE" of the EC2 instance - if traffic is blocked, the EC2 instance won't see it.
- If traffic is blocked, the EC2 instance cannot see that traffic at all.
- It is separate from the application running on EC2; it is really a kind of firewall outside the instance.
▶ If your application is not accessible (time out), then it's a security group issue.
- If you try to connect to some port and your computer just hangs and waits, it is most likely a security group problem.
▶ If your application gives a "connection refused" error, it's an application error or it's not launched
- But if a "connection refused" error occurs, you actually received a response saying the connection was refused.
- In reality the security group is working and the traffic got through, but the application errored or is not running.
⭐ SEPARATE security group for SSH access
- It is good practice to keep one separate security group just for SSH access.
⭐ All inbound traffic is blocked and all outbound traffic is authorised by default
- By default, all inbound traffic is blocked and all outbound traffic is allowed.
5. How to reference a Security Group from other Security Groups
▶ A really useful feature once you start using load balancers
▶ Here is an EC2 instance with Security Group 1 attached to it.
▶ Security Group 1 has two inbound rules whose sources are Security Group 1 and Security Group 2 (i.e. it authorises those groups).
- By doing so, another EC2 instance with Security Group 1 or Security Group 2 attached can connect directly to this instance on that port,
- regardless of the instances' IP addresses: because they have the right security group attached to them, they are able to communicate straight through to the other instances.
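To make the evaluation rules from sections 3 and 5 concrete, here is an added model of how a security group decides on inbound traffic (example code written for these notes, not AWS code); the group ids, addresses and rule sets are constructed placeholders:

```python
"""Model of how EC2 security groups evaluate inbound traffic (added example).

Rules are allow-only, a rule's source is a CIDR or another security group,
an instance's effective rule set is the union of every group attached to it,
and unmatched traffic is silently dropped (the client sees a timeout).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str  # "tcp" or "udp"
    port: int      # a single port, for simplicity
    source: str    # CIDR such as "203.0.113.5/32", or a group id such as "sg-web"


# Constructed sample groups; the ids and addresses are placeholders.
GROUPS = {
    "sg-ssh": [Rule("tcp", 22, "203.0.113.5/32")],  # SSH only from my own IP
    "sg-web": [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "::/0")],
    "sg-db": [Rule("tcp", 3306, "sg-web")],  # source is a group, not an IP
}


def inbound_allowed(attached, src_ip, src_groups, protocol, port):
    """True if any allow rule of any group attached to the instance matches.

    attached:   group ids attached to the destination instance
    src_ip:     source address (IPv4 or IPv6) as text
    src_groups: group ids attached to the source instance (empty for a host on
                the public Internet); matched by rules that reference a group
    """
    ip = ipaddress.ip_address(src_ip)
    for gid in attached:
        for rule in GROUPS.get(gid, []):
            if rule.protocol != protocol or rule.port != port:
                continue
            if rule.source.startswith("sg-"):
                if rule.source in src_groups:
                    return True
            elif ip in ipaddress.ip_network(rule.source, strict=False):
                return True  # version mismatch (v4 rule, v6 source) is False
    return False  # there are no deny rules: anything unmatched is simply dropped


if __name__ == "__main__":
    print("case 1, my IP on 22:", inbound_allowed(["sg-ssh", "sg-web"], "203.0.113.5", [], "tcp", 22))
    print("case 2, other IP on 22:", inbound_allowed(["sg-ssh", "sg-web"], "198.51.100.7", [], "tcp", 22))
```

Case 2 returning False is the "time out" situation from section 4: nothing answers, so the client waits until it gives up.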
6. Classic Ports
Ports you should know
Port | Protocol | Explanation | Use
22 | SSH | Secure Shell | log into a Linux instance
21 | FTP | File Transfer Protocol |
22 | SFTP | Secure File Transfer Protocol (runs over SSH) |
80 | HTTP | Hypertext Transfer Protocol | access an unsecured website
443 | HTTPS | standard secure website protocol | access a secured website
3389 | RDP | Remote Desktop Protocol | log into a Windows instance
7. Hands-on
[EC2 Dashboard] > (Side Menu) [▼Network & Security] > [Security Groups]
▶ Security Group: default
▶ Security group for the EC2 instance: launch-wizard-1
- The launch-wizard-1 group shown here can also be attached to other EC2 instances.
- You can attach as many security groups as you want.
- Several EC2 instances can also be assigned to one security group.
▶ Inbound rules: rules that let connections from outside reach the EC2 instance
▶ Edit inbound rules
- The first is SSH on port 22, accessible from anywhere, i.e. 0.0.0.0/0 = Anywhere.
- The second is HTTP on port 80, likewise an inbound rule accessible from anywhere.
- If you delete the HTTP rule with the Delete button and then try to reach the EC2 instance, the page loads forever and you cannot reach the web server.
⭐⭐ How to fix a TIME OUT
If you are trying to connect to the EC2 instance over SSH or with an HTTP request but it does not succeed and eventually fails with a timeout, then it is 100% because of the EC2 security group.
So you must go to the Security Group tab and check that the rules are correct.
⭐ Add rule
How to add an HTTP rule
[Add rule] > Type: HTTP > Source : Anywhere IPv4 > Save rules
▶ Outbound rules
- Allow all IPv4 traffic going to anywhere (full internet connection to anywhere).