Concepts
Security Groups
A security group is a named collection of access rules. These access rules specify which ingress, i.e. incoming, network traffic should be delivered to your instance. All other ingress traffic will be discarded.
A group's rules may be modified at any time. The new rules are automatically enforced for all running, as well as for subsequently launched, instances affected by the change in rules.
Note: Currently there is a limit of one hundred rules per group.
Group Membership
When an AMI instance is launched it may be assigned membership to any number of groups.
If no groups are specified, the instance is assigned to the "default" group. This group can be modified by you, like any other group you have created. By default, this group allows all network traffic from other members of the "default" group and discards traffic from other IP addresses and groups.
Group Access Rights
The access rules define source-based access, either for named security groups or for IP addresses, i.e. CIDRs. For CIDRs you may also specify the protocol and port range (or ICMP type/code).
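The following model, added here as an illustration and not code from Amazon's EC2 tools or SOAP API, shows how the rules above combine: every rule is an ALLOW, ingress that matches no rule is discarded (default deny), a rule's source is either a named group or a CIDR, only CIDR rules carry a protocol and port range, and the one-hundred-rule limit is enforced when a rule is authorized. The names Rule, Packet, SecurityGroup, rule_matches and allows_ingress are assumptions of this example, as are the addresses in walkthrough, which replays the "default" group scenario from the Examples section with constructed values.

```python
"""Ingress evaluation model for an EC2 security group (added illustration,
not the EC2 tools' own code; all names and addresses are constructed)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

MAX_RULES_PER_GROUP = 100  # limit stated in the guide


@dataclass(frozen=True)
class Rule:
    """One ALLOW rule. Exactly one of source_group / source_cidr is set."""
    source_group: Optional[str] = None   # e.g. "default": members of that group
    source_cidr: Optional[str] = None    # e.g. "192.168.1.130/32"
    protocol: Optional[str] = None       # "tcp", "udp", "icmp"; None = all
    port_from: Optional[int] = None      # low port, or ICMP type; None = any
    port_to: Optional[int] = None        # high port, or ICMP code; None = port_from

    def __post_init__(self) -> None:
        if (self.source_group is None) == (self.source_cidr is None):
            raise ValueError("rule needs exactly one source: group or CIDR")
        if self.source_group is not None and self.protocol is not None:
            raise ValueError("protocol/port restrictions apply to CIDR sources only")
        if self.source_cidr is not None:
            ip_network(self.source_cidr)  # fail early on a malformed CIDR
        if self.port_from is not None and self.port_to is None:
            object.__setattr__(self, "port_to", self.port_from)


@dataclass(frozen=True)
class Packet:
    """The parts of an ingress packet the firewall looks at."""
    src_ip: str
    src_groups: FrozenSet[str]   # groups of the sending instance; empty for outside hosts
    protocol: str
    port: int                    # destination port (for icmp: the type)


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def authorize(self, rule: Rule) -> None:
        """Add a rule; takes effect for running and future instances at once."""
        if len(self.rules) >= MAX_RULES_PER_GROUP:
            raise ValueError(f"{self.name}: limit of {MAX_RULES_PER_GROUP} rules reached")
        if rule not in self.rules:
            self.rules.append(rule)

    def revoke(self, rule: Rule) -> None:
        self.rules.remove(rule)


def rule_matches(rule: Rule, packet: Packet) -> bool:
    if rule.source_group is not None and rule.source_group not in packet.src_groups:
        return False
    if rule.source_cidr is not None and ip_address(packet.src_ip) not in ip_network(rule.source_cidr):
        return False
    if rule.protocol is not None and rule.protocol != packet.protocol:
        return False
    if rule.port_from is not None and not (rule.port_from <= packet.port <= rule.port_to):
        return False
    return True


def allows_ingress(group: SecurityGroup, packet: Packet) -> bool:
    """Default deny: delivered only if at least one rule allows it."""
    return any(rule_matches(r, packet) for r in group.rules)


def walkthrough() -> Tuple[bool, bool, bool, bool, bool]:
    """Replay of the guide's 'default' group story with constructed addresses."""
    default = SecurityGroup("default", [Rule(source_group="default")])
    outsider = Packet("198.51.100.7", frozenset(), "tcp", 22)      # the port scanner
    peer = Packet("10.0.0.5", frozenset({"default"}), "tcp", 3306)  # another group member
    before = allows_ingress(default, outsider)                     # False: "filtered"
    default.authorize(Rule(source_cidr="192.168.1.130/32", protocol="tcp", port_from=22))
    laptop_ssh = Packet("192.168.1.130", frozenset(), "tcp", 22)
    laptop_http = Packet("192.168.1.130", frozenset(), "tcp", 80)
    return (before, allows_ingress(default, laptop_ssh), allows_ingress(default, laptop_http),
            allows_ingress(default, peer), allows_ingress(default, outsider))
```

Authorizing the SSH rule opens port 22 to one host only; the scanner and every other port from the laptop stay filtered, while group members keep the unrestricted access the default rule grants them.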
Amazon EC2
Developer Guide
15
Examples
We illustrate the use of the Amazon EC2 firewall in the following two examples. Note that we use the command line tools throughout the examples. The same results can be achieved using the SOAP API.
Default Group
1. Albert launches a copy of his favourite public AMI
$ ec2-run-instances ami-eca54085
RESERVATION 01927768 598916040194
INSTANCE cfd732a6 ami-eca54085 pending
2. After a little wait for image launch to complete, Albert, who is a cautious type, checks the access rules of the default group
$ ec2-describe-group default
GROUP 598916040194 default default group
PERMISSION default ALLOWS all FROM USER 598916040194 GRPNAME default
and notices that it only accepts ingress network connections from other members of the default group for all protocols and ports.
3. Albert, being paranoid as well as cautious, port scans his instance
$ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
All 100 scanned ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116) are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds
4. Albert decides he should be able to SSH into his instance, but only from his own machine
$ ec2-authorize default -P tcp -p 22 -s 192.168.1.130/32
GROUP default
PERMISSION default ALLOWS tcp 22 22 FROM CIDR 192.168.1.130/32
5. Repeating the port scan
$ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST
Interesting ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116):
(The 99 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds
Albert is happy (or at least less paranoid).
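Albert checked his group by reading ec2-describe-group output by eye. The script below, added here as an example and not part of the Amazon EC2 tools, does the same check mechanically: it parses PERMISSION lines in the layout this guide shows (protocol "all" carries no port columns; the source is either "CIDR <cidr>" or "USER <owner> GRPNAME <name>") and flags CIDR rules that are wider than the least-privilege rule Albert chose. The function names parse_permission, parse_output and audit are assumptions of this example, and SAMPLE_OUTPUT is constructed from the two rule shapes on this page plus one deliberately over-broad rule.

```python
"""Audit of ec2-describe-group output for over-broad ingress rules (added
example; the output layout is taken from this guide, the sample is constructed)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Constructed sample: the guide's two rules plus a world-open rule to be flagged.
SAMPLE_OUTPUT = """\
GROUP 598916040194 default default group
PERMISSION default ALLOWS all FROM USER 598916040194 GRPNAME default
PERMISSION default ALLOWS tcp 22 22 FROM CIDR 192.168.1.130/32
PERMISSION default ALLOWS tcp 1 65535 FROM CIDR 0.0.0.0/0
"""

ADMIN_PORTS = {22, 3389}   # ports that should only ever be reachable from known hosts
WIDE_RANGE = 1000          # threshold for "this port range is too broad"


@dataclass(frozen=True)
class Permission:
    group: str
    protocol: str                # "tcp", "udp", "icmp" or "all"
    port_from: Optional[int]     # None when protocol is "all"
    port_to: Optional[int]
    cidr: Optional[str] = None
    source_group: Optional[str] = None


def parse_permission(line: str) -> Permission:
    """Parse one PERMISSION line in the layout printed by ec2-describe-group."""
    t = line.split()
    if len(t) < 7 or t[0] != "PERMISSION" or t[2] != "ALLOWS":
        raise ValueError(f"not a PERMISSION line: {line!r}")
    group, proto = t[1], t[3]
    if proto == "all":
        ports, rest = (None, None), t[4:]          # no port columns for "all"
    else:
        ports, rest = (int(t[4]), int(t[5])), t[6:]
    if rest[0] != "FROM":
        raise ValueError(f"expected FROM: {line!r}")
    if rest[1] == "CIDR":
        return Permission(group, proto, *ports, cidr=rest[2])
    if rest[1] == "USER" and len(rest) >= 5 and rest[3] == "GRPNAME":
        return Permission(group, proto, *ports, source_group=rest[4])
    raise ValueError(f"unknown source form: {line!r}")


def parse_output(text: str) -> List[Permission]:
    return [parse_permission(l) for l in text.splitlines() if l.startswith("PERMISSION")]


def audit(perms: List[Permission]) -> List[str]:
    """Return one finding per way a CIDR rule exceeds least privilege."""
    findings = []
    for p in perms:
        if p.cidr is None:
            continue   # group-sourced rules admit only instances in that group
        net = ip_network(p.cidr)
        lo, hi = (0, 65535) if p.protocol == "all" else (p.port_from, p.port_to)
        where = f"{p.group}: {p.protocol} {lo}-{hi} from {p.cidr}"
        if net.prefixlen == 0:
            findings.append(f"{where}: open to every address")
        if hi - lo >= WIDE_RANGE:
            findings.append(f"{where}: port range wider than {WIDE_RANGE} ports")
        if net.num_addresses > 1 and any(lo <= a <= hi for a in ADMIN_PORTS):
            findings.append(f"{where}: administrative port not limited to a single host")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_output(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample, the group-sourced "all" rule and Albert's tcp 22 rule from a /32 produce no findings; the 0.0.0.0/0 rule is reported three times, once for each way it is too broad. Piping real `ec2-describe-group` output into parse_output gives the same check for a live group.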
Three Tier Web Service
Mary wishes to deploy her public, fault-tolerant, three-tier web service in Amazon EC2. Her grand plan is to have her web tier start off executing in seven instances of ami-fba54092, her application tier executing in twenty instances of ami-e3a5408a, and her multi-master database in two instances of