AWS SG – Some best practices

Learning about a few AWS SG – Some best practices

SG rules:

  • Rules never deny access; they only permit it, based on protocol and port.
  • Subject to the per-instance limit, you can associate several security groups with one instance, and EC2 evaluates their rules together as a single ruleset.
  • You can change security group rules at any time; EC2 applies the change automatically to all associated instances.
  • If several rules cover the same port, AWS applies the most permissive (weakest) one. For example, if one rule allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule allows access to TCP port 22 from everyone, then everyone has access to TCP port 22.

Some best practices:

  • Restrict outbound traffic to specific destinations or ports, so that data in the cloud cannot go anywhere it isn’t supposed to.
  • Prevent inbound rules from 0.0.0.0/0, which accept any IP address as a source. Such rules expose your data to hacking, DDoS attacks, and other threats that may enter the cloud.
  • Enable flow logging (VPC Flow Logs) so you can track all traffic entering and leaving each instance. The logs also show which security groups need their rules changed, such as those that permit access from unknown IP addresses.
  • Limit access to ports 445 and 20/21 to authorized parties only. Port 445, normally used for the Common Internet File System (CIFS/SMB) protocol, can let outsiders reach your data over the internet. Likewise, ports 20/21 are typically used for File Transfer Protocol (FTP), which lets users download files.
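The two lists above describe how rules are evaluated (permit-only, union of all attached groups, most permissive rule wins) and what to look for when reviewing them. The script below is an added example, not code from the original post: it evaluates whether a given source/port is permitted by the combined ruleset of the attached groups, and then audits the same groups for the best practices listed (inbound from 0.0.0.0/0, unrestricted egress, exposed ports 20/21/445). The input is a constructed dictionary that mirrors the shape of `aws ec2 describe-security-groups` output; the group ids and names are placeholders.

```python
"""Offline evaluation and audit of EC2 security group rules (added example).

SECURITY_GROUPS is constructed to mirror the JSON shape returned by
`aws ec2 describe-security-groups`; it is not data from a real account.
"""
import ipaddress

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
SENSITIVE_PORTS = {20: "FTP data", 21: "FTP control", 445: "SMB/CIFS"}

# Constructed sample: two groups attached to the same instance.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",  # placeholder id
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.1/32"}]},
        ],
        # "-1" means all protocols; FromPort/ToPort are absent in that case
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}],
    },
    {
        "GroupId": "sg-0fedcba9876543210",  # placeholder id
        "GroupName": "legacy-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}]},
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}]},
        ],
    },
]


def rule_ports(rule):
    """Port range covered by a rule; protocol "-1" covers every port."""
    if rule["IpProtocol"] == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def rule_cidrs(rule):
    """All IPv4 and IPv6 CIDRs listed as sources/destinations of a rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_matches(rule, protocol, port, source_ip):
    """True if this single rule permits protocol/port from source_ip."""
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    if port not in rule_ports(rule):
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in rule_cidrs(rule)
               if ipaddress.ip_network(c).version == ip.version)


def is_allowed(groups, protocol, port, source_ip):
    """Security groups only permit: the inbound rules of every attached group
    are unioned, so one permissive rule anywhere grants access and nothing
    can deny it. This is the 'most permissive rule wins' behaviour."""
    return any(rule_matches(rule, protocol, port, source_ip)
               for g in groups for rule in g["IpPermissions"])


def audit(groups):
    """Return (group name, check, detail) findings for the best practices above."""
    findings = []
    for g in groups:
        name = g["GroupName"]
        for rule in g["IpPermissions"]:
            world = [c for c in rule_cidrs(rule) if c in (ANY_V4, ANY_V6)]
            ports = rule_ports(rule)
            if world:
                findings.append((name, "inbound-from-anywhere",
                                 f"{rule['IpProtocol']} {ports.start}-{ports[-1]} from {world}"))
            for p, label in SENSITIVE_PORTS.items():
                if p in ports:
                    findings.append((name, "sensitive-port",
                                     f"{label} ({p}) reachable from {rule_cidrs(rule)}"))
        for rule in g["IpPermissionsEgress"]:
            # Egress that is neither port- nor destination-restricted
            if rule["IpProtocol"] == "-1" and any(c in (ANY_V4, ANY_V6) for c in rule_cidrs(rule)):
                findings.append((name, "unrestricted-egress", "all protocols to anywhere"))
    return findings


if __name__ == "__main__":
    print("SSH from 198.51.100.7 allowed:", is_allowed(SECURITY_GROUPS, "tcp", 22, "198.51.100.7"))
    for f in audit(SECURITY_GROUPS):
        print(*f, sep=" | ")
```

Run against the sample, `is_allowed` reports SSH open to 198.51.100.7 even though the `web` group restricts port 22 to 203.0.113.1, because the attached `legacy-admin` group opens it to the world; the audit then lists that rule, the public 443 listener (which a reviewer may accept for a web tier but should record as intentional), the SMB/CIFS port, and the all-protocol egress. Against a real account the same functions can be fed the `SecurityGroups` list from `boto3`'s `describe_security_groups` response, which uses the same keys.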

Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html
