Tuesday, 22 June 2010

Amazon EC2 - Security Groups don't work the way you expect

Nested security groups sound great: exactly what you need to organise your security rules. However, they don't appear to work as you would expect, or as the grouping concept works in other software products.

So far I don't fully understand how it is supposed to work, and I have not found that key piece of documentation either. What I do understand at present is that rules within nested security groups (that are not applied to any EC2 instances) do not apply to an EC2 instance that has the parent group applied.

For example, say I have a security group called 'sec-group-A' which contains 'sec-group-B', and 'sec-group-B' has one rule that allows RDP from 0.0.0.0/0. If you now apply 'sec-group-A' to an EC2 instance (a Windows instance), you will not be able to connect using RDP. If you add the RDP allow rule directly to 'sec-group-A', you will.

So what is the point of grouping? Obviously there is a use for it. When used within another group, they are treated as tags which identify other EC2 instances (?)
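The example below is added here and is not code from the original post or from AWS. It is a simplified Python model of inbound rule evaluation, assuming a group named inside another group's rule acts as a traffic source (instances that are members of that group) and that its own rules are not inherited. The instance names, addresses and the `allowed` and `scenario` helpers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    protocol: str
    port: int
    cidr: str = ""          # source given as an address range
    source_group: str = ""  # source given as another security group

@dataclass
class Instance:
    name: str
    ip: str
    groups: set = field(default_factory=set)

def allowed(dst, src_ip, protocol, port, groups, instances):
    """True if a rule in a group applied directly to dst admits the packet."""
    # Groups the sender belongs to (empty for an address outside EC2).
    src_groups = set()
    for inst in instances:
        if inst.ip == src_ip:
            src_groups |= inst.groups
    for name in dst.groups:          # only groups applied to dst are read
        for rule in groups[name]:
            if (rule.protocol, rule.port) != (protocol, port):
                continue
            if rule.cidr and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr):
                return True
            # A group reference matches senders in that group; the
            # referenced group's own rules are never consulted here.
            if rule.source_group and rule.source_group in src_groups:
                return True
    return False

def scenario(direct_rule=False):
    """The post's setup: A references B, B allows RDP from anywhere."""
    groups = {
        "sec-group-A": [Rule("tcp", 3389, source_group="sec-group-B")],
        "sec-group-B": [Rule("tcp", 3389, cidr="0.0.0.0/0")],
    }
    if direct_rule:  # the workaround: put the RDP rule directly in A
        groups["sec-group-A"].append(Rule("tcp", 3389, cidr="0.0.0.0/0"))
    win = Instance("win1", "10.0.0.5", {"sec-group-A"})    # constructed
    jump = Instance("jump1", "10.0.0.9", {"sec-group-B"})  # constructed
    hosts = [win, jump]
    return {
        "internet_to_win": allowed(win, "203.0.113.10", "tcp", 3389, groups, hosts),
        "jump_to_win": allowed(win, jump.ip, "tcp", 3389, groups, hosts),
    }
```

With the group reference alone, only the instance in 'sec-group-B' reaches RDP on the Windows instance; the 0.0.0.0/0 rule takes effect only once it sits in a group applied to that instance.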

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?concepts-security.html

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?using-network-security.html

http://somic.org/2009/09/21/security-groups-most-underappreciated-feature-of-amazon-ec2/

http://developer.amazonwebservices.com/connect/thread.jspa?threadID=36513

http://www.shlomoswidler.com/2009/06/tagging-ec2-instances-using-security_30.html

http://aws.typepad.com/aws/2010/06/building-three-tier-architectures-with-security-groups.html
