AWS Classroom Series – 27/Oct/2019

Security in AWS VPC

Preview

Layered Security

  • Security At Subnet
  • Security At Network Interface

Network ACL

  • NACLs are security at the subnet level.
  • Here you write rules. Both ALLOW and DENY rules can be written.
  • When you create a VPC, a default NACL is created which allows everything in both directions.
  • Rules have a priority (the rule number).
  • Rules are broken down into two kinds:
    • Incoming (Inbound, Ingress)
    • Outgoing (Outbound, Egress)
  • When you write a rule you specify:
    • IP Address (Source IP or Destination IP): IP address rules are entered as CIDR ranges. For example, 100.10.0.0/16 means any machine with 100.10.x.x, 0.0.0.0/0 means anywhere, and 100.100.10.10/32 means only the single IP 100.100.10.10.
    • Protocol: TCP/UDP/ICMP etc.
    • Port: which port number to consider
    • ACTION: ALLOW/DENY
  • If no rule you have written matches, the traffic is denied by default (because of the priority-ordered evaluation, which ends at the deny-all * rule).
  • The scope of a Network ACL is the VPC: a NACL created for one VPC cannot be used in another VPC (you need to recreate it).

NACL Rule Evaluation

  • Important things to consider:
    • * is the lowest priority
    • 100 is the highest priority
    • The lower the number, the higher the priority
  • Whenever incoming traffic is received on a subnet, evaluation starts from the highest-priority rule in your NACL:
    • Does this rule's IP range match the source IP? If no, go to the next rule. If yes, continue.
    • Does this rule's protocol match the request? If no, go to the next rule. If yes, continue.
    • Does this rule's port number match the request? If no, go to the next rule. If yes, continue.
    • Apply this rule's action (ALLOW or DENY) to the packet and stop processing further rules.

Security Group

  • It is security at the ENI (Elastic Network Interface) level.
  • Here you write rules only for ALLOW (there are no DENY rules).
  • Rules are broken down into two kinds:
    • Incoming (Inbound, Ingress)
    • Outgoing (Outbound, Egress)
  • When you write a rule you specify:
    • IP Address (Source IP or Destination IP): IP address rules are entered as CIDR ranges. For example, 100.10.0.0/16 means any machine with 100.10.x.x, 0.0.0.0/0 means anywhere, and 100.100.10.10/32 means only the single IP 100.100.10.10.
    • Protocol: TCP/UDP/ICMP etc.
    • Port: which port number to consider
  • The scope of a Security Group is the VPC: a Security Group created for one VPC cannot be used in another VPC (you need to recreate it).
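
To make the first-match evaluation above concrete, and to contrast it with the allow-only security group rules, here is an added Python simulation; it is not part of the original notes, and the NACL and security group rule sets in it are constructed for illustration.

```python
import ipaddress

# Constructed inbound NACL for a subnet (not a real account's rules). Each entry is
# (rule number, source CIDR, protocol, (port_from, port_to), action); "*" is the
# catch-all deny that AWS evaluates last.
NACL_INBOUND = [
    (100, "0.0.0.0/0", "tcp", (22, 22), "ALLOW"),
    (200, "100.10.0.0/16", "tcp", (80, 80), "DENY"),
    (300, "0.0.0.0/0", "tcp", (80, 80), "ALLOW"),
    ("*", "0.0.0.0/0", "all", (0, 65535), "DENY"),
]

# Constructed inbound security group: (source CIDR, protocol, (port_from, port_to)).
# Security groups hold ALLOW rules only, so there is no action column.
SG_INBOUND = [("0.0.0.0/0", "tcp", (22, 22))]


def _matches(cidr, rule_proto, ports, src_ip, proto, port):
    """Apply the three checks in the order the notes give: IP, then protocol, then port."""
    lo, hi = ports
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)
            and rule_proto in ("all", proto)
            and lo <= port <= hi)


def nacl_decision(rules, src_ip, proto, port):
    """First match wins, evaluated from the lowest rule number; returns (action, rule number)."""
    ordered = sorted(rules, key=lambda r: float("inf") if r[0] == "*" else r[0])
    for number, cidr, rule_proto, ports, action in ordered:
        if _matches(cidr, rule_proto, ports, src_ip, proto, port):
            return action, number
    return "DENY", "*"  # only reached if the catch-all rule were removed


def sg_decision(rules, src_ip, proto, port):
    """Any matching rule allows; traffic that matches no rule is implicitly denied."""
    for cidr, rule_proto, ports in rules:
        if _matches(cidr, rule_proto, ports, src_ip, proto, port):
            return "ALLOW"
    return "DENY"


if __name__ == "__main__":
    # Rule 200 denies HTTP from 100.10.x.x even though rule 300 would allow it:
    # the lower number is evaluated first and stops further processing.
    print(nacl_decision(NACL_INBOUND, "100.10.3.4", "tcp", 80))   # ('DENY', 200)
    print(nacl_decision(NACL_INBOUND, "203.0.113.5", "tcp", 80))  # ('ALLOW', 300)
    print(nacl_decision(NACL_INBOUND, "203.0.113.5", "tcp", 443)) # ('DENY', '*')
    print(sg_decision(SG_INBOUND, "203.0.113.5", "tcp", 22))      # ALLOW
    print(sg_decision(SG_INBOUND, "203.0.113.5", "tcp", 80))      # DENY
```

NACLs are also stateless, so the reply half of a connection needs its own outbound rule, which is why the exercise below opens everything outgoing at the NACL while the security group only needs the inbound SSH rule.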

Exercise

  • Create NACL rules that allow incoming SSH from anywhere and all outgoing traffic in your VPC.
  • Attach the NACL to all of your subnets.
  • Create two security groups in your VPC: one that allows SSH and one that does not have any rule about SSH.
  • Now create an EC2 machine with the "allow ssh" security group.
  • Now create one more EC2 machine with the "deny ssh" security group (the one without an SSH rule).
  • Check the connectivity to both machines.
  • In your EC2 machines install the Apache web server:

    # ubuntu (apache2 is started automatically after installation)
    sudo apt-get update
    sudo apt-get install apache2 -y

    # centos/redhat (httpd must be started explicitly)
    sudo yum install httpd -y
    sudo service httpd start


About continuous learner

devops & cloud enthusiastic learner