Security Rules - Outbound Port

0

Hello,

I need the following configuration: all data traffic should be permitted outbound, but 2 ports can only be free for a certain IP range.

AWS only uses the most permissive rule that allows all outbound traffic. How can I set the rule with the ports to have a higher weighting?

Thanks!

Hacky
Asked 5 months ago, 202 views
4 answers
0
Accepted answer

But! One of my rules is that all outbound traffic is allowed (0.0.0.0/0). Now, we have 2 ports (5600 + 5700) that should only be released to a specific /32 address. These ports should be restricted to all other IP addresses.

I think that for that instance, one security group rule is going to have to turn into five security group rules. Which is easy to do, but at the same time is ugly.

Rule 1 opens ports 0-5599 to 0.0.0.0/0

Rule 2 opens port 5600 to single /32 address

Rule 3 opens ports 5601-5699 to 0.0.0.0/0

Rule 4 opens port 5700 to single /32 address

Rule 5 opens ports 5701-65535 to 0.0.0.0/0

I can't see another way of doing it; like you say, once you open 0-65535 to all hosts you can't then tighten it up again only for specific address(es).

Steve_M
Expert
Answered 5 months ago
Reviewed 5 months ago by 2 Experts
  • Yes, that's exactly what I did too. For a single instance it's ok. But it would be much better if there could be weighting in the security groups, like with the VPC ACLs.

  • Agree with Steve's answer here; however, it will become unmanageable if you expand these rules over time.
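The five-rule split from the accepted answer, generalised to any set of restricted ports, as an added example that is not code from the original thread. It assumes the rules are TCP, that the restricted destination is the placeholder address 203.0.113.10/32, and that the original "All traffic 0.0.0.0/0" rule is revoked before the new rules are added (otherwise it still matches everything); the rule dicts use the IpPermissions shape accepted by boto3's authorize_security_group_egress.

```python
"""Split an allow-all TCP egress rule so that chosen ports only reach one CIDR.

Constructed example: ports 5600 and 5700 may only go to 203.0.113.10/32
(placeholder address); every other port stays open to 0.0.0.0/0.
"""
from typing import Dict, List

MIN_PORT, MAX_PORT = 0, 65535


def _rule(from_port: int, to_port: int, cidr: str) -> dict:
    # One entry in the IpPermissions list used by authorize_security_group_egress.
    return {
        "IpProtocol": "tcp",
        "FromPort": from_port,
        "ToPort": to_port,
        "IpRanges": [{"CidrIp": cidr}],
    }


def split_egress_rules(restricted: Dict[int, str], open_cidr: str = "0.0.0.0/0") -> List[dict]:
    """Return rules equivalent to 'tcp 0-65535 -> open_cidr', except that each
    port in `restricted` is allowed only to the CIDR mapped to it.

    Adjacent restricted ports produce no empty gap range, and restricting
    port 0 or 65535 produces no out-of-range rule.
    """
    rules: List[dict] = []
    cursor = MIN_PORT  # first port not yet covered by a rule
    for port in sorted(restricted):
        if not MIN_PORT <= port <= MAX_PORT:
            raise ValueError(f"port out of range: {port}")
        if port > cursor:
            rules.append(_rule(cursor, port - 1, open_cidr))  # open gap below
        rules.append(_rule(port, port, restricted[port]))     # the /32-only port
        cursor = port + 1
    if cursor <= MAX_PORT:
        rules.append(_rule(cursor, MAX_PORT, open_cidr))      # open tail
    return rules


def describe(rules: List[dict]) -> List[str]:
    return [f"tcp {r['FromPort']}-{r['ToPort']} -> {r['IpRanges'][0]['CidrIp']}" for r in rules]


if __name__ == "__main__":
    target = "203.0.113.10/32"  # placeholder, not a real destination
    for line in describe(split_egress_rules({5600: target, 5700: target})):
        print(line)
    # Apply with boto3 (not run here), after revoking the all-traffic rule:
    # boto3.client("ec2").authorize_security_group_egress(GroupId=SG_ID, IpPermissions=rules)
```

UDP or other protocols covered by the old all-traffic rule need their own rules; this split only reproduces the TCP part.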

0

Why not only ALLOW access on the /32 HOST from specific sources ONLY instead of managing the outbound from an EC2?

Expert
Answered 5 months ago
  • Trust is good, control is better :)

  • You should place the security control as close as possible to the resource you wish to protect, rather than trusting you've secured a host far away.

0

Hello.

If you want to change the settings for each EC2, please edit the outbound rules of the security group.
https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

If you want to control on a subnet basis, set outbound rules for the network ACL.
Network ACLs are stateless settings, so you need to set permissions in outbound rules and allow return traffic in inbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Expert
Answered 5 months ago
  • Isn't it okay to just delete the "0.0.0.0/0" rule? Or how about making the "0.0.0.0/0" rule more detailed and allowing only the necessary protocols? For example, wouldn't it be better to set "0.0.0.0/0" to only allow HTTP and HTTPS?

0

Thanks for your answer!

Yes, I need this change for one EC2 instance. We have to edit the security rules of this instance.

But! One of my rules is that all outbound traffic is allowed (0.0.0.0/0). Now, we have 2 ports (5600 + 5700) that should only be released to a specific /32 address. These ports should be restricted to all other IP addresses.

Now, when I add these rules, this rule will not be honored because AWS takes the most tolerant rule, and this says all data traffic is released to 0.0.0.0/0.

So I have to give the rule with the 2 ports more weight. But how?

Hacky
Answered 5 months ago
