- Newest
- Most votes
- Most comments
You could use Flow logs to see the in and out traffic for the hosts in question to help minimise the access.
But overly, knowing how your application or system works should dictate what ports you allow in or out.
Flow Logs are a good way of achieving this. For example, you can enable them on the network interfaces that use the Security Group in question and leave them running for some time until they collect enough information about your traffic.
Currently Flow Logs can publish data to CloudWatch Logs, Amazon S3 and Kinesis Data Firehose.
Once the data has been collected, there are several ways you can analyse it. For example, use CloudWatch Logs Insights or Amazon Athena.
It should give you fairly good understanding of what ports and IPs are used. Always keep in mind that Flow Logs should run for long enough to make sure that they capture all ports and IPs that your applications may need. It is better to double-check and schedule a maintenance window to apply changes to Security Groups if you are not sure and want to test how it is going to affect your workload.
Don't forget to consider the pricing when collecting a lot of data with the help of Flow Logs.
Relevant content
- asked a year ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago