Does AWS Security Group Rule Order Matter?


I want to evaluate the hit count per security group rule, but I'm not sure if the order of the security group rules affects the evaluation or not.

In addition, I would like to know how the evaluation order and evaluation status are handled when multiple security groups are applied.

According to an answer in the following link, it was written that when multiple security groups are evaluated, they are aggregated into one security group rule set. (I couldn't check the original text because the link of the answer was archived.)

https://serverfault.com/questions/483938/multiple-ec2-security-groups-permissive-or-restrictive

The purpose of measuring hit count is to remove unnecessary items as much as possible by measuring the frequency of use of security groups or security group rules. (I am trying to analyze the vpc flow log.)

If the order of the security group rules is important, I will ignore the action (ACCEPT, DENIED) for a specific traffic when defining the hit count and only check whether the evaluation has proceeded.

If the order of the security group rules doesn't matter (if all security group rules are evaluated each time), I'm going to define the hit count as the frequency with which a particular security group rule ACCEPTs traffic.

Any thoughts on the definition of the security group and security group rule hit count would also be greatly appreciated.

1 Answer

In short, the answer is no. If there is one rule in the security group that allows a type of access, that rule will take precedence over any rules that deny or limit access, regardless of order. The same is true if you have multiple security groups associated with a resource. The most permissive rule across all the groups is the one that will be applied.

If you want rules evaluated in a certain order, consider using a Network Access Control List (NACL) to do so. See more about NACLs in the documentation.

You can enable VPC Flow Logs to log traffic going in and out of your VPC to specific resources.

AWS
answered a year ago
  • Sorry for the late comment.

    I want to know about the case where multiple security group rules allow access. (both inclusive and overlapping)

    For example, let's say we have security group rules A, B, and C. "a" allows ports 1000-2000. (inclusive) "A" allows ports 1000-3000. "B" allows ports 1500-9000. (overlapping with A)

    If I understand "most permissive" in your answer correctly, it seems that only security group rule A will be evaluated for traffic on port 1050, and only security group rule B will be evaluated for traffic on port 1980. Is that correct? Still doesn't the order of security groups or security group rules matter?

    (As explained in the main text, my ultimate goal is to get numbers for redundant or unnecessary security group rules. Unfortunately NACL is not a concern, as I want to provide a consultant function that optimizes the current user's security groups.)

  • Hello. Can you clarify the intent of the rules? SG rules only allow; they don't deny, so three different rules that allow HTTP to different port ranges cover the ports across all rules, even if the same range is covered more than once. The order doesn't matter. If there is one rule or many allowing a certain type of traffic via port 1980, that traffic will be allowed. Order does not matter since there are no denies, only allows. Think of it in binary terms: something is either allowed or it is not. If you say it's allowed three times, it's still allowed. Ordering matters for something like a NACL, because it can deny traffic, so if there is an allow and a deny the system needs to know which one has precedence. That isn't the case when rules only allow.

  • Hello. I have a client group of multiple developers with permission to edit security group rules. They have no regard for the security group rules used by each other. Some security groups overlap with each other, and some security rules are created for testing purposes and then left unused. So their administrators want to periodically remove unnecessary security group rules. I have access to their VPC Flow Logs, and since my mission is to provide a service that optimizes their security groups, consulting such as suggesting the use of NACL is beyond my scope.

    I've assumed that there are two security group rules where the port range is inclusive of either one and traffic is included in the port range of both rules. I would have expected that if the security group rules were evaluated one by one, the first rule would produce an ACCEPT result in traffic, and the next rule would not be used at all, even though it could also produce an ACCEPT result. ("Used" here means making an ACCEPT or DENY roll. Not being used does not make a DENY roll.)

    In other words, what I'm interested in is not how the order of security group rules affects whether traffic is allowed or not, but whether certain group rules are evaluated and groups not yet evaluated when traffic is allowed. I sincerely apologize if my first question was vague.
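An added example (not code from the answer or from AWS) of what the union semantics described above mean for the hit-count idea: every rule whose range contains a flow's destination port is a hit, so a flow inside two overlapping rules counts for both, and redundant rules have to be found by comparing the rules against each other rather than from the counts. It assumes rules are keyed only by protocol number and destination port range (source CIDRs are ignored) and uses constructed default-format VPC Flow Log lines.

```python
from dataclasses import dataclass

# Hypothetical model of security group rules (allow-only, order-free); not AWS code.
@dataclass(frozen=True)
class Rule:
    name: str
    protocol: int      # IANA number as it appears in flow logs: 6 = TCP, 17 = UDP
    from_port: int
    to_port: int

def matching_rules(rules, protocol, port):
    """All rules that permit this flow. Every matching rule is a hit; there is no
    first-match short circuit because SG rules only allow and have no order."""
    return [r.name for r in rules
            if r.protocol == protocol and r.from_port <= port <= r.to_port]

def parse_flow_record(line):
    """Parse one default-format VPC Flow Log record (14 space-separated fields)."""
    f = line.split()
    return {"dstport": int(f[6]), "protocol": int(f[7]), "action": f[12]}

def hit_counts(rules, lines):
    """Hit count = number of ACCEPT flows inside each rule's range. Flow logs do not
    record which rule allowed a flow, so the rule is inferred from the record."""
    counts = {r.name: 0 for r in rules}
    for line in lines:
        rec = parse_flow_record(line)
        if rec["action"] != "ACCEPT":
            continue
        for name in matching_rules(rules, rec["protocol"], rec["dstport"]):
            counts[name] += 1
    return counts

def redundant_rules(rules):
    """Rules whose whole range is covered by another single rule of the same
    protocol (the 'inclusive' case from the comments above)."""
    return sorted(r.name for r in rules
                  if any(o is not r and o.protocol == r.protocol
                         and o.from_port <= r.from_port and r.to_port <= o.to_port
                         for o in rules))

# The three rules from the comment thread: "a" 1000-2000, "A" 1000-3000, "B" 1500-9000.
RULES = [Rule("a", 6, 1000, 2000), Rule("A", 6, 1000, 3000), Rule("B", 6, 1500, 9000)]

# Constructed sample records (not real traffic). Field order: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.9 40000 1050 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.9 40001 1980 6 5 420 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.9 40002 9500 6 1 60 1700000000 1700000060 REJECT OK",
]

if __name__ == "__main__":
    print(matching_rules(RULES, 6, 1050))   # ['a', 'A']  (port 1980 hits all three)
    print(hit_counts(RULES, FLOW_LINES))     # {'a': 2, 'A': 2, 'B': 1}
    print(redundant_rules(RULES))            # ['a']
```

The redundancy check only looks for a single covering rule; a rule covered only by the union of several others would need an interval-merge step on top of this.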
