Questions tagged with Security Group

Hi all, Last 2 weeks i am facing Remote desktop connection problem. I am new in AWS. A few day back, I had received an account suspension mail because of payment due. I made all the payment done. Now i am getting this error on login with RDP. "RDP credential were use to connect did not work, please enter new credential " During this I followed some steps to solve the error: 1.) My Security Group setting:- Inbound rules are:- Http, Https, SSH, RDP, all TCP, All Traffic, Custom TCP for IPV4 and IPV6. Outbound Rules are: All Traffic, HTTP, Custom TCP, HTTPS, SSH for IPV4 and IPV6. 2.) IAM Manager :- Create Role for AmazonEc2RoleforSSM Policy This My Inline Policy ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter" ], "Resource": [ "arn:aws:ssm:us-east-2:939764493069:parameter/EC2Rescue/Passwords/i-063933c590287f4d2" ] } ] } ``` 3.) By using System Manager Run command, Changed the current password of windows as well but it's not working. 4.) Also Tried to ping the Public IPv4 address from the local machine but it's working. firewall also take off. 5.) Also tried changing internet service provider. I don't know what am I doing wrong. Is my account is isolated ? Is my setting is wrong? Could you please provide solution.

I recently created a new AWS account. On the EC2 Global View page (https://us-east-1.console.aws.amazon.com/ec2globalview/home) It lists : 55 subnets in 17 regions 17 security groups in 17 regions 17 VPCs in 17 regions Are these all some type of defaults for a new account? Or has my account already been hacked?

Hi, I tried to migrate my EC2-classic to VPC Before using wizard "systems-manager/automation", i have only create an new Security Group in my standalone VPC. My VPC and my EC2 server are all in Ireland, why this error ? I just use "Test" and get security group id created just before How could i resolve it ? Regards > Step fails when it is Poll action status for completion. Traceback (most recent call last): File "/tmp/6c97ba4a-da4f-4e64-9657-1340b5e9d1e1-2022-05-02-16-03-47/customer_script.py", line 186, in verifysecurityGroup raise Exception('[ERROR] Security Group and Subnet are not in same VPC') Exception: [ERROR] Security Group and Subnet are not in same VPC Exception - [ERROR] Security Group and Subnet are not in same VPC. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

Child1SG stack: AWSTemplateFormatVersion: 2010-09-09 Description: Basic SSH Child Security Group. Resources: \ MySSHSecurityGroup1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: my new SSH Child SG SecurityGroupIngress: - IpProtocol: tcp - FromPort: '22' - ToPort: '22' - CidrIp: 0.0.0.0/0 Root Stack: AWSTemplateFormatVersion: 2010-09-09 Description: Parameter store of SG1 Resources: myStackWithParams: Type: AWS::CloudFormation::Stack Properties: **TemplateURL: https://cf-templates-o3rmx0wkf9l-us-east-1.s3.amazonaws.com/2022115bE6-Child1SG.yaml #arn** For this template URL how to pass dynamically S3 path of child .

Child1SG stack: AWSTemplateFormatVersion: 2010-09-09 Description: Basic SSH Child Security Group. Resources: MySSHSecurityGroup1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: my new SSH Child SG SecurityGroupIngress: - IpProtocol: tcp FromPort: '22' ToPort: '22' CidrIp: 0.0.0.0/0 Root Stack: AWSTemplateFormatVersion: 2010-09-09 Description: Parameter store of SG1 Resources: myStackWithParams: Type: AWS::CloudFormation::Stack Properties: TemplateURL: https://cf-templates-o3rmx0wkf9l-us-east-1.s3.amazonaws.com/2022115bE6-Child1SG.yaml #arn For this **template URL** how to pass dynamically S3 path of child .

Hello all! I have been searching the internet for this but I didn't exactly find a solution. Basically I am trying to add custom cidr ips to a security group via lambda function. I have given all the appropriate permissions (as far as i can tell) . I even tried attaching the vpc (which is non-default) to the lambda function to access the security group but the error was the same so i removed it from lambda function. But I am getting "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user" **Below is the Policy:** ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DeleteNetworkInterface", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": "arn:aws:logs:us-west-2:xxxx:log-group:xxx:log-stream:*" } ] } ``` **Lambda function:** ``` #!/usr/bin/python3.9 import boto3 ec2 = boto3.client('ec2') def lambda_handler(event, context): response = ec2.authorize_security_group_ingress( GroupId='sg-xxxxxxx' IpPermissions=[ { 'FromPort': 443, 'IpProtocol': 'tcp', 'IpRanges': [ { 'CidrIp': '1x.1x.x.1x/32', 'Description': 'adding test cidr using lambda' }, ], 'ToPort': 443 } ], DryRun=True ) return response ``` Could someone point me to the right direction? VPC is non-defaul. All I need is to add ingress rule to an existing security group within a non-default vpc. **The error log:** ``` Test Event Name snstest Response { "errorMessage": "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user", "errorType": "ClientError", "requestId": "7de9dce1-f2f9-4609-897e-b75ef751544e", "stackTrace": [ " File \"/var/task/lambda_function.py\", line 21, in lambda_handler\n response = ec2.authorize_security_group_ingress(\n", " File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n return self._make_api_call(operation_name, kwargs)\n", " File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n raise error_class(parsed_response, operation_name)\n" ] } Function Logs START RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e Version: $LATEST [ERROR] ClientError: An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user Traceback (most recent call last):   File "/var/task/lambda_function.py", line 21, in lambda_handler     response = ec2.authorize_security_group_ingress(   File "/var/runtime/botocore/client.py", line 391, in _api_call     return self._make_api_call(operation_name, kwargs)   File "/var/runtime/botocore/client.py", line 719, in _make_api_call     raise error_class(parsed_response, operation_name)END RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e REPORT RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e Duration: 213.81 ms Billed Duration: 214 ms Memory Size: 128 MB Max Memory Used: 77 MB Request ID 7de9dce1-f2f9-4609-897e-b75ef751544e ```

I have an ECS Fargate service with a security group associated. This security group is only used by the Fargate service. If I decided to delete the service and the security group I'm having an error deleting the security group saying that the security group has some dependant objects. I get that this is due to the network interface created by the ECS service. What I would like to understand is how long it takes to AWS/ECS to clean these network interfaces after the services are deleted? I've tried to add a waiter after I delete the service waiting for the network interface to be gone but it is too variable and sometimes it can take more than 12 min!! Do I really need to wait until this network interface is gone to delete the security group? Is there another resource I can check to know that I can delete the security group? Is there a way to predict/make faster the deletion of the internal network interfaces created by ECS? It is quite annoying not having control over this.

Hi, can anyone help me with this error? I tried to edit security group and edit on IP. On the bottom of the list, it said Error Loading Security Group Prefix List. What caused that error? And how I can solve it? error screenshot : [Click Here](https://drive.google.com/file/d/1yiDQVUIlhY715y6cxo7gwFWjcjkeMBDM/view?usp=sharing)

We have an Aurora DB cluster with one writer instance and a couple of read replicas. According to AWS documentation it's only possible to change security groups for the cluster at whole. Indeed, when we tried to change the group for one of our read replicas that should have less strict access rules, it affected all instances in the cluster. Does anyone know if there's a way (possibly not so direct one) to assign an additional security group to a certain replica in the cluster? Help is much appreciated, thanks!

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2 small to a t3 small instance so I began testing the new environment using ubuntu 20.04. The new instance is running nginx, postfix, dovecot and has ports 22,25,80,443,587 and 993 open through two security groups assigned. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password). What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed out message. Checking the port status with nmap shows that ports 22,80 and 443 were closed. and the remaining still open. I can still reach all the ports normally from within my vpc, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself. It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas? I'd be happy to provide the instance id and security groups if needed.

I have created a CloudFormation Stack using the below template in the **us-east-1** and **ap-south-1** region AWSTemplateFormatVersion: "2010-09-09" Description: Template for node-aws-ec2-github-actions tutorial Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Sample Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: "ami-0d2986f2e8c0f7d01" #Another comment -- This is a Linux AMI InstanceType: t2.micro KeyName: node-ec2-github-actions-key SecurityGroups: - Ref: InstanceSecurityGroup BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeSize: 8 DeleteOnTermination: true Tags: - Key: Name Value: Node-Ec2-Github-Actions EIP: Type: AWS::EC2::EIP Properties: InstanceId: !Ref EC2Instance Outputs: InstanceId: Description: InstanceId of the newly created EC2 instance Value: Ref: EC2Instance PublicIP: Description: Elastic IP Value: Ref: EIP The Stack is executed successfully and all the resources are created. But unfortunately, once the EC2 status checks are initialized the Instance status check fails and I am not able to reach the instance using SSH. I have tried creating an Instance manually by the same IAM user, and that works perfectly. These are the Policies I have attached to the IAM user. Managed Policies * AmazonEC2FullAccess * AWSCloudFormationFullAccess InLine Policy { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetRole", "iam:GetInstanceProfile", "iam:DeleteRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:CreateRole", "iam:DeleteRole", "iam:UpdateRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListAllMyBuckets", "s3:CreateBucket", "s3:DeleteObject", "s3:DeleteBucket" ], "Resource": "*" } ] } Thanks in advance for helping out. Have a good day

Hi. I have a ec2 instance (not Lightsail) working behind a Load Balancer. Apache, PHP-FPM are installed and WordPress (or any PHP code) is working mostly fine. However if I try to run code using curl I get a 504 Gateway Timeout. WordPress Site Health also fail because of the same issue. Issues like: - Error: cURL error 28: Failed to connect to fakedomainforthispost.com port 443 after 7503 ms: Connection timed out (http_request_failed) - Your site is unable to reach WordPress.org at 198.143.164.251, and returned the error: cURL error 28: Connection timed out after 10001 milliseconds - The loopback request to your site failed, this means features relying on them are not currently working as expected. Error: cURL error 28: Failed to connect to fakedomainforthispost.com port 443 after 7503 ms: Connection timed out (http_request_failed) If I run curl as a command in ssh works fine. If I run curl as code inside a php file I get the 504 Gateway Timeout. I tried setting the KeepAlive rules bigger than the ELB Idle time with no success. If I clone the ec2 instance and run outside the Load Balancer, curl in php works fine. The load balancer allows ports 80 and 433 and the connected Target group communicates to the instances using port 80. The rest works fine. Kind Regards, D.

We are using RDS PostgreSQL, ElastiCache Redis and EFS as managed services. For each service we have currently our security group allow any IPv4 outbound connections. We want to restrict this. Do we need to add any specific protocols/ports/destinations so that AWS can maintain the managed services, i.e. for performing updates?

Hi, I'm experimenting with a Windows 10 WorkSpace for the first time and need some guidance on how to access an application on my Linux EC2 instance. They are both in the same account and when I created the WorkSpace I selected the default VPC which is also where my EC2 instance is. I have installed a Java application on the Workspace that needs to connect to an application on the Linux EC2 instance but so far I've failed miserably. I've added the WorkSpace IP into the Security Group associated with my EC2 instance but it just can't see it. I've tried both the public and private IP address of the EC2 instance. Any help will be greatly appreciated.

Hi AWS family, I would like my EC2 instance's ports 21, 22, 80, 443, 3306, 8443, 8447 and 8880 to be accessed only from the Cloudflare IP addresses, which can be found at below link. To do this, I need to add the following IP addresses to the security group on separate lines for each port. Due to many ports and IP addresses, I reached the maximum 60 security group rule limit. Is there an easier way I can do this? https://www.cloudflare.com/ips/ Thanks in advance

Can I set a security group for each workspace that is launched? 1 workspace has security group A, and another workspace has security group B.

### Setup I am using AWS Amplify to host my NextJS app. My backend is a headless CMS called Craft CMS (PHP). The NextJS app is using the GraphQL endpoint from Craft CMS for data fetching. The CMS is in EC2 server. It is connected to an Application Load Balancer. ### Requirement I want to be the only one who can access the CMS since I'm the only one using it. So the EC2 security group's source for HTTP and HTTPs is the ELB security group ID. The ELB security group has my IP for the HTTP and HTTPS traffic. This configuration works. I'm the only one who can access the site. ### The issue The problem is that when Amplify tries to build my frontend app, it's always build error. It seems that the Amplify can not reach the GraphQL endpoint when it tries to build the app. ### Action taken I tried adding `AmazonEC2FullAccess` to the Amplify Service role and it didn't work. ### Temporary workaround I turned on the access logs of the CMS and found the AWS IP of the Amplify app. I then added the IP to the ELB security group to allow access. This works but I don't know how often AWS changes the IP address and I know at point some point it'll break down. ### Question How do we allow Amplify to access the GraphQL endpoint for npm builds? Any ideas is greatly appreciated. Thank you.

I'm wanting to send UDP traffic to an EC2 host in the same VPC as an ECS instance and I can only get it to work by testing with allowing all source IPs in the security group for the EC2 instance. With RDS it's always worked fine to use the RDS instance's security group ID as source in the ECS container's security group, but that isn't working here, where I'd use the ECS container's SG as source for the UDP port in the EC2 instance's SG. I tried using something like 172.30.0.0/16 to allow all VPC traffic, but that doesn't work either. Are ECS instances in my VPC? Thanks for any help.

I've set up an App Runner service, which works fine. Currently for networking it's configured as public access, but I'd like to change this to a VPC so that I can connect the service to an RDS instance without having to open the database up to the world. When I change the networking config to use my default security group, the service is unable to access the Internet. Cloning a git repo from Bitbucket brings up the error: ``` ssh: Could not resolve hostname bitbucket.org: Try again ``` ... and trying to run `npm install` brings up: ``` npm ERR! network request to https://registry.npmjs.org/gulp failed, reason: connect ETIMEDOUT 104.16.24.35:443 ``` My security group has an outgoing rule allowing all traffic out to any destination. My RDS instance is in the same VPC/security group and I'm able to connect to this without issue (currently I've opened up port 3306 to the world). Everything else I've read from a bunch of Googling seems fine: route tables, internet gateways, firewall rules, etc. Any help would be much appreciated!

Hi team, I have a private VPC in which I added an endpoint for email service to be able to send emails via Amazon SES but the job that sends the SES email runs forever and doesn't do anything. I opened port 25 in the SG as mentioned here : https://docs.aws.amazon.com/ses/latest/dg/send-email-set-up-vpc-endpoints.html My SDK code (in a glue job) use an API call to the SES send email command to send the email not sure if the email interfaces SMTP endpoint work for SES?

I have been using AWS to host Debian 10 to connect my 3CX accounts for our phone systems. All working fine. All of a sudden, when i go to create a new service on AWS and then connect to it from 3CX via the installer, I get the following message An unknown error occured: User: arn:aws:iam::090946289178:user/ICT is not authorized to perform: servicequotas:GetServiceQuota on resource: arn:aws:servicequotas:ap-southeast-2:090946289178:ec2/L-34B43A08 because no identity-based policy allows the servicequotas:GetServiceQuota action I have tried everything I can think of. Delete the AWS service and install again Create user in IAM Create key pairs add debian subscription. I am following the same path as when I setup the existing system which works fine. I have also tried connecting with my other subscriptions to AWS and get the same message I also created a new AWS account and added a new subscription, IAM and Key pair there and got the same message. 3CX support has no idea what it is. Can anyone shed some light here? David

getting connection time out error ,while connecting EC2 using Putty. already edit Inbound rule under security group as SSH Port 22 source as anywhere , still same error occurs. please guide , as I am new to AWS portal

**Problem statement:** We are migrating some of the on-premise workloads (VMs and DBs) to AWS. AWS network is AD aware but we are using existing on-premise DNS server (instead of Route 53). As part of the migration, we need to build some Firewall polices and Security Group rules for network protection/restriction. I wanted to know if there is any option to use FQDN based rules in AWS network firewall for protocols other than HTTP/HTTPS. This is so that we use FQDN instead of hardcoded IP address of the on-premise servers to avoid any changes in FW policies in future if the on-prem server IPs change. As mentioned above, AWS Network Firewall doesn't seem to support this. Even if it did, I am not sure how AWS Network Firewall can leverage the on-premise DNS server for IP resolution. **Ask:** I wanted to know if there is any alternative solution available for this type of requirement. Basically I am trying to understand the best possible solution which can be built to manage all these different FW rule/network restriction requirements leveraging likes of AWS Network FW (stateless/stateful rules), Security Groups, NACL etc such that the final solution is as per recommended standards. Given this is a very specific requirement please let me know if it is not clear and if you need any further details. Any advise which you can provide would be greatly appreciated.

Currently, we use docker-compose and .ebextensions to update elastic load balancer security group. However now I have requirement to apply different security groups for different environment. How do I add the condition to elbsg.config ? Below is my current elbsg.config ``` option_settings: aws:elb:loadbalancer: ManagedSecurityGroup: "sg-xxxxxx" SecurityGroups: "sg-xxxxx" aws:elbv2:loadbalancer: ManagedSecurityGroup: "sg-x"xxxx SecurityGroups: "sg-xxxxx" ``` Wondering if the normal yaml condition would works or there is a separate syntax for elbsg.config to work ?

I have a CentOS 7 EC2 instance with Apache HTTPD running on port 443. ``` $ netstat -tnlp | grep 443 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2533/httpd ``` I cleared all inbound rules for the Security Group and now have just these 3: ``` IPv4 HTTPS TCP 443 <MyIP>/32 IPv4 HTTP TCP 80 <MyIP>/32 IPv4 SSH TCP 22 <MyIP>/32 ``` But not able to connect to the web server on the public IP (Google Chrome browser reports ERR_CONNECTION_TIMED_OUT). It was working previously before I removed some inbound rules and stopped the instance for a few days. ``` $ telnet <public IP> 443 Trying <public IP>... telnet: connect to address <public IP>: No route to host $ telnet <public IP> 80 Trying <public IP>... telnet: connect to address <public IP>: No route to host $ telnet google.com 443 Trying 142.250.188.46... Connected to google.com. Escape character is '^]'. ``` Anything else I can check? Thanks **UPDATE:** I installed VNC server on the instance and connected using VNC viewer. Launched Firefox, opened URL https://localhost and was able to login to the web app. But still can't access using https://<public ip>.

Hi All, I have an EC2 instance in a private subnet, I connect to it using session manager via AWS console. actually, the outbound rule of the security Group of the private EC2 instance is : All traffic / all/ 0.0.0.0/0 when I delete that rule I cannot anymore connect to the EC2 instance : ``` Your session has been terminated for the following reasons: ----------ERROR------- Setting up data channel with id xxxxxxxxx-04retceff7ddr5 failed: failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: failed to make http client call: Post "https://ssmmessages.region1.amazonaws.com/v1/data-channel/xxxxxxxxx-04fgffgffdgefbdder": context deadline exceeded (Client.Timeout exceeded while awaiting headers) ``` what is the right outbound SG rule that allows me to connect to my instance via AWS console session manager knowing that I don't have a VPC interface for SSM?

Hello, Is there a way by which we can allow https calls from only aws servers from across another region without VPC peering? I tried using security group. But that will not work. Regards

Hi Team, I am trying to change the CloudFormation stack of Redshift which has security group inbound rule as 0.0.0.0/32 which is a violation of my requirement. Can I programmatically set this to my local IP( same way as we choose source as my IP in AWS console)? If yes, please help me on the steps to do so.

Hello Sir, For a few days I have not been able to SSH with MobaXterm to a Jenkins server I created on my EC2. This has been the same problem I attempt to SSH with GIT as well. The message I get is as shown below. Even after I restart the session I get the same problem. Please could you verify if my AWS account has issues. I changed my computer as well but same problem. I disabled firewall, cleared cache and a few other stuff, yet no solutions. Network error: Connection timed out ──────────────────────────────────────────────────────────────────────────────── Session stopped - Press <return> to exit tab - Press R to restart session - Press S to save terminal output to file I have searched online for resource and have done everything possible but I cannot move forward. I disabled my firewall, cleared my cache, and a lot more but I still cannot connect through SSH. I bought a new computer thinking it would be different but same problem. When I log into the chrome using public IP and port 8080, all I get is "website not reachable" or " Connection time out". Please revert with a response as soon as you have time. Thanks

I am a one-person business looking to set up a simple VPC for access to a virtual Windows desktop when I travel from the US to Europe. My trips are 1-3 months in duration, and I'd like to carry just my iPad or a Chromebook rather than a full laptop. This is easier and more secure if my desktop is in the AWS cloud. I am a bit of a network novice and my prior experience with AWS has been only with S3 buckets. From reading the AWS docs, I have learned how to create a VPC, with subnets and a Simple AD. I can spin up a workspace and access it. However, I am unsure about what additional steps, if any, I should take to *secure* my WorkSpaces environment. I am using public subnets without a NAT Gateway, because I only need one workspace image and would like to avoid paying $35+ per month for the NAT just to address one image. I know that one of the side benefits of using a NAT Gateway is that I get a degree of isolation from the Internet because any images behind a NAT Gateway would not be directly reachable from the Internet. However, in my case, my workspace image has an assigned IP and is *not* behind a NAT Gateway. My questions are: 1. Am I taking unreasonable risks by placing my WorkSpaces in a public subnet, i.e., by not using a NAT Gateway? 2. Should I restrict access using Security Group rules, and if so, how? 3. Are there other steps I should take to improve the security of my VPC? I want to access my WorkSpace using an iPad, so I can't use certificate-based authentication. I don't know if I could easily use IP restriction, because I don't know in advance the IP range I would be in when I travel. PLUS, as you can probably tell, I'm confused about what I need to secure - the workspace image, my Simple Directory instance, or both? I'm having a hard time finding guidance in the AWS documentation, because much of the docs are oriented toward corporate use cases, which is understandable. The "getting started" documentation is excellent but doesn't seem to touch on my questions. Thanks in advance for any answers or documentation sources you provide!

An ec2 t2.micro instance (linux) shows a very abnormal behavior. I have a very light application which usually consumes less than 3% of CPU usage. Suddenly (almost each 4th day) the instance jumps at 100% CPU usage for around 12 hours and then stucks to 10% . When the instance is stuck, I can't even ssh in, the ssh connection just times out. Ine the image below the behavior is shown. After I stop & start the instance again, everything works again. Some other details: - the instance has a security group that only allows my ip address to connect via ssh. - The app runs in a docker container and it barely receives traffic. Any ideas would be highly appreciated :) https://imgur.com/a/j5BOf61

i.e. say I want to prevent 0.0.0.0/0 or some arbitrary IP from ever being applied as a security group rule, is it possible to do this from a an organization/account wide control approach?

Hello. I have a PHP script which downloads some files from my EC2 instance using cURL. I connect to a remote FTPS server on port 990 and range port 50000-50010 is also used to download the files. When I run the script in local or in my Plesk production server, the script runs without problems but from EC2 I only get the message "*Failed to connect to aaa.bbb.ccc port 990: Connection refused*". I checked inbound and outbound rules for the security group, created new rules, allowed all traffic, tested different combinations, etc. I even created a new security group exclusively with rules for allowing inbound and outbound traffic, but it's not working. I don't know if besides the security group rules there is something else that I have to configure. I don't know what else can I check. Normally, when I wanted to access through SSH to my EC2 instance I only have to configure the inbound rule with my IP and that all, but with this I'm a bit lost. Thanks in advance for your help!

Getting Connection refused by public ip address, although image pulled from ECR running appropriately in pod container. Security Group >>Inbound Group >>Type: HTTP, SSH, TCP, Port: 80, 22, 0-65535 all allowed for IPv4, even assigned Elastic IP to NAT Gateway which is allowing Public Ip through Internet Gateway

Hi, I am currently trying to set up an ec2 instance with Application load Balancer however I'm getting a 504 gateway time-out error. I have enabled apache keep alive settings with a greater number than the timeout setting of the ALB, just as indicated from AWS Doc. However the issue is persistent. I have checked that I'm using the same Security group which I am. The Listeners in my ALB are set to only the HTTPS and forwarded to my target group.When i visit the target group the health status details says " health checks failed ". What else can I check please ?

Can an existing SG be deployed using SSM Powershell to all EC2 instances? If it is possible, then would like to then remove the same group after done using it. I found little information on how to accomplish this.

This is a rather odd issue, and I couldn't find anything on it. I've assigned my Windows t2.micro instance a Security Group, and a VPC. I've made two rules, using the presets for RDP and SSH respectively. I can ping the instance's IP on the RDP port (3389) just fine, and can connect. But pinging on the SSH port (22) always fails, even if I create a new rule that accepts all traffic from all sources. Custom defined ports, such as 27015, also has the same issue as port 22. Editing the rules makes no difference, neither does changing the Security Group for my instance. Any idea what is going on here? It is very odd that RDP works fine, but nothing else does.

Hello I'm using kops and trying to delete a cluster but whenever I try it returns: > subnet:subnet-08ce41d54ac8013bb still has dependencies, will retry security-group:sg-058dc5e078d91f60e still has dependencies, will retry I try to delete security group and subnet manually from aws console and with aws cli but when I try to delete the security group it returns that it has associated a network interface and when I try to delete the network interface it returns that is in use despite there is no instance using it. The network interface Id is the next: **eni-0de17b728039af773**. Hopefully you can help me.

Hi all, Is it possible to call a glue job/ or python script from within another glue job without passing by **glue endpoint** and adding a new rule in SG? the following code uses glue endpoint and doesn't work without adding extra rules in the Security Group : ``` client = boto3.client('glue', 'AWS_REGION') client.start_job_run(JobName='test_call_script') ``` I want to call an extra script that sends an email from within my original glue job without the need to use SES or glue VPC endpoints or opening new rules in the SG. just call another glue script that can send an email out of the box

So, this has been keeping me busy for the past couple of days. Started when I was troubleshooting the Paypal integration -- which is used only a couple of times a year when registration opens for an event. It worked fine in October, but suddenly it stopped working. I quickly figured out that the reason was that I couldn't connect to Paypal via port 443. Upon further testing, I discovered I couldn't connect to *anything* on port 80 or 443. Outbound SSH, FTP, and SMTP work fine from this instance. I checked the ACLs for the VCP, which are allow any/any. I checked my security group, which is also set to outbound any/any. As a note, *inbound* HTTP and HTTPS both work just fine -- the website is still up. Just that when I try to connect to anything else, even as root, it fails. I have checked the configuration of the server, and there's nothing in iptables, and the Ubuntu firewall is disabled. The server can connect to its own internal IP on port 80, but not its external IP. I have another instance running, and on that instance I can connect to its internal IP on port 80, but not its external IP. Reassociating the server with a different elastic IP gives the same behavior. The other server can reach the Internet just fine on ports 80/443. Things I have tried: 1. tcptraceroute fails immediately on the first hop. 2. All other ports that I have tried work fine. Just 80 and 443 seem to be affected. 3. The behavior started sometime in the last 3 months. 4. tcpdump sees the SYN packets going outbound and supposedly leaving the interface. So far, the only things I can think of that are consistent with the behavior: 1. The server has been compromised, or something got installed that is trying to capture/redirect all 80/443 traffic, but I can't think of anything or think where it would be. It would have to be intercepted at the kernel level for tcpdump to see the SYN packets and think they are going out of eth0. I'm not sure how to prove a negative here. I may try creating a new instance using this server's volume and see what happens there. 2. Something associated with this particular instance is blocking outbound traffic, possibly upstream of us. Does anyone know of any settings I haven't mentioned that would relate to this? Any ideas are appreciated!

I recently added a new IP address to my security group to allow that IP address to access a EC2 instance within the group. After 24 hours, that new IP address is still not able to access the EC2 instance. Any help/advice would be appreciated.

We have a setup where there may be multiple Security Groups in different VPCs, Regions, or Accounts that we have to put in the same IP information. For example, AWS Admin "Joe" has IP of 123.123.10.10, and we have to enter this in seven different Security Groups. My question is this, are there any thoughts of improving this in the future by centralizing it somewhat? So in this example, there would be a "Central Admin" group/file/config setting somewhere that we enter "Joe" and "123.123.10.10" once, and in all the seven different security groups, we just put in the reference "Joe". That way, if Joe's IP changes, you just have to change it in one place. Just thought this might be a good enhancement, simpler management of this type of thing...any thoughts/plans/critiques? Thanks, --Jim

Hi all, I have an IPv6 capable (t2.small) test server running Ubuntu 16.04.1 set up in the eu-west-1 area. The VPC has an IPv6 allocation, and subnets have IPv6 /64s, too. The NAT Internet Gateway is set up as well an an IPv6 Egress Internet Gateway, both set up in the main route table for the 0.0.0.0/0 and ::/0 prefixes, respectively. The network ACLs associated with the subnets allow for both incoming and outgoing traffic from and to ::/0. Similarly, the Security Group associated with the instance permits incoming traffic from ::/0 to tcp:80, tcp:443 and any incoming IPv6 ICMP traffic from ::/0. The network interface attached to the VM has an permanently assigned IPv6 (2a05:d018:n:n::23) address. From the running instance, I can see via tcpdump that IPv6 traffic is flowing neatly, e.g. ``` 10:56:42.285595 IP6 2a05:d018:n:n::23.123 > 2001:67c:1560:8003::c7.123: NTPv4, Client, length 48 10:56:42.296728 IP6 2001:67c:1560:8003::c7.123 > 2a05:d018:n:n::23.123: NTPv4, Server, length 48 ``` However, trying to access the server by its IPv6 address from the Internet - either by means of pinging through a looking glass such as <https://www.sprint.net/lg/lg_start.php> or by trying to access the website from home (with long-time working, afaik filterless IPv6 connectivity) fails. A tracepath6 breaks off some perceived hops before the machine: ``` 9: 2600:9000:eee::1c7 40.986ms asymm 18 10: 2a01:578:0:10::c 40.118ms asymm 17 11: no reply 12: 2a01:578::1 40.245ms asymm 14 13: no reply 14: 2a01:578::13 41.313ms 15: 2a01:578:0:10::8 41.910ms asymm 12 ``` and both ping and http requests do not even show up in the VM's tcpdump. I'm currently stuck in seeing which option I may have missed, or what causes the connectivity to fail. Any eye-opening assistance would be appreciated. Best regards Dominik