Questions tagged with Security Group

I have this problem: Failed to stabilize Instance with id. My CF looks like: Resources: DocumentDBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: 'DocumentDB SG' GroupDescription: !Sub 'Security Group for the DocumentDb' VpcId: !Ref VPC DocumentDBSubnetGroup: Type: AWS::DocDB::DBSubnetGroup Properties: DBSubnetGroupDescription: "Subnet group for Document DB cluster" DBSubnetGroupName: "document-db-subnet-group" SubnetIds: !Ref PrivateSubnetIds DocumentDBParameterGroup: Type: AWS::DocDB::DBClusterParameterGroup Properties: Description: "Parameter group for Document DB cluster" Family: docdb4.0 Name: "document-db-paramater-group" Parameters: audit_logs: "disabled" DocumentDBCluster: Type: AWS::DocDB::DBCluster Properties: BackupRetentionPeriod: 7 DBClusterIdentifier: "docdb" DBSubnetGroupName: !Ref DocumentDBSubnetGroup DBClusterParameterGroupName: !Ref DocumentDBParameterGroup Port: 27017 PreferredBackupWindow: "07:00-09:30" PreferredMaintenanceWindow: "tue:07:00-tue:11:00" VpcSecurityGroupIds: - !Ref DocumentDBSecurityGroup StorageEncrypted: true DocumentDBInstance: Type: AWS::DocDB::DBInstance DependsOn: - DocumentDBCluster Properties: DBClusterIdentifier: !Ref DocumentDBCluster DBInstanceClass: db.t3.medium DBInstanceIdentifier: "docdb" PreferredMaintenanceWindow: "tue:07:00-tue:11:00" If i search this problem i find information about RDS (snapshot), but i don't use snapshot in this deployment..lg...

We need to establish a "Web socket connection" to our AWS servers using Django, Django channels, Redis, and Daphne Nginx Config. Currently local and on-premises config is configured properly and needs help in configuring the same communication with the staging server. We tried adding the above config to our servers but got an error of access denied with response code 403 from the server for web socket request. below is the **Nginx config** for staging ``` server { listen 80; server_name domain_name.com domain_name_2.com; root /var/www/services/project_name_frontend/; index index.html; location ~ ^/api/ { rewrite ^/api/(.*) /$1 break; proxy_pass http://unix:/var/www/services/enerlly_backend/backend/backend.sock; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_read_timeout 30; proxy_connect_timeout 30; proxy_send_timeout 30; send_timeout 30; proxy_redirect ~^/(.*) $scheme://$host/api/$1; } location /ws { try_files $uri @proxy_to_ws; } location @proxy_to_ws { proxy_pass http://127.0.0.1:8001; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_redirect off; } location ~ ^/admin/ { proxy_pass http://unix:/var/www/services/project_name_backend/backend/backend.sock; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_read_timeout 30; proxy_connect_timeout 30; proxy_send_timeout 30; send_timeout 30; proxy_redirect off; } location /staticfiles/ { alias /var/www/services/project_name_backend/backend/staticfiles/; } location /mediafiles/ { alias /var/www/services/project_name_backend/backend/mediafiles/; } location / { try_files $uri /index.html; } } ``` and **Systemctl service** to execute Django Daphne service ``` [Unit] Description=Backend Project Django WebSocket daemon After=network.target [Service] User=root Group=www-data WorkingDirectory=/var/www/services/project_name_backend ExecStart=/home/ubuntu/project_python_venv/bin/python /home/ubuntu/project_python_venv/bin/daphne -b 0.0.0.0 -p 8001 project_name_backend.prod_asgi:application [Install] WantedBy=multi-user.target ``` **Below is the Load Balancer security group config inbound rules**  **Listner Config for Load Balancer**  lg...

I required to give internet access for EC2 instance only a list of websites, in Outbound security group I only have provision enter the IP address. Is there any other alternative way to restrict permission/access based on DNS. Further, I have tried to find out the IP addresses of the websites allowed in Outbound security group some does work others doesn't. Thanks in Advance.lg...

The issue is our accounts are in control tower environment and in control tower there are no options to add config rules other than Predefined ones, in those predefined ones there is non for security groups. How can we enable more config rules at organization level e.g. *security group verification rule.* I have the option to enable this at per account level but not at aggregator level, but there are hundreds of account and it is not feasible to have this one by one for each account.lg...

Hi team, we want to do some audits on all our projects using AWS accounts, Are there any first items to start checking or any specific checklist to go over when doing the audit to make sure that best practices and security are implemented? Thank you!lg...

Hi guys, I'm trying to copy data from efs that is in us-east-1 to a s3 in us-east-1, so I created a new datasync to do the job. The mount target is the ip address of the EFS filesystem and it's complaining about security group issue. Here is the error: Task failed to access location loc-0426eaa718cb13c76: x40016: Failed to connect to EFS mount target with IP: 10.107.196.128. Please ensure that mount target's security group allows 2049 ingress from the DataSync security group or hosts within the mount target's subnet. The DataSync security group should also allow all egress to the EFS mount target and its security group. I am having hard time deciphering the 2 statements. 1) Please ensure that mount target's security group allows 2049 ingress from the DataSync security group or hosts within the mount target's subnet. Is the mount target the EFS or the EC2 instance that EFS is mounted on? If I am not mistaken, EFS do not have security groups but the EC2 instance does, so is the 1st statement asking me to ensure that EC2 instance security group allow 2049 in bound from DataSync security group? 2) The DataSync security group should also allow all egress to the EFS mount target and its security group. after creating DataSync security group, do I add this new group to the EC2 instance that EFS is mounted to? Thank you.lg...

I created an Elastic Beanstalk env yesterday through the AWS console and noticed there was a new option to omit the default EC2 security group. I set that option when creating the environment and now I can't seem to access that environment in the AWS console. The error I see on the console page is as follows: ``` A problem occurred while loading your page: Configuration validation exception: Invalid option specification (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'OmitDefaultEC2SecurityGroup'): Unknown configuration setting. ``` Not sure how I can access the environment thru the console. Any helpful insights?lg...

Hi, we would like to know is there any way to find out if the security group is in use or not or in short to which resource this security group is associated.we did tried to find out for example using aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> but this does not help us much. Thanks Diliplg...

I have set up VPC Peering between my AWS VPC and Atlas cluster. My problem is that when I go to change my “IP access list” to remove the “0.0.0.0/0” IP, I am no longer able to connect to the cluster. I have included the VPC’s CIDR block in the allowed IPs and have also tried adding the Security group ID that is associated with the VPC. On the AWS side, I have a lambda that is being triggered and which then communicates with Mongo. The VPC that the lambda sits within, has no “internet gateway” so as I understand it, it should not be able to connect to the open internet. The VPC’s Route table diverts all traffic (from the lambda) to the peering connection (which connects Atlas to my VPC). From my setup, it seems that no traffic should be leaving my AWS VPC from any other IP address than the ones included in my VPC CIDR block. So why is it that removing the “0.0.0.0/0” IP from the list of allowed IP’s on mongo stops me from being able to connect?lg...

We are having multiple apps which are more or less using the same incoming traffic rules. For half of the apps we are in a condition where we frequently need to change the outgress IPs for a port. That requires us to rerun the Cloudformation stack everytime it changes. Is it a good idea to have a single Security group for all apps which we map on all app Cloudformation stacks to reduce efforts. I also have security considerations and best practices rule in my mind, I just wanted to have wise opinions.lg...

Unable to connect the instance after restarting the server by using the command ***sudo systemctl reboot***. When I'm trying to login into the instance using EC2 Instance Connect it is failing to make the connection to the instance and throwing an error ``` We were unable to connect to your instance. Make sure that your instance network settings are configured correctly for EC2 Instance Connect. For more information, check Task 1 under the Setup EC2 Instance Connect AWS documentation. ``` After following the [doc](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html#ec2-instance-connect-setup-security-group) I have added an Inbound rule that allows inbound SSH traffic on port 22 from your IP address to the security group attached to my instance. But still, it shows the same error and also fails the Instance reachability check. Any help in guiding me that how can I make a connection to my instance will be much appreciated. Thankslg...

Hi, I have just moved from GCP to AWS to test out CodePipeline / CodeDeploy / and S3. I was following this documentation: "Tutorial: Create a simple pipeline (S3 bucket)" and I have encountered some issues with this step [1]. Apparently de pipeline I have created failed because it coudn't access my EC2 instance. Taking the above information into consideration, I deleted the pipeline to start fresh and I explored the EC2 service more. To sum up, I have observed that when I configure the securitygroup to use my IP instead of allow all, or if I try to use any custom rule, any attempt to access that instance will fail, SSH, ping. anything. I tried to add the same rules to Network ACLs and also I have created a Internet Gateway but nothing changed. ***Key Information:*** * **EC2 instance:** second VM test * **Zone:** eu-west-3c * **Security Group Name:** launch-wizard-2 ---------- [1]: Step where issue was encountered https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-simple-s3.html#:~:text=Under%20Network%20settings%2C%20do%20the%20following.lg...