- 最新
- 投票最多
- 评论最多
I prefer to use Security Groups to protect EC2 from external communication.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
I can't find the documentation, but EC2 stats checks should work fine even if all packets are droped using iptables. However, I don't know about other services.
Hi, I agree with Shibata that sec groups should be used as much as possible because it brings many advantages. But, I also agree on the fact that iptables cannot be fully fully replicated with sec group for sophisticated rules. So, I'd suggest to do as much as possible with sec group and complements with iptables
Hi Shibata. Thanks for your reply!
Security Groups is not a bad option, but it can't replace IPTABLES in full. It's only possible to create complex rules (using states and expressions) with IPTABLES.
It's not clear to me whether IPTABLES rules prevent any AWS functionaly to work
Definitely! Security Groups don not replace iptables.
Therefor, to know if the unknown communication is from an AWS service, you must check the iptables logs individually. For example if it is a Global IP, you can see which service it is by looking at ip-ranges.json.
https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html#aws-ip-download
So far, I think I should combine both IPTABLES and Security Groups.
For example, on Security Groups I would allow traffic on 22 and 3306 ports. On IPTABLES I would allow all traffic, but drop those with bad flags.
In other words, on Security Groups I could configure what is allowed and on IPTABLES I could configure how its allowed
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前
Shibata/Didier. Thanks for you replies
It's clear for me now. Thanks!
All thouse unexpected traffic I questioned earlier were generated by "EC2 Instance Connect" and instance metadata endpoint.
Another question: does Security Groups process its filtering at instance level? Does Security consume ane instance resource ?