55

What happens when I assign multiple security groups to an instance? Is it permissive, in the sense that traffic is allowed in if any one of the security groups allows it, OR is it restrictive, in the sense that every security group must allow the traffic in for it to be passed in?

For example, let's say I have a class of instances that will only ever talk to other instances in the same account. I also have a class of instances that will only accept traffic via HTTP (port 80).

Is it possible to restrict access to internal instances and only via HTTP by creating and applying two security groups:

  1. An "internal" security group. Allow all traffic in from other members of that security group, on all ports, for all transports (TCP, UDP, ICMP).
  2. An "http" security group. Allow all traffic in to port 80 via TCP from any source.

OR am I forced to create a single security group that allows traffic from port 80 where the source is itself?

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
Suraj
  • 785
  • 1
  • 5
  • 12

4 Answers

53

Permissive.

According to AWS here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html

If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.

N R
  • 103
  • 4
euphoria83
  • 810
  • 2
  • 7
  • 11
12

If an instance has multiple security groups, it has the sum of all rules in the various groups.

For example, let's say I have a class of instances that will only ever talk to other instances in the same account. I also have a class of instances that will only accept traffic via HTTP (port 80).

This is a perfect situation for AWS Virtual Private Cloud. Put the internal instances in private subnets, and the public-facing instances in public subnets.

ceejayoz
  • 32,910
  • 7
  • 82
  • 106
  • 1
    ceejayoz - So it's the "restrictive" case? Meaning the two security group solution would work? Agreed about VPC solution; my example was more to understand how multiple groups work. Where did you find the answer by the way? – Suraj Mar 01 '13 at 22:08
  • You'd want one security group for internal instances, and another for the public-facing instances. Adding the public-facing 80:0.0.0.0/0 group to internal instances would make them available to the public internet. – ceejayoz Mar 01 '13 at 22:15
  • 2
    Just to be super clear, you are saying that traffic is let in if any of the individual security groups allows it? I'm being thrown off by your comment about the "sum of all rules" because when I think of sum I think AND instead of OR. – Suraj Mar 01 '13 at 22:58
  • 4
    Yes, if any of the groups applied to an instance allows it, it's allowed. Group rules are ORed together, not ANDed. – ceejayoz Mar 02 '13 at 20:57
  • 14
    Why can't people just answer the question asked instead of inserting their idea of what should be done? If you're going to do that, at least properly answer the question first. Jeez – Bill Rosmus Jun 26 '13 at 17:35
  • 1
    @BillR Huh? I answered the question, the original poster had a few follow-up questions, and wound up accepting the answer. What are you whining about? – ceejayoz Jun 26 '13 at 17:40
6

Here's the response from AWS documentation support. They said they would update the documentation:

I found a couple of discussion forum posts that address similar issues with conflicting rules within one or more security groups:

https://forums.aws.amazon.com/thread.jspa?messageID=221768

https://forums.aws.amazon.com/thread.jspa?messageID=349244&#349244

When multiple security groups are applied to an instance, the rules are aggregated to create one large set of rules. In EC2, security group rules are only permissive, in other words, you cannot add any DENY rules. What this means is that the most permissive rule will always apply. For example, if you have a security group that allows access to port 22 from IP address 10.10.10.10, and another security group that allows access to port 22 from everyone, everyone will have access to port 22 on the instance.

Suraj
  • 785
  • 1
  • 5
  • 12
0

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses). For more information about IP addresses, see Amazon EC2 Instance IP Addressing. If your security group rule references a security group in a peer VPC, and the referenced security group or VPC peering connection is deleted, the rule is marked as stale. For more information, see Working with Stale Security Group Rules in the Amazon VPC Peering Guide.

If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.

When you associate multiple security groups with an instance, the rules from each security group are effectively aggregated to create one set of rules. We use this set of rules to determine whether to allow access.

Caution: Because you can assign multiple security groups to an instance, an instance can have hundreds of rules that apply. This might cause problems when you access the instance. Therefore, we recommend that you condense your rules as much as possible.
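The following is an added worked example, not code from this thread or from AWS: a small Python model of the evaluation behaviour the answers and the quoted documentation describe (allow-only rules, the rules of all attached groups unioned, a source-group reference matched on the sender's private address). It replays the question's two-group design ("internal" referencing itself, "http" open on TCP/80) and the documentation's SSH example. All group and instance names, addresses and ports are constructed for illustration and are not AWS defaults.

```python
"""Toy model of EC2 inbound security-group evaluation (added example, not AWS code).

Models only what the thread describes: rules are allow-only (no DENY), every
group attached to an instance contributes its rules to one union, and a rule
whose source is a security group matches members of that group by their
*private* IP. Names, addresses and ports below are constructed test data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ALL = -1  # marker for "all ports", mirroring the EC2 API's -1


@dataclass(frozen=True)
class Rule:
    protocol: str                       # "tcp", "udp", "icmp" or "-1" (all)
    from_port: int = ALL
    to_port: int = ALL
    cidr: Optional[str] = None          # e.g. "0.0.0.0/0"
    source_group: Optional[str] = None  # name of a referenced security group


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    private_ip: str
    public_ip: Optional[str]
    groups: list  # names of the security groups attached to this instance


def rule_matches(rule: Rule, proto: str, port: int, src_ip: str,
                 src_instance: Optional[Instance]) -> bool:
    """Does one allow rule cover this packet?"""
    if rule.protocol not in ("-1", proto):
        return False
    if rule.from_port != ALL and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ip_address(src_ip) in ip_network(rule.cidr)
    if rule.source_group is not None:
        # Source-group reference: the sender must be a member of that group.
        # src_instance was looked up by private IP, so traffic arriving from a
        # member's public or Elastic IP finds no instance and does not match.
        return src_instance is not None and rule.source_group in src_instance.groups
    return False


def is_allowed(dst: Instance, proto: str, port: int, src_ip: str,
               groups: dict, instances: list) -> bool:
    """True if ANY rule of ANY group attached to dst allows the packet.

    With no deny rules the attached groups are simply unioned (OR, not AND);
    the order of groups and rules is irrelevant.
    """
    src_instance = next((i for i in instances if i.private_ip == src_ip), None)
    return any(rule_matches(r, proto, port, src_ip, src_instance)
               for g in dst.groups for r in groups[g].rules)


# The two groups from the question (constructed data).
GROUPS = {
    "internal": SecurityGroup("internal", [Rule("-1", source_group="internal")]),
    "http":     SecurityGroup("http", [Rule("tcp", 80, 80, cidr="0.0.0.0/0")]),
}
WEB = Instance("web", "10.0.0.10", "203.0.113.10", ["internal", "http"])
DB = Instance("db", "10.0.1.10", None, ["internal"])
DB_OOPS = Instance("db-oops", "10.0.1.11", None, ["internal", "http"])  # http attached by mistake
INSTANCES = [WEB, DB, DB_OOPS]
INTERNET = "198.51.100.7"  # an arbitrary outside address (constructed)


def scenario() -> dict:
    """Evaluate the cases discussed in the thread; each key names one case."""
    def chk(dst, proto, port, src):
        return is_allowed(dst, proto, port, src, GROUPS, INSTANCES)
    return {
        "web_http_from_internet": chk(WEB, "tcp", 80, INTERNET),      # http group allows it
        "web_ssh_from_internet": chk(WEB, "tcp", 22, INTERNET),       # nothing allows it
        "db_http_from_internet": chk(DB, "tcp", 80, INTERNET),        # db has no http group
        "db_pg_from_web_private": chk(DB, "tcp", 5432, WEB.private_ip),  # self-referencing group
        "db_pg_from_web_public": chk(DB, "tcp", 5432, WEB.public_ip),    # public IP never matches
        "db_icmp_from_web_private": chk(DB, "icmp", 0, WEB.private_ip),  # "-1" covers ICMP too
        "db_oops_http_from_internet": chk(DB_OOPS, "tcp", 80, INTERNET),  # exposed to the internet
    }


def most_permissive_wins() -> bool:
    """The documentation example: 22 from one /32 in one group, 22 from anyone in another."""
    groups = {
        "ssh-admin": SecurityGroup("ssh-admin", [Rule("tcp", 22, 22, cidr="203.0.113.1/32")]),
        "ssh-open": SecurityGroup("ssh-open", [Rule("tcp", 22, 22, cidr="0.0.0.0/0")]),
    }
    host = Instance("bastion", "10.0.0.5", None, ["ssh-admin", "ssh-open"])
    return is_allowed(host, "tcp", 22, INTERNET, groups, [host])


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case:30s} {'ALLOW' if allowed else 'drop'}")
    print("open ssh group wins over the /32 rule:", most_permissive_wins())
```

Running `scenario()` gives the answer to the question directly: `web`, with both groups attached, accepts TCP/80 from the internet (the "http" group's rule applies on its own; the "internal" group does not restrict it), while `db`, with only the "internal" group, accepts anything from `web`'s private address but nothing from outside. The `db-oops` case is the failure mode ceejayoz warns about: attaching the "http" group to an internal instance makes it reachable on port 80 from `0.0.0.0/0`. The `db_pg_from_web_public` case shows the documentation's point that a source-group rule matches on private addresses only. Nothing in the model can express a deny, which is why `most_permissive_wins()` returns True.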