CentOS, Chrony, and AWS Ports

Question

I'm wondering how to properly configure AWS security to allow chrony to sync system time on a CentOS 7 instance.

I was running an earlier version of CentOS 7, which used chrony 1.29.1, and it worked with the below settings.

Instance Security Group: Outgoing UDP on port 123

Network ACL: Incoming UDP on port 123, and outgoing UDP on port 123.

However, when running yum update, or launching a new instance with the latest CentOS 7 release, which includes chrony 2.1.1, I can only get it to sync with the below configuration.

Instance Security Group: Outgoing UDP on port 123

Network ACL: Incoming UDP on all ports, and outgoing UDP on port 123.

What's going on here? Do I really need to allow incoming UDP on all ports for the network ACL now? Is this safe? I'm going to assume yes, because my security group doesn't allow incoming UDP traffic unless it previously established an outgoing connection, right?

Thanks.

Answer 1

No, because acquisitionport can be configured.

Even if the software didn't allow for such convenience, and a firewall didn't allow the return traffic of a flow, you still could open just a ephemeral port range and keep well known services closed.

Answer 2

Its quite old post but I put up-to date info here.

Since Nov 2017 Amazon introduced 'Amazon Time Sync Service'.

The Amazon Time Sync Service is available through NTP at the 169.254.169.123 IP address for any instance running in a VPC. Your instance does not require access to the internet, and you do not have to configure your security group rules or your network ACL rules to allow access.

So if your instance is running inside VPC you don't need to configure ACL and Security Groups for access to NTP server, just use 169.254.169.123 IP as NTP server.

More details how to configure NTP client(chrony) which uses Amazon Time Sync Service can be found here.