0

I have an ec2 instance where I have installed mysql. The server listens to connections from any ip (bind-address = 0.0.0.0).

I have set up the mysql security group in such a way that only my webapp instances can connect remotely to the mysql db. For this I added a webapp-sg security group to my instance (webapp-sg restricts to http, https and ssh) Then for my mysql instance, I simply used the webapp-sg group as the "source". I have verified that 1. I can not remotely log in from outside ec2 instances 2. Within ec2 instance, I have to be on an ec2-instance that has the security group =webapp-sg

However, traffic between the webapp instance and mysql db would still be in clear text. What are the implications? (I see many articles that recommend the above set up). Do people use "Mysql over ssl" for this - I suspect that would have performance implications? Or does aws vpc resolve this?

serverman
  • 1,314
  • 5
  • 22
  • 39

1 Answers1

3

Short answer: this is the recommended way to operate. Go for it.

Longer: It depends. Depends on the level of the security your app requires, and amount of work, complexity, availability and maintenance you are willing to spend. While theoretically it is advised that any inter-machine traffic should be encrypted, especially on a multi-tenant environment like public clouds - AWS has spent a lot of effort to make their basic security groups offering a solid one. see 'Network Security' chapter

That, would make both eavesdropping or packet-spoofing very unlikely. If you'll be realistic, there is a greater chance (by orders of magnitude) that hackers could use your web app bugs and vulnerabilities as the primary attack vector.

Also probable, is a the chance of security groups misconfiguration. Dedicated services like Dome9 and Newvem might assist in getting insights and in managing you security configurations. (disclosure - I'm Dome9 co-founder)

Last, VPC. While not architectually much different from EC2, it is recommended since it brings more configuration power, and a 2nd method to enforce your policy (Network ACLs). This might introduce some complexity and more maintenance, but can reduce misconfiguration effects.

Froyke
  • 1,115
  • 7
  • 13
  • Thank you, Froyke! In that case, the elb configuration can also use http within the instances, correct? Meaning internet -> elb must use https, of course, but elb to aws instances traffic can safely use http for the same reasons as above assuming security groups are set up in a way that the web apps can only get traffic from the aws load balancer security group. Is my thinking correct? – serverman Dec 02 '12 at 16:46
  • Serverman, there is security practice regarding encrypted /decrypted values separation. Also, with EC2 ELB it seems (to me) like security was an afterthought (security groups were only added after it was announced and the connection between your security groups and the AWS controlled ELB security group feels like a hack [as opposed to VPC ELB SG]). Since AWS has spend their resources on making it feasible and accessible you can consider giving it a try - since it does not add too much complexity to your setup. (assuming you have some sensitive data). – Froyke Dec 03 '12 at 11:31
  • Hi Froyke Thanks! I have settled on the following for now: Browser -> ELB (https), ELB-> backend(straight passthrough of https - no certificate management at the ELB). For the mysql db data, I would go with the sg based setup mentioned in the question. Later, I would beef this one up with VPC. – serverman Dec 05 '12 at 18:55
  • Just pay attention to the certificate distribution/installation procedures. That process is greatly simplified by using ELB SSL termination... – Froyke Dec 06 '12 at 11:41