
I want to allow/disallow only certain application protocols like HTTP, MongoDB, AMQP, etc. on my running EC2 instance.
I could see that we can change inbound and outbound rules from security groups. However, it can only open or close TCP ports (transport layer protocol), not restrict an application layer protocol. I seek help with 2 things:

  1. Understand whether on cloud you can actually allow/restrict application protocols by security groups, or whether this is something I should take care of in my app itself.
  2. Say I have some MongoDB instance running on my EC2. Would restricting the inbound mongodb:// protocol actually make my MongoDB and EC2 more secure?

1 Answer


The short answer for 1 is that this is something you should take care of in your app layer.

From: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

If you have requirements that aren't met by security groups, you can maintain your own firewall on any of your instances in addition to using security groups.

The AWS Console for Security Groups provides some help with defining the TCP rule that corresponds to the application layer protocol. For example, selecting HTTP will pre-populate TCP over port 80. However, it does not provide application protocol checking.

Re: 2. Perhaps that should be separated into its own question.

JimmyL
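As an added illustration (not code from the question or the answer), the following contrasts what a security-group rule can express (transport protocol, port, source CIDR) with the application-layer check the answer says belongs in your app or a host firewall: parsing the MongoDB wire-protocol header to decide whether bytes arriving on TCP/27017 are MongoDB traffic at all. The rule set, the 10.0.0.0/16 application subnet and the sample payloads are constructed for this example.

```python
"""Constructed example: security-group matching (port/CIDR only) versus an
application-layer MongoDB protocol check. Not part of the original post."""
import ipaddress
import struct

# Security-group style rules. The console's "HTTP" preset is just TCP/80;
# a "MongoDB" rule would be TCP/27017. The payload is never examined here.
SG_RULES = [
    {"proto": "tcp", "port": 80, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "port": 27017, "cidr": "10.0.0.0/16"},  # constructed app subnet
]


def sg_allows(proto, port, src_ip, rules=SG_RULES):
    """Emulate security-group ingress matching: allowed if any rule matches."""
    ip = ipaddress.ip_address(src_ip)
    return any(r["proto"] == proto and r["port"] == port
               and ip in ipaddress.ip_network(r["cidr"]) for r in rules)


# MongoDB wire protocol header: four little-endian int32 fields
# (messageLength, requestID, responseTo, opCode).
MONGO_OPCODES = {2013: "OP_MSG", 2004: "OP_QUERY", 2012: "OP_COMPRESSED"}


def looks_like_mongodb(payload):
    """Application-layer check a host firewall, proxy or the app itself would
    need: the opcode name if the bytes parse as a MongoDB header, else None."""
    if len(payload) < 16:
        return None
    msg_len, _req, _resp, opcode = struct.unpack("<iiii", payload[:16])
    if msg_len < 16 or opcode not in MONGO_OPCODES:
        return None
    return MONGO_OPCODES[opcode]


# Constructed sample payloads arriving on TCP/27017
MONGO_MSG = struct.pack("<iiii", 16 + 5, 1, 0, 2013) + b"\x00" * 5  # OP_MSG-shaped
HTTP_ON_27017 = b"GET / HTTP/1.1\r\nHost: db\r\n\r\n"  # wrong protocol, right port


def classify(proto, port, src_ip, payload):
    """Two-stage decision: security-group layer first, then application layer."""
    if not sg_allows(proto, port, src_ip):
        return "blocked-by-security-group"
    app = looks_like_mongodb(payload)
    return f"mongodb:{app}" if app else "allowed-by-sg-but-not-mongodb"
```

The second stage is the part a security group cannot do: the HTTP request on port 27017 passes the security group exactly as the MongoDB message does.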