
AWS security groups can protect EC2 from outside AWS. How about from other instances inside the AWS network?

Can they protect EC2 from being attacked by other instances inside AWS?

------------------------
| AWS                  |
|     EC2-1   EC2-2    |   ------ outside
------------------------

For example, port 8080 is open in EC2-1.

eastwater
  • You're asking if you can protect from your own instances? – Anon Coward Jul 02 '23 at 22:46
  • Yes. Its security group is set up for 8080 allowed only from my own IP address. It works from outside AWS. How about from inside AWS? The security group is virtual, not set up on the EC2 instance. – eastwater Jul 02 '23 at 23:00
  • If you want to block two instances from talking to each other, put them on different VPCs with different security groups to prevent them from talking to each other. – Anon Coward Jul 02 '23 at 23:08
  • Trying to block access from other instances inside AWS, not my own instances. If I set up a firewall on my instance, it will do. Not sure about AWS security groups. – eastwater Jul 02 '23 at 23:56
  • Security groups apply to all traffic, including from other instances. If your only allow rule is from a specific IP, that's the only IP that can access. – jordanm Jul 02 '23 at 23:59
  • Other instances in AWS necessarily run on other VPCs; they cannot access your instance through any means other than whatever it makes public. – Anon Coward Jul 03 '23 at 00:13

1 Answer


By default, resources including Amazon EC2 instances cannot communicate with each other. (The management console will offer some standard security groups that do permit this communication, but it is your choice to accept them.)

If you want to permit inbound communication to/from resources, you must configure Security Groups.

Security Groups have two sets of rules:

  • Inbound rules, where communications are initiated from outside of the resource, and
  • Outbound rules, where communication is initiated from the resource to something outside of the resource

Note that these rules apply to any traffic in/out of the resource, not just traffic to/from the Internet.

If two Amazon EC2 instances are in the same VPC, they can only communicate with each other if there are:

  • Outbound rules that permit the traffic, and
  • Inbound rules that permit the traffic

For example, if Instance-A wants to communicate with Instance-B, then:

  • Instance-A requires an Outbound rule that permits traffic to go to Instance-A, and
  • Instance-B requires an Inbound rule that permits traffic from Instance-A to be received by Instance-B

Some people think that if multiple instances are "in the same Security Group" then they can communicate with each other. However, this is not true. Resources are not "in" security groups. Rather, each Security Group applies to each instance individually. If two instances have been assigned the same security group, then they can only communicate if the security group permits outbound connections to itself and also permits inbound connections to itself.

To answer your question "Can they protect EC2 from being attacked by other instances inside AWS?", the answer is YES. That is exactly what they do. They go further than preventing "being attacked". They actually block all traffic unless it is specifically allowed, whether or not that traffic is an 'attack'.

John Rotenstein
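The evaluation the answer describes, as an added example that is not part of the original answer or of any AWS code: a small Python model of security group semantics (allow-only rules, default deny, sender outbound plus receiver inbound both required, and a self-referencing rule on a shared group). The group ids, private addresses and the asker's "own IP" are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
@dataclass
class Rule:
    port: int = None   # None means any port
    cidr: str = None   # peer given as a CIDR block ...
    sg: str = None     # ... or as a referenced security group id

@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)   # allow rules only; there are no deny rules
    outbound: list = field(default_factory=list)

@dataclass
class Instance:
    private_ip: str
    sgs: list          # security groups attached to this instance
def rule_matches(rule, port, peer_ip, peer_sgs):
    # Port fits, and the peer is inside the rule's CIDR or carries the referenced group.
    if rule.port not in (None, port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return rule.sg in {g.sg_id for g in peer_sgs}

def inbound_allows(dst, port, peer_ip, peer_sgs=()):
    """Default deny: True only if some inbound rule on dst's groups admits this peer."""
    return any(rule_matches(r, port, peer_ip, peer_sgs) for g in dst.sgs for r in g.inbound)

def can_connect(src, dst, port):
    """Instance-to-instance traffic needs src's outbound AND dst's inbound to allow it."""
    out_ok = any(rule_matches(r, port, dst.private_ip, dst.sgs) for g in src.sgs for r in g.outbound)
    return out_ok and inbound_allows(dst, port, src.private_ip, src.sgs)

ANY_OUT = Rule(cidr="0.0.0.0/0")   # the console's default "allow all outbound"
# The asker's setup (constructed ids and addresses): 8080 allowed only from their own public IP.
sg_web = SecurityGroup("sg-web", inbound=[Rule(8080, cidr="203.0.113.10/32")], outbound=[ANY_OUT])
ec2_1 = Instance("10.0.1.10", [sg_web])
ec2_2 = Instance("10.0.1.20", [SecurityGroup("sg-other", outbound=[ANY_OUT])])  # same VPC
# Two instances sharing one group: self-referencing rules versus none.
sg_self = SecurityGroup("sg-self", inbound=[Rule(sg="sg-self")], outbound=[Rule(sg="sg-self")])
sg_plain = SecurityGroup("sg-plain", outbound=[ANY_OUT])
a_self, b_self = Instance("10.0.2.1", [sg_self]), Instance("10.0.2.2", [sg_self])
a_plain, b_plain = Instance("10.0.2.1", [sg_plain]), Instance("10.0.2.2", [sg_plain])

print("owner IP -> EC2-1:8080 ", inbound_allows(ec2_1, 8080, "203.0.113.10"))  # True
print("EC2-2    -> EC2-1:8080 ", can_connect(ec2_2, ec2_1, 8080))              # False
print("same SG, self-reference", can_connect(a_self, b_self, 22))               # True
print("same SG, no self-ref   ", can_connect(a_plain, b_plain, 22))             # False
```

The second line is the asker's case: EC2-2 sits in the same VPC and has a permissive outbound rule, yet it is still dropped at EC2-1 because the only inbound allow is the owner's /32.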