How to Edit Inbound Traffic Rules for Default Security Groups
Filter Inbound Traffic Based on Ports and Protocols
Amazon describes a security group as, “A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance.” In this demo, AWS expert Mike Wise will walk through how to modify default security group rules in order to restrict inbound traffic. You’ll learn how to filter traffic based on protocols or port ranges and how this will impact your inbound traffic.
- From the AWS Management Console, navigate to EC2 and then the Security Groups section.
- Each existing VPC has a default security group attached. Today, we’re going to focus on default security groups because their default inbound rule set places no meaningful restriction on traffic.
- Select a security group with the Default security group name, then click the Edit Inbound Rules button.
- Edit the rule type to Custom TCP and then appropriately adjust the port range, source, and description.
For a visual guide on how to edit inbound rules for default security groups, watch the full demo.
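Added example, not code from the demo or from AWS: a small Python audit that reads the JSON shape `aws ec2 describe-security-groups` returns, flags default groups whose inbound rule is still “all traffic from this group”, and emits the AWS CLI commands that replace it with the Custom TCP port-80-from-itself rule the demo builds in the console. Group, VPC and account IDs are constructed placeholders, and the revoke step assumes the source group lives in the same account.

```python
"""Audit default security groups for the allow-all self-referencing inbound rule.

Added example, not the demo's code. Input is the JSON shape returned by
`aws ec2 describe-security-groups`; all IDs below are constructed placeholders.
"""
import json

# Constructed sample: two default groups, one still on the stock rule,
# one already restricted to TCP/80 from itself (as in the demo).
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0default00000001", "GroupName": "default",
     "VpcId": "vpc-0example00000001",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0default00000001",
                                              "UserId": "111122223333"}]}]},
    {"GroupId": "sg-0default00000002", "GroupName": "default",
     "VpcId": "vpc-0example00000002",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0default00000002",
                                              "UserId": "111122223333"}]}]},
]}

def allows_all_from_self(rule, group_id):
    """True for the stock default rule: all protocols and ports, source = the group itself."""
    return rule.get("IpProtocol") == "-1" and any(
        pair.get("GroupId") == group_id for pair in rule.get("UserIdGroupPairs", []))

def audit_default_groups(response):
    """Return (group_id, vpc_id) for every default group still carrying that rule."""
    return [(sg["GroupId"], sg["VpcId"]) for sg in response["SecurityGroups"]
            if sg["GroupName"] == "default"
            and any(allows_all_from_self(r, sg["GroupId"]) for r in sg["IpPermissions"])]

def remediation_commands(group_id, port=80):
    """AWS CLI commands that replace the allow-all rule with Custom TCP <port> from the same group."""
    # Same-account assumption: matching the pair on GroupId alone is enough to revoke it.
    revoke = json.dumps([{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": group_id}]}])
    return [
        f"aws ec2 revoke-security-group-ingress --group-id {group_id} --ip-permissions '{revoke}'",
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
        f"--protocol tcp --port {port} --source-group {group_id}",
    ]

if __name__ == "__main__":
    for gid, vpc in audit_default_groups(SAMPLE_RESPONSE):
        print(f"{gid} ({vpc}) allows all inbound traffic from itself")
        print("\n".join(remediation_commands(gid)))
```

Run it against real output by loading `aws ec2 describe-security-groups --output json` with `json.load` in place of SAMPLE_RESPONSE; review the printed commands before executing them.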
Transcription
Hello everyone! Welcome to today’s demo. Today, we’re going to talk about default security groups that are deployed for your VPC. Every time you create a VPC, it automatically comes with a default security group. If you don’t specify a different security group when you launch an instance, the instance associates with that default security group. As you can understand from that kind of methodology, it’s really important that we audit our security groups to make sure that they are appropriately secured in our environment.
To do this, we’re going to log into the AWS Management Console and we’re going to go take a look at the default security groups that are created for an example VPC. When you log in, click on “EC2” then you’re going to go to “Security Groups.” As you can see here, I have a couple of different VPCs created and each VPC has a default security group created. An important thing to note is that you can’t delete the default security groups. Amazon will block the deletion of that group, but you can modify them.
So, we’re going to go take a look at a default security group and see what rules are created when they’re initially set up. As you can see, this default security group has this specific rule set on the inbound side: all traffic on all protocols for all port ranges for the source of this security group. What does that mean? This means it allows all inbound traffic from network interfaces and their associated instances that are assigned to the same security group. So basically, anything that has this associated security group attached, it’s going to allow all traffic from there. As you can probably surmise, this can potentially lead to a problem. We want to be sure that we edit the security group rules to appropriately restrict traffic so that if, by unintended consequence, someone launches an instance and it gets attached to the default security group, it still has some appropriate security group rules in there.

So how do we do that? You could do it one of two ways. You could create a TCP rule and then specify what that security group rule is going to do. Let’s select “Custom TCP” and the only thing it’s going to allow is port 80, but it’s only going to allow port 80 for traffic from this particular security group. Whatever the case may be, you can create custom rule sets for the security groups so that only those specific rule sets are in place. You don’t want to leave the default-all in there because that is a little bit overly permissive for the security group. We want to make sure that any instances that are attached to the security group are appropriately secured if they do get deployed in the security group. Thank you for viewing this demo and have a great day!