A better way to use security groups to limit access between your EC2 instances in AWS

I have seen many people use security groups in AWS to limit which of their servers can connect to others; for example, a Redis server might have port 6379 opened up to the internal network 10.0.0.0/24, so that any EC2 instance with an address between 10.0.0.1 and 10.0.0.254 can connect to it. But this means that if an attacker gets access to any EC2 instance in the 10.0.0.0/24 network, they can reach the Redis server directly from that foothold, whether or not the instance they landed on had any business talking to Redis. We can do better with an even more fine-grained configuration that limits access to the Redis server to exactly those instances that need it.

Let's say Redis lives on an instance with address 10.0.0.8, and we have application servers with addresses 10.0.0.53 and 10.0.0.54. We can assign a security group to the Redis instance that only allows 10.0.0.53/32 and 10.0.0.54/32 to access port 6379 (see the illustration below).

[Illustration: security-group-1.jpeg, the Redis instance's security group with inbound rules for port 6379 from 10.0.0.53/32 and 10.0.0.54/32]

But what if these are part of an auto-scaling group, and suddenly we get another instance of our application server added automatically because of increased load? It would not be feasible to manually administer the IP addresses that are allowed to access the Redis server every time an instance is added, replaced or terminated.

Instead, AWS lets a security group rule name another security group as its source, which gives us this fine-grained control of our firewall without tracking any addresses at all.

First, instead of limiting access to certain IPs, our Redis instance's security group gives access on port 6379 to another security group. In this case, 'redis-server-prod' is the security group on the Redis instance, and it allows all other instances that have security group 'redis-client-prod' attached to them to access port 6379. The 'redis-client-prod' security group must be created first (it can be empty, since it is the membership that matters, not its rules), and after that the rule can be added to the 'redis-server-prod' security group as below. Two things are worth knowing about how such a rule is evaluated: referencing a group does not copy that group's rules into 'redis-server-prod', it only identifies the allowed sources; and the match is made against the private IP addresses of the instances carrying 'redis-client-prod', so clients must connect to the Redis instance's private address (not a public or Elastic IP) for the rule to apply.

[Illustration: security-group-2-edited.jpeg, the 'redis-server-prod' inbound rule for port 6379 with 'redis-client-prod' as its source]

Next, we assign 'redis-client-prod' to all instances that need to connect to the Redis server. An instance can carry several security groups, so this one can sit alongside whatever groups the application servers already have. For auto-scaling, this is done by including 'redis-client-prod' in the launch template (or launch configuration) the auto-scaling group uses, so that every instance it spawns gets the group automatically.
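The following is an added example, not code from the original post: it builds the ingress rule described above in the structure that the EC2 API's authorize_security_group_ingress call takes (a group in UserIdGroupPairs rather than an address in IpRanges), and it audits a security group description in the shape returned by describe-security-groups to confirm that port 6379 is only reachable from a group, never from a CIDR. The group IDs and the two sample descriptions ('before' with the 10.0.0.0/24 rule, 'after' with the group-referencing rule) are constructed for illustration.

```python
"""Build and audit group-referencing ingress rules for a Redis security group.

Added example, not code from the original post. The group IDs, port and sample
describe-security-groups output below are constructed for illustration.
"""

REDIS_PORT = 6379

# Hypothetical IDs for the two groups the post describes.
REDIS_SERVER_SG = "sg-0aaa000000000001"   # 'redis-server-prod'
REDIS_CLIENT_SG = "sg-0bbb000000000002"   # 'redis-client-prod'


def group_source_rule(port, source_sg_id, description=""):
    """Return one IpPermissions entry whose source is a security group, not a CIDR.

    This is the structure passed as IpPermissions=[...] to
    ec2.authorize_security_group_ingress(GroupId=server_sg, ...); the
    'UserIdGroupPairs' key is what makes the rule match by group membership
    (private addresses of the member instances) rather than by address range.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id, "Description": description}],
    }


def apply_rule(ec2, server_sg_id, permission):
    """Attach the rule to the server group using a boto3 EC2 client (not run here)."""
    return ec2.authorize_security_group_ingress(
        GroupId=server_sg_id, IpPermissions=[permission]
    )


def audit_port_ingress(security_group, port):
    """Classify the sources of every ingress rule that covers `port`.

    `security_group` is one entry of the 'SecurityGroups' list returned by
    describe-security-groups. Returns (cidr_sources, group_sources); anything
    in cidr_sources means an address range, not a group, can reach the port.
    """
    cidr_sources, group_sources = [], []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # '-1' means all protocols and carries no port range, so it always covers `port`.
        if proto == "tcp" and not (
            perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        ):
            continue
        cidr_sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidr_sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        group_sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return cidr_sources, group_sources


def only_group_sources(security_group, port):
    """True when `port` is reachable only via group-referencing rules."""
    cidrs, groups = audit_port_ingress(security_group, port)
    return not cidrs and bool(groups)


# Constructed samples in the shape of `aws ec2 describe-security-groups` output.
BEFORE = {  # the subnet-wide rule from the start of the post
    "GroupId": REDIS_SERVER_SG,
    "GroupName": "redis-server-prod",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": REDIS_PORT, "ToPort": REDIS_PORT,
        "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
    }],
}
AFTER = {  # the same group once the rule references 'redis-client-prod'
    "GroupId": REDIS_SERVER_SG,
    "GroupName": "redis-server-prod",
    "IpPermissions": [group_source_rule(REDIS_PORT, REDIS_CLIENT_SG, "app servers")],
}


if __name__ == "__main__":
    for name, sg in (("before", BEFORE), ("after", AFTER)):
        cidrs, groups = audit_port_ingress(sg, REDIS_PORT)
        print(f"{name}: cidr sources={cidrs} group sources={groups} "
              f"ok={only_group_sources(sg, REDIS_PORT)}")
```

The same rule can be created from the CLI with `aws ec2 authorize-security-group-ingress --group-id <redis-server-prod id> --protocol tcp --port 6379 --source-group <redis-client-prod id>`; feeding the JSON from `aws ec2 describe-security-groups --group-ids <redis-server-prod id>` into audit_port_ingress is a cheap check to run after any change, since a single leftover CIDR rule on 6379 silently reopens the subnet-wide access the post set out to remove.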

If we follow this strategy, we no longer have to manage any IPs in our Redis firewall, and instances that scale in and out pick up the right access automatically. The trust boundary is now membership of 'redis-client-prod', so keep that group attached only to instances that actually need Redis and review its membership as part of any change: an attacker who compromises one of those instances can still reach Redis, but an attacker on any other instance in the subnet no longer can.