AWS Security Blog

Use AWS Firewall Manager and VPC security groups to protect your applications hosted on EC2 instances

June 21, 2024: This blog was updated to reflect new service features and console changes, and to add additional resources.

You can use AWS Firewall Manager to centrally configure and manage Amazon Virtual Private Cloud (Amazon VPC) security groups across all your AWS accounts. This post will take you through the step-by-step instructions to apply common security group rules, audit your security groups, and detect unused and redundant rules in your security groups across your AWS environment.

In this post, I’ll show you how to create and enforce a primary set of security group rules by using a common security group policy, while still allowing developers to deploy and manage application-specific security group rules. In the example below, the security group rules you’ll create will allow SSH access only from the public IP address of the bastion host, and set a policy that prohibits any security group rules that allow SSH access from everywhere (port 22).

When you use Firewall Manager to centrally apply a common security group policy, you can do things such as make sure that all Application Load Balancers only talk to Amazon CloudFront, or the Secure Shell (SSH) protocol is only allowed from specific IP ranges, or to give system administrators access to a central database.

In many organizations, developers write their own security group rules for their applications. However, if you’re a security administrator, you will want to audit the security group rules so you’ll know when a security group is misconfigured. Using a content audit security group policy, you can set guardrails on which security group rules can or cannot be created across your organization. For example, you could only allow security group rules on ports 10-1000, or specify that you do not allow security group rules on port 23.

As an administrator, you also want to simplify operations by detecting unused and redundant security groups across AWS accounts. You can use a usage audit policy to help identify unused and redundant security groups.

If you haven’t used these services before, here’s a quick overview:

  1. AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations by using AWS Config in the background. Using AWS Firewall Manager, you can quickly roll out AWS WAF rules, create AWS Shield Advanced protections, and enable security groups for your Amazon Elastic Compute Cloud (Amazon EC2) and elastic network interface resource types in Amazon VPCs.
  2. VPC security groups act as a virtual, stateful firewall for your Amazon Elastic Compute Cloud (Amazon EC2) instance to control inbound and outbound traffic. You can specify separate rules for inbound and outbound traffic, and instances associated with a security group can’t talk to each other unless you add rules allowing it.

After you put the primary set of security group rules in place, you’ll get notification of the noncompliant changes made by the developers. You can take remediation action if necessary by using an audit security group policy. In this post, you’ll also set up a usage security group policy, so that you can flag unused security groups and merge redundant security groups for simpler administration.

Prerequisites

AWS Firewall Manager has the following prerequisites:

  • AWS Organizations: Your organization must be using AWS Organizations to manage your accounts, and All Features must be enabled. For more information, see Creating an Organization and Enabling All Features in Your Organization.
  • An administrator AWS Account: You must designate one of the AWS accounts in your organization as the administrator for Firewall Manager. This gives the account permission to deploy AWS WAF rules across the organization.
  • AWS Config: You must enable AWS Config for all of the accounts in your organization, so that AWS Firewall Manager can detect newly created resources. To enable AWS Config for all of the accounts in your organization, you can use the Enable AWS Config template on the StackSets Sample Templates page. For more information, see Getting Started with AWS Config.

Note: You’ll be charged $100 per policy per month. In the solution in this post, you’ll create three policies. In addition, AWS Config charges also apply. For more information, see AWS Firewall Manager pricing and AWS Config pricing.

Overview

The diagram below illustrates the following steps:

  1. Complete the prerequisites that were outlined in the prerequisites section above.
  2. Select a primary security group within AWS Firewall Manager. This VPC security group gets replicated as a new security group to every resource within the policy scope.
  3. In AWS Firewall Manager, create policies that can be applied to individual application security groups by mapping them to specific application name/value tags. The policies you create will result in the generation of individual new security groups. In this example, EC2 instances are tagged with Env=Prod.
  4. Application developers can build additional app-specific security group rules created in the previous step.

Figure 1: Overview of solution

Figure 1: Overview of solution

Create a common security group policy

You’ll begin by creating a common security group policy to push primary security group rules across all accounts.

  1. Sign in to the AWS Management Console using the AWS Firewall Manager administrator account that you set up in the prerequisites. If you do not have a primary security group built, then open the Amazon VPC console and create your primary security group by following the Create a security group documentation in the Amazon VPC User Guide. For my example, I use the following rules for bastion host connectivity in the US West (Oregon) Region. For ingress rules, access is allowed on Port 22 from 203.0.113.1/32. For egress rules, all traffic on all ports is allowed.
  2. Open the Firewall Manager console and in the navigation pane, under AWS Firewall Manager, choose Security policies.
  3. Using the Filter menu, select the AWS Region where your application is hosted and choose Create policy. In my example, I choose US West (Oregon).
  4. For Policy type, choose Security group.
  5. For Security group policy type, choose Common security groups, then choose Next.
  6. Enter a policy name. In my example, I’ve named my policy Test_Common_Policy.
  7. Policy rules allow you to choose how the security groups in this policy are applied and maintained. For this tutorial, choose Identify and report when the security groups created by this policy become noncompliant, and leave the other options unchecked.
  8. For Primary security groups, choose Add security groups to see all security groups in your account in your specified AWS Region. Select your chosen security groups. For my example, I have chosen the security group from step one that allows bastion host connectivity.
  9. After you select the primary security group, choose Add for your selected security groups.
  10. For Policy action, choose Identify resources that don’t comply with the policy rules, but don’t auto remediate. By selecting this option, Firewall Manager will notify you of any noncompliant security groups, but will not auto-remediate. Choose Next.
  11. For Policy scope, select the following:
    1. For AWS accounts this policy applies to, choose Include all accounts under my organization.
    2. For Resource Type, choose EC2 instances.
    3. For Remediation on EC2 instances, for this example, choose Include only the default elastic network interface on each EC2 instance.
    4. For Resources, choose Include only resources that have all the specified resource tags.
    5. For Resource tags, choose Add new tag.
    6. For Key, enter Env.
    7. For Value, enter Prod.
    8. Choose Next.
  12. Review the security policy, then choose Create policy.

    Figure 2: Summary of Common Security Group policy

    Figure 2: Summary of Common Security Group policy

The security policy will review the EC2 instances in your child accounts in your specified AWS Region and provide a list of noncompliant resources. You can then take the remediation action of changing the security policy action to Auto remediate any noncompliant resources, and the noncompliant security group rules will be removed. Alternatively, you can check the noncompliant resources, then log into the AWS account and take remediation action manually.

Create an audit security group policy

Now, you’ll create a content audit security group policy to apply policy actions to the rules that are in use in your organization’s security groups. I will use the security group rule that allows port 22 access from an allowed IP subnet of 203.0.113.1/32.

  1. In the AWS Management Console, select AWS WAF and AWS Shield.
  2. In the navigation pane, under AWS Firewall Manager, choose Security policies.
  3. In the Filter, select the AWS Region where your application is hosted and choose Create policy. In my example, I will choose US West (Oregon).
  4. For AWS services, choose Security group. For Security group policy type, choose Auditing and enforcement guidelines for security group rules, then choose Next.
  5. Enter a policy name. In my example, I’ve named my policy Test_Audit_Policy.
  6. For Policy rule options, choose Configure custom policy rules.
  7. For Policy rules, select Allow only the rules defined in the audit security groups.
  8. Choose Add security groups to see all security groups in your account in your specified AWS Region.
  9. After you select the audit security group, choose Add.
  10. For Policy action, select Identify resources that don’t comply with the policy rules, but don’t auto remediate. By selecting this option, Firewall Manager will notify you of any noncompliant security groups, but will not auto-remediate. Choose Next.
  11. For Policy scope, select the following:
    1. For AWS accounts this policy applies to, choose Include all accounts under my organization.
    2. For Resource type, choose Security group.
    3. For Resources, choose Include only resources that have all the specified resource tags.
    4. For Resource tags, choose Add new tag.
    5. For Key, enter Env.
    6. For Value, enter Prod.
    7. Choose Next.
  12. Review the security policy and choose Create policy.

Figure 3: Summary of Audit Security Group policy

Figure 3: Summary of Audit Security Group policy

The security policy will audit the security groups in your child accounts that are tagged with Env = Prod in your specified AWS Region. If Firewall Manager detects that security groups exist that allow port 22 access from any source IP range except 203.0.113.1/32, you’re notified when the Firewall Manager service marks the resource as noncompliant. You can then take the remediation step of changing the security policy action to Auto remediate any noncompliant resources. The noncompliant security group rules will then be removed. Alternatively, you can check the noncompliant resources, then log into the AWS account and take remediation action manually.

Create a usage security group policy

Lastly, you’ll create a usage security group policy to remove unused security groups, and to merge redundant security groups.

  1. In the AWS Management Console, select AWS WAF and Shield.
  2. In the navigation pane, under AWS Firewall Manager, choose Security policies. In the Filter, select the AWS Region where your application is hosted and choose Create policy. In my example, I am choosing US West (Oregon).
  3. For AWS services, choose Security group. For Security group policy type, choose Auditing and cleanup of unused and redundant security groups. Choose Next.
  4. Enter a policy name. In my example, I’ve named my policy Test_Usage_Policy.
  5. For Policy rules, select both: Security group within this policy scope must be used by at least one resource, and Security groups within this policy scope must be unique. Also leave minutes since last change set to 0.
  6. For Policy action, select Identify resources that don’t comply with the policy rules, but don’t auto remediate. Choose Next.
  7. For Policy scope, select the following:
    1. For AWS accounts this policy applies to, choose Include all accounts under my organization.
    2. For Resource type, choose Security group.
    3. For Resources, choose Include only resources that have all the specified resource tags.
    4. For Resource tags, choose Add new tag.
    5. For Key, enter Env.
    6. For Value, enter Prod.
    7. Choose Next.
    8. It is a best practice that when you set the policy scope, you exclude the Firewall Manager administrator account. When you create a usage audit security group policy through the console, this is the default option.
  8. Review the security policy and choose Create policy.

Figure 4: Summary of Usage Security Group policy

Figure 4: Summary of Usage Security Group policy

The security policy will review the security groups in your child accounts in your specified AWS Region and check if there are security groups that are not associated with a resource. The security policy will also review if there are duplicate security group rules. Security groups created in the future will also be checked for this. If Firewall Manager detects that a security groups exists that is not associated with a resource or has overlapping rules, you’ll be notified when Firewall Manager Service marks the resource as noncompliant. You can then take the remediation action of editing the security policy action to Auto remediate any noncompliant resources. For redundant security groups, Firewall Manager selects one of the security groups in the set to keep, associates it to the resources that are associated with the other security groups in the set, and then disassociates the other security groups, which renders them unused. Unused security groups are removed in accordance with the policy rule time period. Alternatively, you can check the noncompliant resources, then log into the AWS account and take remediation action manually.

Conclusion

In this post, you learned how you can create AWS Firewall Manager rules using the console. Using both VPC security groups and AWS Firewall Manager, you created a deployment strategy that enables the developers in your organization to maintain a security mindset and begin creating security group rules, while at the same time making sure that the applications are still protected by a set of security group rules defined by your organization’s security team. In addition, you have reduced the likelihood of misconfigured or overly permissive security groups, as well as the operational burden, by simplifying the security groups created in your member accounts.

For further reading, see AWS Firewall Manager Update – Support for VPC Security Groups and How to continuously audit and limit security groups with AWS Firewall Manager.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Firewall Manager forum or contact AWS Support.

 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Kaustubh Phatak

Kaustubh Phatak
Kaustubh is a Cloud Support Engineer II at AWS. On a daily basis, he provides solutions for customers’ cloud architecture questions related to Networking, Security, and DevOps domain. Outside of the office, Kaustubh likes to play cricket, ping-pong, and soccer. He is also an avid console gamer.

Alonza Turner

Alonza Turner
Alonza is a Solutions Architect at AWS based out of Arlington, VA. As a military veteran, he has experience leading and collaborating cross-functionally to achieve success. Today he uses that experience to assist customers across various industries in their journeys of modernization and cloud adoption.