Securing VPC Resources with Security Groups
SPL-255 - Version 1.0.2
© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Security groups are virtual firewalls attached to Amazon Elastic Compute Cloud (Amazon EC2) instances. Security group rules define what traffic is allowed in or out of an instance. In this lab, you are a security monitor tasked with configuring access rules for Amazon EC2 instances. You must ensure that only authorized traffic is allowed into each instance. To accomplish this task, review what traffic should be allowed, and inspect the security group rules attached to an instance. Then, test connectivity and correct any misconfigured rules.
In this lab, an instance named AppServer, which acts as an application server, has been launched into a private subnet. This means that the instance is not accessible directly from the internet. To test the AppServer security group rules, you will first connect to an intermediary Amazon EC2 instance in a public subnet of the same virtual private cloud (VPC). The intermediary instance is known as a bastion host (or jump server) and therefore is named BastionHost. From the BastionHost connection, you will connect to and test the security group rules of the AppServer instance in the private subnet. Implementing a bastion host/jump server model is a common network security configuration to remotely administer private subnet resources.
There is a second Amazon EC2 instance named PublicServer in the public subnet. You will first use PublicServer to test and ensure that SSH traffic is only allowed into AppServer from BastionHost. This minimizes the risk of unauthorized SSH operations on AppServer. Later, you will duplicate security configuration from BastionHost to PublicServer to create a second bastion host for redundancy.
For simplicity, the agent for the AWS Systems Manager service has been installed on BastionHost and PublicServer. This allows you to use the Systems Manager Session Manager to instantly create an SSH session to either of those instances using a preconfigured URL in your browser. Toward the end of the lab, you will take a closer look at Session Manager as an alternative to using a traditional bastion host.
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive, one-click, browser-based shell or through the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.
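The lab scenario above (SSH into AppServer permitted only from BastionHost, then a second bastion created by reusing the bastion's security group) can be reasoned through in code. The following is an added example, not part of the lab guide or of AWS tooling: it models how security group ingress rules are evaluated, including a rule whose source is another security group. Group ids, subnet CIDRs and private IP addresses are assumed values constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int
    to_port: int
    source: str     # CIDR block, or a security group id (prefix "sg-")


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: list    # ids of the security groups attached to the instance


def ingress_allowed(dst, src, protocol, port, sg_rules):
    """Security groups are allow-only: traffic is permitted if ANY rule on ANY group
    attached to dst matches; there are no deny rules. A rule whose source is a group
    id matches when the sender has that group attached, whatever its IP address."""
    for gid in dst.groups:
        for r in sg_rules[gid]:
            if r.protocol not in ("-1", protocol):
                continue
            if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
                continue
            if r.source.startswith("sg-"):
                if r.source in src.groups:
                    return True
            elif ip_address(src.private_ip) in ip_network(r.source):
                return True
    return False


# Constructed topology: ids, CIDRs and addresses are assumptions, not the lab's values.
BASTION = Instance("BastionHost", "10.0.0.10", ["sg-bastion"])  # public subnet
PUBLIC = Instance("PublicServer", "10.0.0.20", ["sg-public"])   # public subnet
APP = Instance("AppServer", "10.0.1.10", ["sg-app"])            # private subnet


def audit_ssh(app_rules, public=PUBLIC):
    """Which instances can open TCP/22 to AppServer under the given sg-app rules?"""
    rules = {"sg-bastion": [], "sg-public": [], "sg-app": app_rules}
    return {i.name: ingress_allowed(APP, i, "tcp", 22, rules) for i in (BASTION, public)}


TOO_BROAD = [Rule("tcp", 22, 22, "10.0.0.0/24")]       # whole public subnet: PublicServer gets in
LEAST_PRIVILEGE = [Rule("tcp", 22, 22, "sg-bastion")]  # reference the bastion's group instead
# Second bastion for redundancy: attach sg-bastion to PublicServer; sg-app needs no change.
SECOND_BASTION = Instance("PublicServer", "10.0.0.20", ["sg-public", "sg-bastion"])
```

Running `audit_ssh` with `TOO_BROAD` shows PublicServer reaching port 22, with `LEAST_PRIVILEGE` only BastionHost does, and passing `SECOND_BASTION` as the public instance shows the group reference extending access without touching the AppServer rules.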
After completing this lab, you will be able to:
- Examine security groups and determine what traffic is allowed.
- Change which security groups are applied to Amazon EC2 instances.
- Update security groups to follow the principle of least privilege.
- Understand how security groups can reference other security groups.
- Understand how to leverage Session Manager to connect to instances.
This lab requires:
- Access to a notebook computer with Wi-Fi and Microsoft Windows, macOS, or Linux (Ubuntu, SuSE, or Red Hat)
- Note: The lab environment is not accessible using an iPad or tablet device, but you can use these devices to access the student guide.
- For Microsoft Windows users: Administrator access to the computer
- An internet browser such as Chrome, Firefox, or Internet Explorer 9 (previous versions of Internet Explorer are not supported)
- Optional: An SSH client such as PuTTY
This lab requires about 45 minutes to complete.
AWS services not used in this lab
AWS services that are not used in this lab are disabled in the lab environment. In addition, the capabilities of the services used in this lab are limited to what the lab requires. Expect errors when accessing other services or performing actions beyond those provided in this lab guide.