AWS Security Group for RDS - Outbound rules

坚强是说给别人听的谎言 提交于 2019-12-04 06:42:08

问题


I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.

However, this security group has all outbound traffic enabled for all traffic for all IP's.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?


回答1:


What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It is a good idea to have a clear control over outbound connections as well.

In your RDS group: delete all outbound rules (by default, there is rule that allows outbound connections to all ports and IP's -> just delete this "all-anywhere" rule).

Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection, no outbound rules need to be defined in this case at all.




回答2:


By default, all Amazon EC2 security groups:

  • Deny all inbound traffic
  • Allow all outbound traffic

You must configure the security group to permit inbound traffic. Such configuration should be limited to the minimal possible scope. That is, the fewest protocols necessary and smallest IP address ranges necessary.

Outbound access, however, is traditionally kept open. The reason for this is that you would normally "trust" your own systems. If they wish to access external resources, let them do so.

You are always welcome to restrict Outbound access, especially for sensitive systems. However, determining which ports to keep open may be a challenge. For example, instances may want to download Operating System updates, access Amazon S3 or send emails.




回答3:


When using Security Goups (as opposed to ACL rules) all inbound traffic is automatically allowed in outbound traffic so outbound rules may be empty in your case.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It's a risk only if you RDS is in a public subnet inside your VPC.

Best practices recommend in your scenario to have a public subnet within your web server and a private subnet for all private resources (RDS, other private services, etc).

As you can see in the image, hosting your RDS inside a private subnet there is no way to access it from outside your VPC



来源:https://stackoverflow.com/questions/40395934/aws-security-group-for-rds-outbound-rules

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!