Security Group - VittorioDeMarzi/hero-beans GitHub Wiki
🔐 What are Security Groups (SGs) in AWS?
They are virtual firewalls that control inbound and outbound traffic for your resources (like EC2 instances, ALBs, RDS databases, etc.).
- They operate at the instance level, not the subnet level. This means each EC2 instance or ALB can have one or more Security Groups associated with it.
- They are stateful, which is a key difference from traditional firewalls. If you allow inbound traffic on port 8080, the corresponding outbound response is automatically allowed, even without a specific outbound rule.
- You can use another Security Group as a source/destination instead of an IP address. This is a powerful feature that allows you to securely connect services, like an ALB to EC2 instances, without opening ports to the entire internet.
🧩 Why This Step is Important
In the architecture from the Tech Hero course, we have an Application Load Balancer (ALB) and EC2 instances. A proper Security Group setup is crucial.
- The ALB must receive requests from the public internet. → It needs a Security Group (let's call it `SG-ALB`) that is open on port 80 for HTTP (and later 443 for HTTPS).
- The EC2 instances must only receive traffic from the Load Balancer. → We do not want anyone on the internet to directly access our application at `http://<ec2-public-ip>:8080`. The solution is to create a rule that says: only traffic coming from `SG-ALB` can reach the EC2 instances on port 8080. Essentially, the public talks to the ALB, and only the ALB is allowed to talk to your instances.
- SSH access should be restricted to your IP. → To prevent automated brute-force attacks on SSH, you should only allow access to port 22 from your personal IP address (e.g., `203.0.113.55/32`).
✅ What You Actually Need to Do
Following the example from the Tech Hero course:
- Create a new Security Group for the ALB (we'll call it `SG-ALB`) with the following rules:
  - Inbound: `HTTP` on port `80` from source `0.0.0.0/0` (and `::/0` if you want to allow IPv6).
  - Outbound: `All traffic` (the default is fine).
- Modify the existing Security Group for your EC2 instances:
  - Remove any inbound rule that opens port `8080` to the world (`0.0.0.0/0`).
  - Add a new inbound rule: `Custom TCP` on port `8080` → Source: `SG-ALB` (you can type the ID of the ALB's security group here).
  - Keep the inbound rule for `SSH` on port `22` open only to your IP address.
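As an added example (not part of this wiki or the course material), here is a small Python audit of security groups in the shape returned by `aws ec2 describe-security-groups` / boto3 that checks the three points above: port 8080 must be reachable only from `SG-ALB`, no CIDR may open 8080, and SSH must be limited to a single /32. The group IDs and the sample rules are constructed placeholders, and `alb_to_app_rule` builds the `IpPermissions` entry you would pass to `authorize_security_group_ingress` for the ALB-to-instance rule.

```python
from ipaddress import ip_network

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output. Group IDs are placeholders, not real resources.
SG_ALB_ID = "sg-placeholder-alb"
SAMPLE_GROUPS = [
    {"GroupId": SG_ALB_ID, "GroupName": "SG-ALB", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-placeholder-ec2", "GroupName": "SG-EC2", "IpPermissions": [
        # leftover rule the wiki says to remove: 8080 open to the world
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # the intended rule: 8080 only from the ALB's security group
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": SG_ALB_ID}]},
        # SSH open to a whole /24 instead of a single /32
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

def alb_to_app_rule(alb_sg_id, app_port=8080):
    """IpPermissions entry for 'Custom TCP <app_port>, source SG-ALB'."""
    return {"IpProtocol": "tcp", "FromPort": app_port, "ToPort": app_port,
            "UserIdGroupPairs": [{"GroupId": alb_sg_id}]}

def _covers(perm, port):
    """True if the rule includes this TCP port (protocol -1 means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_ec2_group(group, alb_sg_id, app_port=8080):
    """Findings for a backend group: the app port must be reachable only from
    SG-ALB, and SSH only from single-host CIDRs. Empty list means clean."""
    findings = []
    for perm in group["IpPermissions"]:
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        if _covers(perm, app_port):
            for c in cidrs:
                findings.append(f"port {app_port} open to CIDR {c}; only {alb_sg_id} should reach it")
            for g in groups:
                if g != alb_sg_id:
                    findings.append(f"port {app_port} open to unexpected group {g}")
        if _covers(perm, 22):
            for c in cidrs:
                if ip_network(c, strict=False).num_addresses > 1:
                    findings.append(f"SSH (22) open to {c}; restrict it to a single /32")
    return findings
```

Running `audit_ec2_group(SAMPLE_GROUPS[1], SG_ALB_ID)` reports the world-open 8080 rule and the /24 SSH rule, while a group containing only `alb_to_app_rule(SG_ALB_ID)` and a /32 SSH rule comes back clean.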
🔎 Why This is a Good Idea
- It's an AWS security best practice: Never expose your backend instances' application ports directly to the internet.
- If you don't do this → Anyone who finds your EC2 instance's public IP can attack it directly, bypassing the load balancer and any protections it offers (e.g., DDoS, brute-force attacks, application exploits).
- If you do this → The only public entry point to your application is the ALB. This allows you to centralize security and add further layers of protection like AWS WAF (Web Application Firewall), HTTPS, and rate limiting.