Security groups
In AWS VPCs, AWS Security Groups act as virtual firewalls, controlling the traffic for one or more stacks (an instance
or a set of instances).
When a stack is launched, it's associated with one or more security groups, which determine what traffic is allowed to
reach it:
For stacks in your public subnets, the default security groups accept traffic from HTTP (80)
and HTTPS (443) from all locations (the internet). The stacks also accept internal
SSH and RDP traffic from your corporate network, and AWS bastions. Those stacks can
then egress through any port to the Internet. They can also egress to your private
subnets and other stacks in your public subnet.
Stacks in your private subnets can egress to any other stack in your private subnet, and instances within a stack can fully communicate
over any protocol with each other.
The default security group for stacks on private subnets allows all stacks in your private
subnet to communicate with other stacks in that private subnet. If you want to restrict
communications between stacks within a private subnet, you must create new security
groups that describe the restriction. For example, if you want to restrict
communications to a database server so that the stacks in that private subnet can only
communicate from a specific application server over a specific port, request a special
security group. How to do so is described in this section.
Default Security Groups
- MALZ
-
The following table describes the default inbound security group (SG) settings for your stacks.
The SG is named "SentinelDefaultSecurityGroupPrivateOnly-vpc-ID" where ID
is a VPC ID in your AMS multi-account landing zone account. All traffic is allowed outbound to "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly" via this security group
(all local traffic within stack subnets is allowed).
All traffic is allowed outbound to 0.0.0.0/0 by a second security group "SentinelDefaultSecurityGroupPrivateOnly".
If you're choosing a security group for an AMS change type, such as EC2 create, or
OpenSearch create domain, you would use one of the default security groups
described here, or a security group that you created. You can find the list of
security groups, per VPC, in either the AWS EC2 console or VPC console.
There are additional default security groups that are used for internal AMS purposes.
|
| Type |
Protocol |
Port range |
Source |
All traffic |
All |
All |
SentinelDefaultSecurityGroupPrivateOnly (restricts outbound traffic to members of the same
security group) |
All traffic |
All |
All |
SentinelDefaultSecurityGroupPrivateOnlyEgressAll (does not restrict outbound traffic) |
HTTP, HTTPS, SSH, RDP |
TCP |
80 / 443 (Source 0.0.0.0/0)
SSH and RDP access is allowed from bastions |
SentinelDefaultSecurityGroupPublic (does not restrict outbound traffic) |
MALZ bastions: |
SSH |
TCP |
22 |
SharedServices VPC CIDR and DMZ VPC CIDR, plus Customer-provided on-prem CIDRs |
SSH |
TCP |
22 |
RDP |
TCP |
3389 |
RDP |
TCP |
3389 |
SALZ bastions: |
SSH |
TCP |
22 |
mc-initial-garden-LinuxBastionSG |
SSH |
TCP |
22 |
mc-initial-garden-LinuxBastionDMZSG |
RDP |
TCP |
3389 |
mc-initial-garden-WindowsBastionSG |
RDP |
TCP |
3389 |
mc-initial-garden-WindowsBastionDMZSG |
- SALZ
-
The following table describes the default inbound security group (SG) settings for your stacks.
The SG is named "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly-ID" where ID
is a unique identifier. All traffic is allowed outbound to "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly" via this security group
(all local traffic within stack subnets is allowed).
All traffic is allowed outbound to 0.0.0.0/0 by a second security group
"mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnlyEgressAll-ID".
If you're choosing a security group for an AMS change type, such as EC2 create, or
OpenSearch create domain, you would use one of the default security groups
described here, or a security group that you created. You can find the list of
security groups, per VPC, in either the AWS EC2 console or VPC console.
There are additional default security groups that are used for internal AMS purposes.
|
| Type |
Protocol |
Port range |
Source |
All traffic |
All |
All |
SentinelDefaultSecurityGroupPrivateOnly (restricts outbound traffic to members of the same
security group) |
All traffic |
All |
All |
SentinelDefaultSecurityGroupPrivateOnlyEgressAll (does not restrict outbound traffic) |
HTTP, HTTPS, SSH, RDP |
TCP |
80 / 443 (Source 0.0.0.0/0)
SSH and RDP access is allowed from bastions |
SentinelDefaultSecurityGroupPublic (does not restrict outbound traffic) |
MALZ bastions: |
SSH |
TCP |
22 |
SharedServices VPC CIDR and DMZ VPC CIDR, plus Customer-provided on-prem CIDRs |
SSH |
TCP |
22 |
RDP |
TCP |
3389 |
RDP |
TCP |
3389 |
SALZ bastions: |
SSH |
TCP |
22 |
mc-initial-garden-LinuxBastionSG |
SSH |
TCP |
22 |
mc-initial-garden-LinuxBastionDMZSG |
RDP |
TCP |
3389 |
mc-initial-garden-WindowsBastionSG |
RDP |
TCP |
3389 |
mc-initial-garden-WindowsBastionDMZSG |
Create, Change, or Delete Security Groups
You can request custom security groups. In cases where the default security groups do not meet the needs of your applications or your organization,
you can modify or create new security groups. Such a request would be considered approval-required and would be reviewed by the AMS operations team.
To create a security group outside of stacks and VPCs, submit an RFC using the Management | Other | Other | Create CT (ct-1e1xtak34nx76).
To add or remove a user from an Active Directory (AD) security group, submit a request
for change (RFC) using the Management | Other | Other | Update CT
(ct-0xdawir96cy7k).
When using "review required" CTs, AMS recommends that you use the ASAP Scheduling option
(choose ASAP in the console, leave start and end time blank in the API/CLI) as these CTs require an AMS operator to examine the RFC, and
possibly communicate with you before it can be approved and run. If you schedule these RFCs, be sure to allow at least 24 hours. If approval does not
happen before the scheduled start time, the RFC is rejected automatically.
Find Security Groups
To find the security groups attached to a stack or instance, use the EC2 console. After finding the stack or instance, you can
see all security groups attached to it.
For ways to find security groups at the command line and filter the output, see describe-security-groups.
