From the very beginning, Amazon AWS introduced a security concept called Security Groups in its Elastic Compute Cloud (EC2). Every virtual instance must be linked to one or more security groups when it is launched. A security group consists of a set of rules (called permissions) that describe who can access the instances and how. The rules specify port ranges, protocols, and source IP address ranges, and are thus very close to firewall rules.
But security groups are even more powerful, since a rule can also grant access to another security group (instead of an IP address range). This makes it possible to divide an infrastructure into different security zones (such as a DMZ versus a Critical Zone) with precise security policies and perimeters.
As far as I could see, there are three major functionalities missing from Security Groups:
- rules can only restrict incoming traffic, not outgoing
- lack of reporting (at least some logging)
- lack of blacklisting to drop/reject malicious IP addresses
The first one (no rules for outgoing traffic) is important because egress rules limit what an attacker who gains control of a service can do: without them, that service has unrestricted outbound connectivity. A workaround is to add a host-level firewall such as iptables on every virtual instance. The second missing feature (access logs) would help to identify attackers that use port scanners. EC2 may detect and ban some of them, but there is no information on the granularity of that detection and a total lack of transparency for the EC2 customer. The third missing feature (blacklisting) would make it possible to identify IP addresses that showed malicious behaviour in one zone (security group) and ban them from all other zones (security groups). This would allow DDoS (Distributed Denial of Service) attacks to be contained quickly, before they reach other servers.
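As an added example (not code from the original post), here is the kind of host-level egress policy the iptables workaround above implies: a default-deny OUTPUT chain on the instance that only allows established sessions, DNS and an explicit list of destinations, and logs every dropped outbound packet, which also gives a little of the visibility the logging point asks for. The destination list, the DNS allowance and the `IPT` variable (set `IPT=echo` to print the rules instead of applying them) are assumptions.

```shell
#!/bin/sh
# Default-deny egress policy for a single instance. Requires root to apply;
# IPT=echo prints the rules instead (assumption: dry-run via variable override).
IPT="${IPT:-iptables}"

# apply_egress_policy "cidr:port" ["cidr:port" ...]
# Each argument is a TCP destination this instance is allowed to open.
apply_egress_policy() {
    # Start from an empty OUTPUT chain; the DROP policy is set last so a
    # failure halfway through does not cut off the session applying it.
    $IPT -F OUTPUT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to inbound connections that the security group already admitted.
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS lookups (assumption: resolver reachable over UDP/53).
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    for spec in "$@"; do
        dest="${spec%:*}"      # everything before the last ':' is the CIDR
        port="${spec##*:}"     # everything after it is the port
        $IPT -A OUTPUT -p tcp -d "$dest" --dport "$port" -j ACCEPT
    done
    # Record what the policy blocks; lines land in the kernel log (dmesg/syslog).
    $IPT -A OUTPUT -j LOG --log-prefix "egress-drop: " --log-level 4
    # Everything not matched above is dropped.
    $IPT -P OUTPUT DROP
}

# Apply the policy only when destinations are given on the command line,
# e.g. ./egress.sh 10.0.0.10/32:443 10.0.0.11/32:5432
if [ "$#" -gt 0 ]; then
    apply_egress_policy "$@"
fi
```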
Finally, a remark on another feature that is often cited as missing: an instance cannot change its security groups after launch. I don’t think this should be changed. In terms of security, you should restrict network access before connecting to the network, so that there is no window of vulnerability before everything is up and working. In any case, you can simply relaunch your instance with a new security group containing the new rules.