
Ec2_security_groups


New

To create a new security group, the following information must be provided:

  • Owner - Ownership of cloud resources is based upon the AWS account number.
  • Group Name - A short nickname of the security group.
  • Group Description - A short description of the security group.
  • Scope - Select 'Standard' if you are working with a non-VPC cloud. Select 'VPC' (Virtual Private Cloud) if you are creating an isolated, private section of AWS Cloud where you can create virtual network environments, subnets, and other advanced security features.
  • Permissions - You can choose some basic ports to have open. Once you create the security group, you can edit it and open other ports.
Clouds > AWS Region > EC2 Security Groups > New

Index

Security Groups are essentially firewalls for EC2 servers. Each group defines which ports are opened in Amazon's firewall to allow incoming connections to your instance. When you launch an EC2 server, you must assign it at least one security group. Amazon security groups are EC2 region-specific (i.e. you cannot assign a server in EC2-EU a security group that you defined in EC2-US). In order for servers to communicate with one another, you must assign them the same security group(s). You can also assign multiple security groups to a single server to create an additional layer of security. For example, you might not want your frontend load balancers to have the same level of access to your database as your application servers. Therefore, you create and assign one security group that allows the load balancers to communicate with your application servers, while a different security group allows the application servers to communicate with your database servers.

Security groups are especially useful if you have multiple deployments that require different levels of accessibility. For example, you might want to create separate security groups for public and private deployments. The "Production" deployment will be accessible to the public and have ports 22 and 80 open, whereas the "Staging" deployment is used for internal development/testing and should be closed to the public.

All security groups must have port 22 open in order to support root-level access to your machine via SSH. Port 80 needs to be open in order to make the web server open to the public. If you need SSL, you will need to add port 443. If there are other services that need to be publicly accessible, you'll also need to create the appropriate open ports. Use CIDR notation to control the range of IP addresses that will be allowed access. 0.0.0.0/0 (default) allows access from any IP address, whereas 0.0.0.0/32 (a single-address range that no real client can match) effectively denies access to all IP addresses.

Note: You can only create a security group with a Developer or Premium account.

Clouds > AWS Region > EC2 Security Groups > Index


Show

View or edit basic information about the security group including who created the security group and its current open port settings. If you need SSL, you will need to add port 443. If there are other services that need to be publicly accessible, you'll also need to create the appropriate open ports. Use CIDR notation to control the range of IP addresses that will be allowed access. 0.0.0.0/0 (default) allows access to any IP address whereas 0.0.0.0/32 denies access to all IP addresses. Specify the following settings for your security group:

  • Protocol type (TCP, UDP, ICMP)
  • IP address (specific IP or any IP)
  • Port (specific port, port range, or any port)
  • Allow access for other defined security groups

If you wish to deny access, simply revoke (delete/remove) the permission; security groups contain allow rules only. You can also add a group, in which case the permissions defined in the other security group are inherited. Simply specify the name of an existing security group (within the same EC2 region). Be careful: any change to the added group takes effect immediately. Therefore, it's better to manage permissions by assigning multiple security groups to a server instead of nesting security group permissions within each other.
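The following is an added example, not part of this help page or of RightScale's code, that models how the permission settings listed above (protocol, port, CIDR or source group) are evaluated, including the CIDR behaviour described in the Index section: an instance carrying several groups accepts a connection if any rule in any of its groups matches, 0.0.0.0/0 admits everyone, and 0.0.0.0/32 admits nobody. The group names and IP ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One inbound permission: protocol, port range, and either a CIDR or a source group."""
    protocol: str                        # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    cidr: Optional[str] = None           # e.g. "0.0.0.0/0"; None when source_group is set
    source_group: Optional[str] = None   # name of another group in the same region


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


def rule_matches(rule, protocol, port, src_ip, src_groups):
    """True if a single rule admits a connection from src_ip (a member of src_groups)."""
    if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        # 0.0.0.0/0 contains every address; 0.0.0.0/32 contains only 0.0.0.0,
        # which no real client uses, so the rule never admits anyone.
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    # Group-based rule: the connecting instance must belong to the named group.
    return rule.source_group in src_groups


def is_allowed(groups, protocol, port, src_ip, src_groups=frozenset()):
    """Security groups are allow-only: with several groups attached, a connection is
    accepted if ANY rule in ANY group matches. Denying means revoking the rule."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for g in groups for r in g.rules)


# Constructed sample groups (the "Production" / "Staging" split from the text).
OFFICE_CIDR = "203.0.113.0/24"   # hypothetical admin network
PRODUCTION = SecurityGroup("production", [
    Rule("tcp", 22, 22, cidr=OFFICE_CIDR),     # SSH only from the office range
    Rule("tcp", 80, 80, cidr="0.0.0.0/0"),     # public web
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),   # public SSL
])
STAGING = SecurityGroup("staging", [
    Rule("tcp", 22, 22, cidr="0.0.0.0/32"),    # effectively closed to everyone
])
APP_SERVERS = SecurityGroup("app-servers", [
    Rule("tcp", 8080, 8080, source_group="load-balancers"),  # only from the LB group
])
```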

Note: You cannot launch an instance that references a deleted security group.

Clouds > AWS Region > EC2 Security Groups > Show

Audit Entries tab

Action Buttons

  • Delete - Delete the Security Group from the account.

Fields

  • Timestamp - A timestamp of when the action was performed. Date and time are based upon the time zone that's defined in your user settings (Settings > User > Preferences). Click a timestamp to highlight any audit entries that were created at the particular time.

  • Subject - The name of the Security Group.
  • User - If a user manually performed an action within the Dashboard the user's email will be listed. If an alert escalation triggered an action, such as an email or relaunching a server, the user will be alerter@rightscale.com. Otherwise it will be labeled "N/A" (not applicable).
  • Summary - View a detailed audit entry of the task. Useful for troubleshooting.
Clouds > AWS Region > Security Groups > Audit Entries

Info tab

Action Buttons

  • Delete - Delete the Security Group from the account.

Fields

  • Description - User-defined description of the Security Group.
  • Owner - The user that created the Security Group. For EC2, the owner of the security group is the AWS Account Number, not the specific user who created the security group.
  • ID - The resource ID for the Security Group. You can use this value or the security group name to add a group firewall permission.
  • Created - The timestamp of when the Security Group was created.
  • Updated - The timestamp of when the Security Group was last updated.
  • Permissions - A list of the permissions allowed for the security group.
Clouds > AWS Region > Security Groups > Info tab
Last Modified
23:26, 16 May 2013
