EC2 Security Groups

Introduction to Security Groups

An EC2 security group is a set of firewall rules that can be applied to EC2 instances. Each rule specifies a protocol (TCP or UDP), a starting and ending port number, and an optional network (a source address range). When a group is applied to a system, only traffic matching at least one of the rules is allowed through; all other traffic is dropped.

In addition, a security group can list other groups from which traffic is allowed, regardless of port or address. Such an entry matches any other EC2 system that belongs to one of the listed groups. This feature is useful for allowing arbitrary connections between your own machines while applying stricter restrictions to all other systems.

By default, every EC2 account has a security group named default that allows connections on a limited number of ports. When you create a system, Cloudmin will create a group named virtualmin that allows all the ports typically used for web hosting, such as 110, 80, 443 and 25.

Editing a Security Group

If you want to change the rules for an existing group, the steps to take are:

  1. Go to Amazon EC2 -> EC2 Security Groups, and click on the group you want to edit.
  2. On the page that appears, all current rules will be listed. You can change the port range, protocol or allowed addresses of any rule, or use the empty row at the bottom to add a new rule.
  3. To allow network traffic from systems on some other group (or this group), select an EC2 account in the Allowed security groups section and enter the group name in the adjacent field.
  4. Click the Save button to activate your changes.

To create a new group, go to the EC2 Security Groups page and click the Create group for link for the EC2 account you want to add it under. Then fill in the rules form with the protocols and ports to accept. Make sure you allow at least port 22 (for SSH) and port 10000 (for Webmin), or Cloudmin's access to systems using this security group may be blocked.

To delete a security group that is not in use, check the box next to it on the EC2 Security Groups page and hit the Delete Selected Security Groups button.

Applying a Security Group

A security group can be selected when creating a new EC2 system, using the EC2 security groups field under Advanced options. You can choose several groups, in which case traffic matching a rule from any of them will be allowed. If you have multiple EC2 accounts in Cloudmin, only groups belonging to the account selected to own the new system can be used.

If no security group is chosen, only the default group will be used. If a group is changed after system creation (for example, to add a new port), the change is applied immediately to all virtual systems using that group. However, there is no way to select different groups for a system after it has been created.
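The matching behaviour this page describes (protocol, port-range and address rules; trust of other security groups regardless of port or address; the union of rules across several groups applied to one system) and the advice that ports 22 and 10000 must stay open for Cloudmin can be checked offline with the small model below. This is an added example written for this page, not Cloudmin's or AWS's own code. The group contents, the address ranges and the missing_cloudmin_ports helper are constructed for illustration; only the port numbers are taken from the text.

```python
"""Offline model of EC2 security-group matching as described on this page.

Assumptions (constructed for this example, not Cloudmin or AWS code):
- a rule is (protocol, from_port, to_port, optional CIDR); CIDR None means any address
- source-group trust is modelled by tagging each sender with the groups it belongs to
- the sample groups below are made up; only the port numbers come from the text
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str               # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: Optional[str] = None  # None: no address restriction


@dataclass
class SecurityGroup:
    name: str
    rules: list[Rule] = field(default_factory=list)
    # Peer groups whose members are trusted regardless of port or address.
    allowed_groups: set[str] = field(default_factory=set)


@dataclass
class Packet:
    protocol: str
    port: int
    src_ip: str
    # Security groups of the sending EC2 instance, if the sender is one.
    src_groups: frozenset = frozenset()


def allowed(groups: list[SecurityGroup], pkt: Packet) -> bool:
    """True if any applied group permits pkt; otherwise the packet is dropped."""
    for g in groups:
        # Group-to-group trust matches regardless of protocol, port or address.
        if g.allowed_groups & pkt.src_groups:
            return True
        for r in g.rules:
            if r.protocol != pkt.protocol:
                continue
            if not (r.from_port <= pkt.port <= r.to_port):
                continue
            if r.cidr is not None and ip_address(pkt.src_ip) not in ip_network(r.cidr):
                continue
            return True
    return False  # default deny: nothing matched


# Ports the page says Cloudmin needs: 22 (SSH) and 10000 (Webmin).
CLOUDMIN_REQUIRED = {22, 10000}


def missing_cloudmin_ports(groups: list[SecurityGroup], src_ip: str = "203.0.113.10") -> set[int]:
    """Required ports that no applied group opens for TCP from src_ip (assumed Cloudmin address)."""
    return {p for p in CLOUDMIN_REQUIRED if not allowed(groups, Packet("tcp", p, src_ip))}


# Constructed sample groups. Ports from the text; address ranges are made up (RFC 5737 space).
VIRTUALMIN = SecurityGroup("virtualmin",
                           rules=[Rule("tcp", p, p) for p in (22, 25, 80, 110, 443, 10000)])
WEB_ONLY = SecurityGroup("web-only", rules=[Rule("tcp", 80, 80), Rule("tcp", 443, 443)])
INTERNAL = SecurityGroup("internal",
                         rules=[Rule("tcp", 10000, 10000, "192.0.2.0/24")],
                         allowed_groups={"virtualmin"})

if __name__ == "__main__":
    for grp in (VIRTUALMIN, WEB_ONLY, INTERNAL):
        gap = missing_cloudmin_ports([grp])
        print(f"{grp.name}: missing Cloudmin ports {sorted(gap) or 'none'}")
    peer = Packet("udp", 5000, "10.0.0.5", frozenset({"virtualmin"}))
    print("virtualmin member reaching internal on udp/5000:", allowed([INTERNAL], peer))
```

Running the script reports that web-only would block both Cloudmin ports, that internal opens 10000 only from its own address range, and that a member of virtualmin reaches internal on an arbitrary UDP port through group trust alone. The same evaluator, given every group you plan to select for a new system, shows the union behaviour described under Applying a Security Group.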