In AWS VPCs, AWS Security Groups act as virtual firewalls, controlling the traffic for one or more stacks (an instance or a set of instances). When a stack is launched, it's associated with one or more security groups, which determine what traffic is allowed to reach it:
For stacks in your public subnets, the default security groups accept HTTP (80) and HTTPS (443) traffic from all locations (the internet). The stacks also accept internal SSH and RDP traffic from your corporate network and from AWS bastions. Those stacks can then egress through any port to the internet. They can also egress to your private subnets and to other stacks in your public subnet.
Stacks in your private subnets can egress to any other stack in your private subnet, and instances within a stack can fully communicate over any protocol with each other.
Important
The default security group for stacks on private subnets allows all stacks in your private subnet to communicate with other stacks in that private subnet. If you want to restrict communications between stacks within a private subnet, you must create new security groups that describe the restriction. For example, if you want to restrict communications to a database server so that the stacks in that private subnet can only communicate from a specific application server over a specific port, request a special security group. How to do so is described in this section.
Default Security Groups
The following table describes the default inbound security group (SG) settings for your stacks. The SG is named "SentinelDefaultSecurityGroupPrivateOnly-vpc-ID", where ID is a VPC ID in your AMS multi-account landing zone account. All traffic is allowed outbound to "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly" via this security group (all local traffic within stack subnets is allowed). All traffic is allowed outbound to 0.0.0.0/0 by a second security group, "SentinelDefaultSecurityGroupPrivateOnly".
Tip
If you're choosing a security group for an AMS change type, such as EC2 create or OpenSearch create domain, use one of the default security groups described here or a security group that you created. You can find the list of security groups, per VPC, in either the AWS EC2 console or the VPC console.
There are additional default security groups that are used for internal AMS purposes.
| Type | Protocol | Port range | Source |
|---|---|---|---|
| All traffic | All | All | SentinelDefaultSecurityGroupPrivateOnly (restricts outbound traffic to members of the same security group) |
| All traffic | All | All | SentinelDefaultSecurityGroupPrivateOnlyEgressAll (does not restrict outbound traffic) |
| HTTP, HTTPS, SSH, RDP | TCP | 80 / 443 (Source 0.0.0.0/0); SSH and RDP access is allowed from bastions | SentinelDefaultSecurityGroupPublic (does not restrict outbound traffic) |
| MALZ bastions: | | | |
| SSH | TCP | 22 | SharedServices VPC CIDR and DMZ VPC CIDR, plus Customer-provided on-prem CIDRs |
| SSH | TCP | 22 | |
| RDP | TCP | 3389 | |
| RDP | TCP | 3389 | |
| SALZ bastions: | | | |
| SSH | TCP | 22 | mc-initial-garden-LinuxBastionSG |
| SSH | TCP | 22 | mc-initial-garden-LinuxBastionDMZSG |
| RDP | TCP | 3389 | mc-initial-garden-WindowsBastionSG |
| RDP | TCP | 3389 | mc-initial-garden-WindowsBastionDMZSG |
Create, Change, or Delete Security Groups
You can request custom security groups. In cases where the default security groups do not meet the needs of your applications or your organization, you can modify or create new security groups. Such a request would be considered approval-required and would be reviewed by the AMS operations team.
To create a security group outside of stacks and VPCs, submit an RFC using the Management | Other | Other | Create CT (ct-1e1xtak34nx76).
To add or remove a user from an Active Directory (AD) security group, submit a request for change (RFC) using the Management | Other | Other | Update CT (ct-0xdawir96cy7k).
Note
When using "review required" CTs, AMS recommends that you use the ASAP Scheduling option (choose ASAP in the console, leave start and end time blank in the API/CLI) as these CTs require an AMS operator to examine the RFC, and possibly communicate with you before it can be approved and run. If you schedule these RFCs, be sure to allow at least 24 hours. If approval does not happen before the scheduled start time, the RFC is rejected automatically.
Find Security Groups
To find the security groups attached to a stack or instance, use the EC2 console. After finding the stack or instance, you can see all security groups attached to it.
For ways to find security groups at the command line and filter the output, see describe-security-groups.