Security groups - AMS Advanced User Guide

Security groups

In AWS VPCs, AWS Security Groups act as virtual firewalls, controlling the traffic for one or more stacks (an instance or a set of instances). When a stack is launched, it's associated with one or more security groups, which determine what traffic is allowed to reach it:

  • For stacks in your public subnets, the default security groups accept traffic from HTTP (80) and HTTPS (443) from all locations (the internet). The stacks also accept internal SSH and RDP traffic from your corporate network, and AWS bastions. Those stacks can then egress through any port to the Internet. They can also egress to your private subnets and other stacks in your public subnet.

  • Stacks in your private subnets can egress to any other stack in your private subnet, and instances within a stack can fully communicate over any protocol with each other.

Important

The default security group for stacks on private subnets allows all stacks in your private subnet to communicate with other stacks in that private subnet. If you want to restrict communications between stacks within a private subnet, you must create new security groups that describe the restriction. For example, if you want to restrict communications to a database server so that the stacks in that private subnet can only communicate from a specific application server over a specific port, request a special security group. How to do so is described in this section.

Default Security Groups

MALZ

The following table describes the default inbound security group (SG) settings for your stacks. The SG is named "SentinelDefaultSecurityGroupPrivateOnly-vpc-ID" where ID is a VPC ID in your AMS multi-account landing zone account. All traffic is allowed outbound to "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly" via this security group (all local traffic within stack subnets is allowed).

All traffic is allowed outbound to 0.0.0.0/0 by a second security group "SentinelDefaultSecurityGroupPrivateOnly".

Tip

If you're choosing a security group for an AMS change type, such as EC2 create, or OpenSearch create domain, you would use one of the default security groups described here, or a security group that you created. You can find the list of security groups, per VPC, in either the AWS EC2 console or VPC console.

There are additional default security groups that are used for internal AMS purposes.

AMS default security groups (inbound traffic)
Type Protocol Port range Source

All traffic

All

All

SentinelDefaultSecurityGroupPrivateOnly (restricts outbound traffic to members of the same security group)

All traffic

All

All

SentinelDefaultSecurityGroupPrivateOnlyEgressAll (does not restrict outbound traffic)

HTTP, HTTPS, SSH, RDP

TCP

80 / 443 (Source 0.0.0.0/0)

SSH and RDP access is allowed from bastions

SentinelDefaultSecurityGroupPublic (does not restrict outbound traffic)

MALZ bastions:

SSH

TCP

22

SharedServices VPC CIDR and DMZ VPC CIDR, plus Customer-provided on-prem CIDRs

SSH

TCP

22

RDP

TCP

3389

RDP

TCP

3389

SALZ bastions:

SSH

TCP

22

mc-initial-garden-LinuxBastionSG

SSH

TCP

22

mc-initial-garden-LinuxBastionDMZSG

RDP

TCP

3389

mc-initial-garden-WindowsBastionSG

RDP

TCP

3389

mc-initial-garden-WindowsBastionDMZSG

SALZ

The following table describes the default inbound security group (SG) settings for your stacks. The SG is named "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly-ID" where ID is a unique identifier. All traffic is allowed outbound to "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnly" via this security group (all local traffic within stack subnets is allowed).

All traffic is allowed outbound to 0.0.0.0/0 by a second security group "mc-initial-garden-SentinelDefaultSecurityGroupPrivateOnlyEgressAll-ID".

Tip

If you're choosing a security group for an AMS change type, such as EC2 create, or OpenSearch create domain, you would use one of the default security groups described here, or a security group that you created. You can find the list of security groups, per VPC, in either the AWS EC2 console or VPC console.

There are additional default security groups that are used for internal AMS purposes.

AMS default security groups (inbound traffic)
Type Protocol Port range Source

All traffic

All

All

SentinelDefaultSecurityGroupPrivateOnly (restricts outbound traffic to members of the same security group)

All traffic

All

All

SentinelDefaultSecurityGroupPrivateOnlyEgressAll (does not restrict outbound traffic)

HTTP, HTTPS, SSH, RDP

TCP

80 / 443 (Source 0.0.0.0/0)

SSH and RDP access is allowed from bastions

SentinelDefaultSecurityGroupPublic (does not restrict outbound traffic)

MALZ bastions:

SSH

TCP

22

SharedServices VPC CIDR and DMZ VPC CIDR, plus Customer-provided on-prem CIDRs

SSH

TCP

22

RDP

TCP

3389

RDP

TCP

3389

SALZ bastions:

SSH

TCP

22

mc-initial-garden-LinuxBastionSG

SSH

TCP

22

mc-initial-garden-LinuxBastionDMZSG

RDP

TCP

3389

mc-initial-garden-WindowsBastionSG

RDP

TCP

3389

mc-initial-garden-WindowsBastionDMZSG

Create, Change, or Delete Security Groups

You can request custom security groups. In cases where the default security groups do not meet the needs of your applications or your organization, you can modify or create new security groups. Such a request would be considered approval-required and would be reviewed by the AMS operations team.

To create a security group outside of stacks and VPCs, submit an RFC using the Management | Other | Other | Create CT (ct-1e1xtak34nx76).

To add or remove a user from an Active Directory (AD) security group, submit a request for change (RFC) using the Management | Other | Other | Update CT (ct-0xdawir96cy7k).

Note

When using "review required" CTs, AMS recommends that you use the ASAP Scheduling option (choose ASAP in the console, leave start and end time blank in the API/CLI) as these CTs require an AMS operator to examine the RFC, and possibly communicate with you before it can be approved and run. If you schedule these RFCs, be sure to allow at least 24 hours. If approval does not happen before the scheduled start time, the RFC is rejected automatically.

Find Security Groups

To find the security groups attached to a stack or instance, use the EC2 console. After finding the stack or instance, you can see all security groups attached to it.

For ways to find security groups at the command line and filter the output, see describe-security-groups.