简体繁体 English

AWS 云中的安全组

[英]Security Group in AWS Cloud

原文 2022-12-31 17:27:01 3 2 security/ amazon-ec2/ outbound/ inbound-security-rule

As we know security groups are statefull in AWS Cloud.正如我们所知，安全组在 AWS 云中是有状态的。 while launching ec2 instances when we allow inbound rules for specific port it must allow that specific traffic at outbound instead it will allowing all tarffic why is this so?当我们允许特定端口的入站规则时启动 ec2 实例时，它必须允许出站的特定流量，而不是允许所有 tarffic 为什么会这样？

launched ec2 instance in inbound I allowed ssh at port 22 and http at port 80 https at port 443 in outbound it automatically allowed all traffic instead of these three protocol在入站中启动 ec2 实例我允许 ssh 在端口 22 和 http 在端口 80 https 在端口 443 在出站它自动允许所有流量而不是这三个协议

2 个解决方案

A security group controls the traffic that is allowed to reach and leave your EC2 instance.安全组控制允许到达和离开您的 EC2 实例的流量。 Did you use default SG?您是否使用默认 SG？ By default, SG Allows all outbound IPv4 and IPv6 traffic.默认情况下，SG 允许所有出站 IPv4 和 IPv6 流量。

So if you need, you could manually deny all outbound traffic and allow only 80 443 and 22 ports.因此，如果需要，您可以手动拒绝所有出站流量并仅允许 80 443 和 22 端口。

A few points:几点：

As you said, security groups are stateful.正如您所说，安全组是有状态的。 If a SG rule allows a request to reach an instance, then the response can go out.如果 SG 规则允许请求到达实例，则响应可以 go 出。
Outbound rules are for traffic originating from your instance.出站规则适用于源自您的实例的流量。 It controls what IPs the instances within the SG can talk to.它控制 SG 中的实例可以与之通信的 IP。 They don't apply to responses for incoming requests.它们不适用于传入请求的响应。
The predefined rules in the web console are just there for your convenience, using the commonly used ports for HTTP/HTTPS/SSH and so on. web 控制台中的预定义规则只是为了您的方便，使用 HTTP/HTTPS/SSH 等常用端口。 The actual rules that apply are for TCP traffic on these specific ports.适用的实际规则适用于这些特定端口上的 TCP 流量。