
I recently stumbled upon a firewall issue with my EC2 instance. The TCP port was made available to everyone via the EC2 Security Group; however, there was still instance-side filtering using iptables. I figured that, if anything, Security Groups were just a fancy API for iptables. It turns out they run completely separately from each other, from what I can tell. Is there any reason to use both? One firewall should be plenty, and adding another layer of complexity seems like a headache just waiting to happen.

In the meantime, I'm contemplating either opening up all ports in my Security Group and doing all filtering via iptables, or the inverse: disabling iptables and using Security Group filtering.

Any feedback on whether or not my logic here is flawed? Am I missing something critical?

imaginative

3 Answers


The security groups add no load to your server: they are processed externally and block traffic to and from your server, independently of it. This provides an excellent first line of defense that is much more resilient than the one residing on your server.

However, security groups are not state-sensitive; you cannot have them respond automatically to an attack, for instance. iptables is well suited to more dynamic rules, either adapting to certain scenarios or providing finer-grained conditional control.

Ideally you should use both, so that they complement each other: block every port you can with your security group, and use iptables to police the remaining ports and protect against attacks.

cyberx86
  • Point of interest (9 years after the answer): security groups and NACLs are processed on the instance hardware, likely in the nitro hardware on modern instances. In the event of a volumetric attack NACLs can be pushed out to the network edge to scale the attack mitigation, for example on CloudFront. – Tim Jul 16 '20 at 20:56
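The layered setup this answer recommends, as an added example that is not part of the original answer or of any AWS documentation: the security group admits only tcp/22 (from an admin range), 80 and 443, and instance-side iptables adds the stateful, per-source rate limiting the group cannot express. `SG_ID` and `ADMIN_CIDR` are placeholders (the default admin range is the TEST-NET-3 documentation block); the `recent` rule drops the fourth new SSH connection from one address within 60 seconds. IPv4 only; ip6tables needs its own ruleset.

```shell
#!/bin/sh
# Added example (not from the original answer): EC2 security group as the
# outer allow-list, iptables as the inner stateful layer.
# Placeholders: SG_ID (group id) and ADMIN_CIDR (who may reach SSH).

SG_ID="${SG_ID:-sg-0123456789abcdef0}"      # placeholder group id
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"  # placeholder admin range (TEST-NET-3)

# Layer 1: the security group. Only these three rules exist; everything else
# is denied by the group's implicit default. Printed rather than run so the
# calls can be reviewed first.
sg_commands() {
    cat <<EOF
aws ec2 authorize-security-group-ingress --group-id $SG_ID --protocol tcp --port 22 --cidr $ADMIN_CIDR
aws ec2 authorize-security-group-ingress --group-id $SG_ID --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id $SG_ID --protocol tcp --port 443 --cidr 0.0.0.0/0
EOF
}

# Layer 2: iptables in iptables-restore format. Default-deny INPUT, allow
# loopback and established flows, drop INVALID packets, and throttle new SSH
# connections per source address with the recent module: --set records the
# source, --update --hitcount 4 --seconds 60 matches once that source has
# opened 4 new connections in a minute, so the 4th and later ones are dropped.
iptables_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Apply the instance-side layer atomically: iptables-restore loads the whole
# ruleset or nothing, so there is no half-applied state.
apply_iptables() {
    iptables_rules | iptables-restore
}

# Usage: sh layered.sh        (print both layers for review)
#        sh layered.sh apply  (load the iptables layer; needs root)
case "${1:-}" in
    apply) apply_iptables ;;
    *)     sg_commands; echo; iptables_rules ;;
esac
```

Keep a second SSH session open while applying: with an INPUT DROP policy, a mistake in the instance-side layer cannot be undone from the security group, because the group never sees these rules. The OUTPUT ACCEPT policy plus the ESTABLISHED rule means outbound-initiated agents (SSM, package updates) keep working.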

Think of the security group as a hardware firewall in a normal networking scenario. I guess you wouldn't really have to use both unless you had a special scenario, for example: you have a security group called webservers that controls access to your web servers. You want to block an IP from hitting port 80 on one of those servers but not all of them. So what you would want to do is go into iptables on that one server and do the block there, as opposed to doing it in the security group, which would apply to all the servers in that group.

BenGC
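The per-host exception this answer describes, as an added example that is not part of the original answer: block one source from port 80 on this server only, leaving the shared security group untouched. The address check, the `iptables -C` idempotency test and the `DRY_RUN` switch are this example's own choices; `198.51.100.7` is a constructed sample address from the TEST-NET-2 documentation block.

```shell
#!/bin/sh
# Added example (not from the original answer): block a single source on one
# host via iptables instead of in the shared security group.
# DRY_RUN=1 prints the iptables commands instead of executing them.

# Reject anything that is not a dotted-quad with an optional /prefix, so a
# typo or a hostile string never reaches the iptables command line.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert the DROP at the top of INPUT so it wins over any later ACCEPT for
# the port. iptables -C succeeds if an identical rule already exists, so
# re-running the script does not stack duplicate rules.
block_on_port() {
    src="$1"; port="${2:-80}"
    valid_cidr "$src" || { echo "bad address: $src" >&2; return 2; }
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C INPUT -p tcp --dport "$port" -s "$src" -j DROP 2>/dev/null; then
        echo "already blocked: $src on tcp/$port"
        return 0
    fi
    run iptables -I INPUT -p tcp --dport "$port" -s "$src" -j DROP
}

# Remove the matching rule again once the block is no longer needed.
unblock_on_port() {
    src="$1"; port="${2:-80}"
    valid_cidr "$src" || { echo "bad address: $src" >&2; return 2; }
    run iptables -D INPUT -p tcp --dport "$port" -s "$src" -j DROP
}

# Usage: DRY_RUN=1 sh hostblock.sh block 198.51.100.7 80
#        sh hostblock.sh unblock 198.51.100.7 80   (needs root)
case "${1:-}" in
    block)   block_on_port "$2" "${3:-80}" ;;
    unblock) unblock_on_port "$2" "${3:-80}" ;;
esac
```

The rule lives only in the running kernel; if the instance is rebooted it is gone unless you save it with the persistence mechanism your distribution uses for iptables, which is exactly the kind of host-local state the security group never has to worry about.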

They're both reasonably easy to set up, and having both set up provides protection against an exploit or flaw in one of them.

ceejayoz