Currently I am using only an AWS security group for one of my EC2 instances but have given some thought to adding a firewall to that stack as well. I'd be looking at using either iptables, or possibly migrating the entire system to Ubuntu (not related to this problem) so might just end up using ufw.

If I leave this machine protected using only the security group, am I missing out on some protection? I haven't been able to get a good feel for its level of protection when compared to a traditional *nix software firewall.

John Carter

1 Answer

If there's ever a bug or exploit in AWS's security groups implementation, you might wind up vulnerable where having iptables or something similar would've protected you.

ceejayoz
  • Right. This was my guess. So really iptables/similar just have a better track record, there's nothing inherently different/flawed with AWS's 'firewall' (i.e. security groups)? – John Carter Aug 27 '12 at 19:47
  • I've never heard of an issue with the AWS security groups failing thus far, and as it runs at a higher level than the instance it's theoretically better. That said, "defense in depth" is a good idea, and you're rarely going to be hurt by being over-cautious by running both. – ceejayoz Aug 27 '12 at 19:58
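One way to get the "run both" defense in depth the answer and comments describe is to derive the host firewall from the security group itself, so the two layers enforce the same inbound policy. The script below is an added example, not code from the thread or from AWS: it takes a security group in the JSON shape returned by `aws ec2 describe-security-groups` (the sample group, its `sg-EXAMPLE` id and its CIDRs are constructed for the demo) and emits an equivalent default-deny `iptables-restore` ruleset.

```python
"""Translate an EC2 security group's inbound rules into an equivalent
iptables-restore ruleset, so the instance keeps the same policy even if
the security-group layer fails or is misconfigured.

Added example, not from the original thread. SAMPLE_SG is constructed by
hand in the shape of `aws ec2 describe-security-groups` output."""
import json

# Constructed sample: SSH from one office range, HTTPS from anywhere,
# ICMP from the private network. sg-EXAMPLE is a placeholder id.
SAMPLE_SG = json.dumps({
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
})


def sg_to_iptables(sg_json: str) -> list:
    """Return iptables-restore lines: INPUT defaults to DROP (a security
    group is also deny-by-default), loopback and established flows are
    allowed, then one ACCEPT per (CIDR, protocol, port range)."""
    sg = json.loads(sg_json)
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":            # "all traffic" in security-group terms
            match = ""
        elif proto in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
            port = f"{lo}" if lo == hi else f"{lo}:{hi}"
            match = f" -p {proto} --dport {port}"
        else:                        # icmp etc.: no port match
            match = f" -p {proto}"
        for rng in perm.get("IpRanges", []):
            lines.append(f"-A INPUT -s {rng['CidrIp']}{match} -j ACCEPT")
    lines.append("COMMIT")
    return lines


if __name__ == "__main__":
    print("\n".join(sg_to_iptables(SAMPLE_SG)))  # pipe into iptables-restore
```

Review the generated rules before loading them; locking yourself out of SSH on a remote instance is the classic failure mode of applying a default-deny ruleset.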