1 vote

I am setting up a VPC on AWS. It has a public subnet and two private subnets. The public subnet is for web servers. The private subnets are for high availability databases. I am securing the resources using Security Groups, not Network ACLs.

The default security group which was created when I created the VPC allows all outbound traffic, and only allows inbound traffic from other subnets in the VPC. I'm not sure exactly what kind of servers I'll be deploying in the future - more web servers, more RDS instances, something else? In light of this, I think my default security group should allow no traffic inbound or outbound. Does that make sense?

In this way, if I forget to explicitly choose the security group when I launch an instance, the server is isolated from all other resources.


1 Answer

2 votes

Given your design, a recommended security configuration is:

  • Put your load balancer in the public subnet: It is public-facing
  • Put your web servers in a private subnet: This keeps them secure by removing direct access from the Internet

This way, if you launch a future instance in the private subnet, it is more secure than launching in a public subnet. Security groups are then an extra layer of security.

Given that you are aiming for High Availability, also spread your web servers across multiple Availability Zones. An easy way to do this is to use Auto Scaling, which distributes instances evenly across Availability Zones and has the benefit of scaling in/out to meet demand while minimizing costs.

For an example architecture, see the Web Application Hosting reference architecture in the AWS Architecture Center.
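One way to express both the locked-down default group the question asks about and the layered load balancer / web / database design in the answer, as an added Terraform example that is not part of this question or answer. The VPC id variable, tier names, ports and CIDRs are assumptions, and the subnets, load balancer and instances themselves are left out.

```hcl
variable "vpc_id" {} # assumed: the id of the VPC described in the question

# Managing the default group with no rule blocks strips the rules AWS created
# (inbound from the VPC, outbound anywhere): an instance launched without an
# explicit group can then neither reach nor be reached by anything.
resource "aws_default_security_group" "locked_down" {
  vpc_id = var.vpc_id
}

# One group per tier. With no inline rules the provider also drops the implicit
# allow-all egress, so every permitted flow is spelled out below.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "web", "db"])
  name     = each.key
  vpc_id   = var.vpc_id
}

# The only rule open to the Internet: HTTPS to the load balancer.
resource "aws_security_group_rule" "alb_in" {
  type              = "ingress"
  security_group_id = aws_security_group.tier["alb"].id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# Each hop references a group, never a CIDR, so a future instance is reachable
# only once it is deliberately placed in the right group (ports are assumed).
locals {
  chain = {
    alb_to_web = { from = "alb", to = "web", port = 80 }
    web_to_db  = { from = "web", to = "db", port = 5432 }
  }
}
resource "aws_security_group_rule" "egress" {
  for_each                 = local.chain
  type                     = "egress"
  security_group_id        = aws_security_group.tier[each.value.from].id
  source_security_group_id = aws_security_group.tier[each.value.to].id
  protocol                 = "tcp"
  from_port                = each.value.port
  to_port                  = each.value.port
}
resource "aws_security_group_rule" "ingress" {
  for_each                 = local.chain
  type                     = "ingress"
  security_group_id        = aws_security_group.tier[each.value.to].id
  source_security_group_id = aws_security_group.tier[each.value.from].id
  protocol                 = "tcp"
  from_port                = each.value.port
  to_port                  = each.value.port
}
```

Running `terraform plan` against an existing VPC shows the default group's existing inbound-from-VPC and outbound-anywhere rules being removed, which is the "forgot to pick a group, so the instance is isolated" behaviour the question is after.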