AWS Security Group for RDS - Outbound rules


Question

I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.

However, this security group has all outbound traffic enabled for all traffic for all IPs.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

Answer

> What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It is a good idea to have clear control over outbound connections as well.

In your RDS group: delete all outbound rules (by default, there is a rule that allows outbound connections to all ports and IPs -> just delete this "all-anywhere" rule).

Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection; no outbound rules need to be defined in this case at all.
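An added check that is not part of the original answer: it audits a security group description in the shape returned by `aws ec2 describe-security-groups` (the `IpPermissions` / `IpPermissionsEgress` lists), flags the default "all-anywhere" egress rule the answer says to delete, verifies that ingress is only port 5432 sourced from the EC2 instances' security group, and produces the corrected group with the egress rule removed. The sample group and its `sg-` ids are constructed placeholders, not real account data.

```python
"""Audit an RDS security group for the default 'all-anywhere' egress rule."""
from copy import deepcopy
from typing import Any, Dict, List

DB_PORT = 5432

# Constructed sample (placeholder ids): the situation in the question, inbound
# 5432 from the EC2 instances' security group, outbound open to the world.
SAMPLE_GROUP: Dict[str, Any] = {
    "GroupId": "sg-PLACEHOLDER-rds",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-ec2"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def is_all_anywhere(rule: Dict[str, Any]) -> bool:
    """True for the default egress rule: any protocol/port to 0.0.0.0/0 or ::/0."""
    all_ports = rule.get("IpProtocol") == "-1"
    open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    open_v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return all_ports and (open_v4 or open_v6)


def audit_rds_group(group: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the group matches the answer's advice."""
    findings: List[str] = []
    for rule in group.get("IpPermissionsEgress", []):
        if is_all_anywhere(rule):
            findings.append("egress: all-anywhere rule present; delete it")
    for rule in group.get("IpPermissions", []):
        if rule.get("FromPort") != DB_PORT or rule.get("ToPort") != DB_PORT:
            findings.append(f"ingress: rule not limited to port {DB_PORT}")
        if rule.get("IpRanges") or rule.get("Ipv6Ranges"):
            findings.append("ingress: CIDR source instead of the EC2 security group")
    return findings


def remove_all_anywhere_egress(group: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the group with the all-anywhere egress rule(s) removed.
    Security groups are stateful, so replies to inbound 5432 still flow."""
    fixed = deepcopy(group)
    fixed["IpPermissionsEgress"] = [
        r for r in group.get("IpPermissionsEgress", []) if not is_all_anywhere(r)]
    return fixed
```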

