What are the default security groups created when I set up AWS EB for the first time?


Question

I'm puzzled by the role played by several groups that seem to have been added automatically to my list of AWS security groups, connected in what I gather is the default configuration, and wonder how they work (and what about them it is safe to change). Specifically there are three that are mysterious:

  • launch-wizard-1 which has an inbound rule SSH, TCP, 22, 0.0.0.0/0.
  • default described as "default VPC security group" which has an inbound rule for all traffic and all ports that uses itself as a source.
  • default_elb_... described as "ELB created security group used when no security group is specified during ELB creation - modifications could impact traffic to future ELBs" which has an inbound rule allowing HTTP from all IP addresses

The first two do not appear to be connected to any other security groups, while the latter is the source for an inbound HTTP rule in each of the security groups for my Elastic Beanstalk environments.

What do these do three groups do? Can I change them? Or change connections to them?

For example, the latter rule seems to have the effect of allowing HTTP traffic from anywhere to all of my EB environments. Can I change this rule to limit IPs (to all environments)? Can I "unhook" the rule as a source from a given EB environment (e.g. replacing it as a source with a range of IPs)?

Recommended answer

Looks like you've got a handle on what a security group is: a stateful firewall that is applied to EC2 instances.

When you manually launch an EC2 VM from the web console, AWS will provide you with the option of reusing an existing security group or creating a new one. When you create a new one, the default rule is SSH (port 22) and a default security group name of "launch-wizard-#".

Unfortunately, since a security group can be used by multiple EC2 instances, they are not cleaned up when you delete a VM. So if you deleted the VM that launch-wizard-1 was created with, it does not delete the security group.

Onto the "default security group for VPC". When you create your VPC, a default security group is created alongside with it. When EC2 instances are launched into a VPC subnet, they will have the default security group assigned to them if another is not specified. (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#DefaultSecurityGroup).

So what does that rule mean that allows it to talk to itself? By default, all inbound traffic is denied by a security group. This 'talk to itself' inbound rule indicates that if two VMs both have this rule assigned to them, they will be allowed to communicate with one another on all ports. Should you use this default group? No. Create unique security groups that exercise the rule of least privilege (only open the ports you need to the instances that need them).

Unfortunately, I do not have much elastic beanstalk experience, so this is where my answer turns to assumptions. In the little that I have played with beanstalk, I recall that it created auxiliary resources in your account. This appears to be the case with your Elastic Load Balancer (ELB). As the description indicates, when Elastic Beanstalk needs to launch a new load balancer, the load balancer will use this default group unless you specify another. I believe that this link documents how you would do this (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.managing.elb.html).

In all cases, I would recommend against using the default security groups in favor of individual firewall rules unique to that instance's security needs.

Can you change or delete these?

  • launch-wizard-1: Yes, you can delete or modify this group. Since you mentioned he is unused, go ahead and nuke him.
  • default: VPC is finicky about some of the default resources that it creates. I tested it on my account and I cannot delete it. You can of course modify it, but I'd recommend instead just not using it.
  • default_elb: If I remember properly, elastic beanstalk uses cloudformation to create additional resources, such as an ELB security group. You can modify this security group, but it will create inconsistencies between the cloudformation definition and reality. For your specific question, you can change the range of allowable IPs, but if you're writing rules on a private IP you won't be able to cross environments if the environments are deployed to separate VPCs.
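An added audit script (not part of the question or the answer above) that runs the checks this thread walks through over the JSON shape `aws ec2 describe-security-groups` returns: SSH or HTTP open to 0.0.0.0/0, the self-referencing rule on the VPC default group, and launch-wizard groups that no other group references. The sample input is constructed; the group IDs and the "awseb-env-sg" name are placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and the "awseb-env-sg" name are placeholders, not values from the question.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "default_elb_example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "awseb-env-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}]},
]})

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" source CIDRs for IPv4 and IPv6


def covers_port(perm: dict, port: int) -> bool:
    """True if the rule covers `port`; IpProtocol "-1" means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(describe_json: str) -> list:
    """Flag SSH/HTTP from anywhere, self-referencing rules, and launch-wizard groups no
    other group references (instance attachment needs describe-instances; not checked)."""
    groups = json.loads(describe_json)["SecurityGroups"]
    # Groups that some *other* group names as a rule source
    referenced = {p["GroupId"] for g in groups for perm in g["IpPermissions"]
                  for p in perm.get("UserIdGroupPairs", []) if p["GroupId"] != g["GroupId"]}
    findings = []
    for g in groups:
        gid, name = g["GroupId"], g["GroupName"]
        for perm in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if cidrs & WORLD:
                if perm.get("IpProtocol") == "-1":
                    findings.append(f"{name} ({gid}): all traffic open to the world")
                elif covers_port(perm, 22):
                    findings.append(f"{name} ({gid}): SSH (22) open to the world")
                elif covers_port(perm, 80):
                    findings.append(f"{name} ({gid}): HTTP (80) open to the world")
            if any(p["GroupId"] == gid for p in perm.get("UserIdGroupPairs", [])):
                scope = "all ports" if perm.get("IpProtocol") == "-1" else "listed ports"
                findings.append(f"{name} ({gid}): self-referencing rule ({scope})")
        if name.startswith("launch-wizard") and gid not in referenced:
            findings.append(f"{name} ({gid}): not referenced by any other group, review for cleanup")
    return findings
```

To run it against a real account, pipe the output of `aws ec2 describe-security-groups` into `audit_security_groups` instead of `SAMPLE`.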
