Security Management Guide
Security Management Guide for AWS Users
In this session we will try to show you a few things that you can do immediately to help achieve maximum security in your AWS environment.
When starting off using AWS, users tend to stick to the single Default security group.
The best practice is to maintain separate security groups for each application tier.
For example, in a three-tier environment, covering web, application and database servers, you want to restrict network access to your middle and back tier machines.
How to build security groups (SG) based on application tiers?
- Assign an SG to your web server tier, allowing access mostly on ports 80 (HTTP) and 443 (HTTPS). (See our how-to guide on to add new rules to your SG.)
- Assign a different SG to your application tier, allowing access only from the web server SG name to the very specific application ports. In this guide you will learn how to create SG in AWS.
- Do the same for your database tier, and allow access only from the application tier by specifying the application tier SG name to the database server ports 3306 (MySQL), for example.
How to allow SSH and RDP access?
- The most secure approach is to allow access on port 22 (SSH) to all groups but only from your corporate network.
- If you need to provide access to developers working from home, add a specific rule allowing access from their IP address.
Dos and Don’ts
- Don’t allow internal access from all AWS addresses – 10.0.0.0/8 – that will expose your servers to all AWS servers.
- Avoid exposing non-web server tiers to all IP addresses.
- Limit the number and range of open ports.
- Avoid mixing database servers with web servers in the same security group.
How To Guides
Read this Case Study from one of our users who is securing his environment to the maximum.