Cloud Compliance and Security

Mistake #9: Failing to Proper Configure Security Groups

Amazon’s approach to security is based on “shared responsibility” between users and AWS – Security Groups is one of the tools Amazon provides for users to fulfill their part. One would expect that when it comes to security, users don’t err.

Unnecessary Security Groups Ports are open on DB Server

We have noticed that at least one unnecessary port is open on your DB server, meaning that your DB server is potentially vulnerable. Typically this issue occurs when using the same security groups to secure DB and non-DB servers. We suggest setting security groups specifically for the DB server and limiting access to recommended DB-related ports only.

IP Ports are open to all Internal AWS Servers

We have found that you have at least one of your security groups’ IP ports open to all internal AWS servers. This can potentially make some of your servers vulnerable. This issue can occur if one of your security groups was configured to allow access to the following IP range -  

We suggest limiting access of internal AWS servers to these open ports in one of the following ways:

  • IP Address: Limit access to a specific IP address of an instance that is yours (e.g.
  • Security Group: Limit access to a certain security group (i.e. use another security group’s rules to limit access (e.g. sg-3c02c053).  

Open IP ports

Newvem monitors your security groups’ ports, and notifies you if it finds that at least one of them is currently open to all IP addresses. An open IP port may mean that some servers are exposed to access from any IP address worldwide, making them vulnerable. We suggest that you reduce the number of open ports to a minimum, limiting access from the outside world only to web-facing services. For example, port 80 for HTTP and port 443 for HTTPS.

AMI Objects are Publicly Accessible

It can be risky to publicly share Amazon Machine Images (AMIs), as they may contain sensitive data that you do not want to be publicly accessible.

There are two options:

  • Shared inadvertently: If the AMIs have been shared inadvertently, their access policy can be changed to private.
  • Shared intentionally: If the AMIs have been intentionally shared, sensitive data should be removed from them.

Critical IP Ports are Open: Identification, View and Set Security Groups Rules


Our identification of the issue is based on the following data:

  • One or more security groups were configured to allow access through critical IP ports.
  • One or more of your AWS instances are using the security group with the open critical IP ports.
Newvem Group Security Assessment 

The following is a list of critical IP ports:

Port # Subject
5432 Postgres
3306 MySql
3362 MySql
1433 Sql Server
389 LDAP
9160 Cassandra
27170 MongoDB
5672 AMQP
11211 Memcached
Viewing a Security Group’s Rules
  •  AWS Management Console
    1. Log in to the AWS Management Console and click the Amazon EC2 tab.
    2. In the Navigation pane, click Security Groups. The security groups belonging to the account are displayed.
    3. Select the security group whose rules you want to see. The security group’s information is displayed in the lower pane in the Details tab; its rules are displayed in the Inbound tab.
  • Using AWS CLI Command Line Tools - 

 Type the command:

PROMPT>  ec2-describe-group [group ...]

Amazon EC2 returns output in the format of the following example.

GROUP   sg-251s6f45     999988887777    WebServers   web

PERMISSION      999988887777    WebServers ALLOWS  tcp     80      80      FROM    CIDR       ingress

Tip: To filter the list to return only the security group with the open ports, use the ip-permission.from-port and filters.

Note: These are a short explanations based on our detailed how-to guide - How to Add a Rule to an AWS Security Group

Adding a Rule to a Security Group

AWS Management Console

To add a rule to a security group -

  1.  In the AWS Management Console, select a specific EC2 security group, by following the instructions in the above procedure (Viewing a security group’s rules). The selected security group’s rules appear in the lower pane, in the Inbound tab.
  2. In the Inbound tab, in Create a new rule, select the type of rule to create.
  3. In Port range, specify a port or port range. In this case of open critical IP ports, we suggest that you reduce the number of open ports to a minimum, limiting access from the outside world only to web-facing services (e.g. port 80 for HTTP and port 443 for HTTPS).
  4. In Source, specify one of the following:
    • The name or ID of the security group that is allowed access. If the group is in someone else’s AWS account, type the AWS account ID that contains the security group, followed by “/”, followed by the security group name. For example:  978644442091/SecurityGroupA.
    • The IP address or range of addresses in CIDR notation that is allowed access. For example, 123.2.432.3 to limit access to one computer at that IP address; 123.2.432.3/24 to limit access to a network at that range of IP addresses. You can enter to allow all IP addresses to access the specified port range.

5. Click Add Rule. An asterisk appears on the Inbound tab, and the Apply Rule Changes button becomes enabled.

6. Click Apply Rule Changes. The new rule is created and can be viewed in the right pane of the Inbound tab. The new rule is applied to all instances belonging to the selected security group.

Note: These are a short explanations based on our detailed how-to guide - How to Add a Rule to an AWS Security Group

[Drill down to specific cost, risk, and asset insights directly from you iPhone/iPad to make decisions and take immediate action. Use It For Free!]

Keywords: critical IP ports, amazon aws security groups, AWS management console, security group rule, amazon ec2, aws instances,

The Challenges of an Effective Cloud

Clouds move fast, and change fast.  The advantage is having elastic, fast, and un-planned deployments. However, uncontrolled usage leads very quickly into footprint sprawl – cloud sprawl, overspend and unpredictable behavior.  Contrary to VM sprawl, where the virtualization environment provides natural containment, cloud sprawl can be rather chaotic and expensive – exactly for the same reasons we enumerated above: lack of visibility and control, unpredictability, new processes, and different practices.

Cloud Security: Basics

Cloud providers consolidate access to many consumers’ data, or should we say victims’ data into a single point of (hacking) entry. Recently,  the major popular clouds have increasingly become the focus of attacks by hackers. IT organizations may think that their legal liability can be outsourced, but total misconception. The contract with the IaaS vendors includes security obligations, however it does not negat the liability of the software vendor as the responsible party. So rather than focusing on contracts and limiting liability in cloud services deals, the SaaS vendor must focus on controls and audit-ability.

Availability: Story of The Inevitable Outage of the Cloud

Traditionally delivering high availability often meant replicating everything. However, today with the option of going to the cloud we can say that providing two of everything is costly. High availability should be planned and achieved at several different levels: including the software, the data center and the geographic redundancy.

Hitchhiker's Guide to The Cloud

Newvem's eBook for Cloud Operations