PROJECT 6-3: CONFIGURE SECURITY IN AWS Est. completion time: 1 hour NOTE Public cloud platforms and related account options change frequently. While the instructions given here were accurate at the time of writing, you might need to adjust the steps or options according to later changes. Recall that in Project 1-3, you surveyed available AWS account options and had the opportunity to create an AWS account. In this project, youll explore NACLs and security groups in AWS. Complete the following steps: In your AWS Management Console, go to the VPC dashboard. In the navigation pane, scroll down and click Network ACLs in the Security category. You should have at least one NACL listed here as a default. Select that NACL, and then click the Inbound Rules tab for that NACL. Two rules should be listed here, one that allows all traffic and one that denies all traffic. Considering that these rules seem to accomplish exactly opposite purposes, what net effect do you think these rules have on traffic into this VPC? Why do you think this is? This is the facility of using NACL. It supports rules of allowing and denying nature. AWS checks with all security groups if a certain rule should be set to allow traffic. The default setting of the rule is not to allow any inbound traffic. Inbound rules have control over traffic entering the system. Click the Outbound Rules tab and notice that it shows two similar rules with similar configurations. Click the Subnet associations tab. How many subnets are listed here? The net effect would be improved security. This is because of the nature of NACL rules. These are evaluated in incremental order starting from the small numbered rule. If rule and traffic match, the rule will be applied even if the high-numbered rule is not matching it. Based on the match, the traffic is either allowed or denied. In the navigation pane, click Security Groups. Unless youve been deleting security groups along the way, you should have a few groups listed here. First check a default security group, and examine the inbound and outbound rules. Notice that there is no setting for Allow or Deny. Any traffic referenced by a rule is allowed. Traffic not referenced by a rule is not allowed. What traffic is allowed in this security group? The net effect would be improved security. This is because of the nature of NACL rules. These are evaluated in incremental order starting from the small numbered rule. If rule and traffic match, the rule will be applied even if the high-numbered rule is not matching it. Click a security group created by a launch wizard. Launch-wizard security groups are created when you spin up a new VM. Youve probably deleted the relevant VMs, but the security groups are still present unless youve been deleting these along the way. The traffic that is allowed in a launch-wizard security group is determined by the permission settings you configured on that VM, such as allowing SSH or RDP for remoting in to the VM. What inbound traffic is allowed for this launch-wizard security group? Based on this information, what OS do you think that VM had or has (if it still exists)? Based on the match, the traffic is either allowed or denied. Create a new VPC, a subnet within that VPC, and a VM instance in that subnet. Check the following details as you create the VM: On the Step 3: Configure Instance Details page, make sure to associate the VM with your new VPC, not your accounts default VPC. On the Step 6: Configure Security Group page, choose to select an existing security group instead of creating a new security group. You should be offered the default security group for your new VPC. While the VM is initializing, return to the VPC dashboard and check the rules created by default for your new VPCs NACL and security group. It might be helpful to write down the first few digits of the VPC ID in order to identify the correct NACL and security group. What traffic is currently allowed to this VPC and its instance? In your AWS Management Console, go to the VPC In the navigation pane, scroll down and click Network ACLs in the Security category. You should have at least one NACL listed here as a default. Select that NACL, and then click the Inbound Rules tab for that NACL. Two rules should be listed here, one that allows all traffic and one that denies all traffic. Considering that these rules seem to accomplish exactly opposite purposes, what net effect do you think these rules have on traffic into this VPC? Why do you think this is? Practice creating a higher-priority NACL rule that would specifically allow inbound RDP or SSH traffic, depending on the OS you chose for your VM. Make sure you choose the NACL assigned to the VPC you created earlier in this project. On the NACLs Inbound Rules tab, click Edit inbound rules. Notice the priority for the existing rule, and then click Add Rule. Choose a higher priority rating for your new ruleremember that higher priorities use lower numbers. What priority did you choose? Under Type, choose Custom Protocol Rule. Under Protocol, scroll through the list. What are two protocols that you recognize in this list? Select TCP (6). Under Port Range, enter the port number for the protocol you need. What is the port for SSH? What is the port for RDP? Save your new rule. Practice creating a new security group that only allows inbound RDP or SSH traffic, depending on the OS you chose for your VM. On the Security Groups page, click Create security group. Give the security group a name, such as MySG-1, and a description, such as RDP traffic only or SSH traffic only. Assign the security group to the VPC you created in this project. On the Inbound Rules tab for this new security group, click Edit rules, and then click Add Rule. Under Type, select Custom TCP Rule. Enter the port number for SSH or RDP, depending on the OS you used for your VM. Under Source, select My IP. What happens? Give the rule a description that would help you identify its purpose in a long list of security rules. This is good practice for later when youll be managing many NACL and security rules, and you wont necessarily remember why you created any specific rule. What description did you give the rule? Click Save rules and click Close. Return to the EC2 dashboard, and check the detailed description of your instance, which should be running by now. What is the instances private IP address? Does the instance have a public IP address? Thinking back to what youve learned over the past few modules, why do you think this is? Change the instances security group to the one you just created. To do this, click Actions, point to Networking, and click Change Security Groups. What security group is currently assigned to the VM? Select the new security group. Are you able to assign both security groups to this one VM? Scroll through the navigation pane for the EC2 Dashboard. Of the security resources you used in this project, which one can you manage from the EC2 Dashboard? Delete all of the resources you created in this projectincluding the VPC, subnet, VM, the VPCs default NACL, and both security groups. In what order did you delete these resources? What error messages did you encounter? How did you handle these problems? Check through your account to confirm that all related resources have been deleted.