
Disallowing rule in EC2 security group is not affecting already-established MongoDB connections


This is the case:

  1. Instance X is able to connect to instance Y on TCP port 27017 (allowed by an EC2 security group)
  2. X has the mongo shell
  3. Y has MongoDB running, accepting connections from X on port 27017
  4. From X, use the mongo shell to connect to the DB instance on Y
  5. From this mongo shell session on X, query from Y and insert to Y. All is successful.
  6. Change the security group of Y: remove the rule for port 27017 mentioned in #1
  7. X can still query from/insert to the DB hosted on Y. This is not expected.
  8. Exit the mongo shell session on X
  9. Try step 4 again; it fails. This is normal and expected.

The expectation is that the EC2 network firewall will terminate connections that violate the rules (the security group policies).

Could you please explain how #7 above happens? And how can that be avoided (so X cannot do anything to Y at that time)?

Thank you.


Solution

  • Expectation is that EC2 network firewall will terminate connections that violate the rules

    You're making an assumption here. That might be your expectation of how it should work, but where is that backed up in the official AWS documentation? I suggest reading the documentation instead of making assumptions about how this will work.

    From the documentation:

    An existing flow of traffic that is tracked may not be interrupted when you remove the security group rule that enables that flow. Instead, the flow is interrupted when it's stopped by you or the other host for at least a few minutes (or up to 5 days for established TCP connections). For UDP, this may require terminating actions on the remote side of the flow. An untracked flow of traffic is immediately interrupted if the rule that enables the flow is removed or modified. For example, if you remove a rule that allows all inbound SSH traffic (0.0.0.0/0) to the instance, then your existing SSH connections to the instance are immediately dropped.

    If you want to ensure that traffic is immediately interrupted when you remove a security group rule, you can use a network ACL for your subnet — network ACLs are stateless and therefore do not automatically allow response traffic. For more information, see Network ACLs in the Amazon VPC User Guide.
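The network ACL approach the answer points to, as an added example (not code from the question, the answer or the AWS documentation): a small POSIX shell script that looks up the NACL attached to Y's subnet and inserts a low-numbered DENY for TCP/27017 from X's address, so packets are dropped per-packet regardless of the security group's tracked flow. The subnet id, ACL id and CIDR are placeholders; without `--apply` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: cut off one host from MongoDB (TCP/27017) immediately using a
# stateless network ACL DENY entry, instead of waiting for the security group's
# tracked flow to time out. All ids and addresses below are placeholders.
set -eu

# Build the aws CLI command that inserts an ingress DENY for TCP/27017 from one
# source CIDR. NACL entries are evaluated lowest rule number first, so a low
# number guarantees the DENY is matched before any broader ALLOW (e.g. rule 100
# "allow all" in a default NACL).
nacl_deny_cmd() {
  acl_id="$1"; src_cidr="$2"; rule_no="$3"
  printf 'aws ec2 create-network-acl-entry --network-acl-id %s --ingress --rule-number %s --protocol tcp --port-range From=27017,To=27017 --cidr-block %s --rule-action deny' \
    "$acl_id" "$rule_no" "$src_cidr"
}

# Build the aws CLI command that resolves the NACL currently associated with
# the subnet that hosts the MongoDB instance (Y).
nacl_lookup_cmd() {
  subnet_id="$1"
  printf "aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=%s --query 'NetworkAcls[0].NetworkAclId' --output text" \
    "$subnet_id"
}

# Usage: ./nacl_block.sh --apply <subnet-id-of-Y> <X-address/32>
# Only talks to AWS when --apply is given; otherwise it is a dry run.
if [ "${1:-}" = "--apply" ]; then
  acl_id="$(eval "$(nacl_lookup_cmd "$2")")"
  eval "$(nacl_deny_cmd "$acl_id" "$3" 50)"
else
  echo "dry run: $(nacl_lookup_cmd subnet-0123456789abcdef0)"
  echo "dry run: $(nacl_deny_cmd acl-0123456789abcdef0 10.0.1.25/32 50)"
fi
```

Because a NACL is stateless, the single ingress DENY is enough to stop X's packets reaching Y; remember to remove the entry once the security group change alone is meant to govern access again.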