Tags: amazon-ec2, aws-security-group

How do I create hierarchical AWS Security Groups?


I want to create a 2-level security group hierarchy in AWS.

  1. Location Groups - groups of IP addresses specific to different locations (e.g. "office", "home", "customer 1", etc.). Each of these base groups grants each IP access to All Traffic (ports 0-65535)
  2. Environment Groups - I then am trying to add these base Location Groups to my higher-level Environment Groups (e.g. "test", "prod", "reporting db", etc.). I will use Environment groups for my different instances in EC2. So a server "uat_01" for example will reference the "test" environment group, which will in turn grant access to "office", for example.

Here's my inbound rule setup for security group sg-f2d8.... (office)


I'm adding the base groups using port ranges for access to HTTP (or HTTPS, or MySQL, etc., based on need), and referencing the base group using "Custom" configuration with the group identifier, e.g. "sg-f2d8...."


In the Security Groups panel, everything looks ok, but I can't get access from the selected IPs.

Please help! I've been told EC2 Security Groups can reference base groups this way, but I can't seem to figure it out!

Thanks!


Solution

  • When you put a security group as the source of an inbound rule (or destination for an outbound rule) you are referencing the resources associated with that group (i.e. the EC2 instances that you create that belong to said group), not really allowing the traffic that the group would allow (this is kind of a common misconception about AWS security groups). There is also no transitivity between security groups by referencing them this way.

    Now in order to achieve what you want to achieve, the only workaround I can think of is creating groups of the style home-test, office-test, home-prod and putting in each one the source IP that you would see fit. At the end of the day these would be just "1-level" security groups.

    The formal answer would be that no, you cannot create hierarchical AWS security groups.
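The following toy evaluator, added here as an example and not AWS code, models the point the answer makes: a rule whose source is another security group matches instances that carry that group, not the CIDRs that group allows, so the "test" group referencing "office" never admits a bare office IP, while the flat "office-test" group with the office CIDR does. All group ids, names and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    from_port: int
    to_port: int
    source: str  # a CIDR ("203.0.113.0/24") or a group id ("sg-office")

@dataclass
class SecurityGroup:
    group_id: str
    rules: list = field(default_factory=list)

def allowed(groups, target_groups, port, src_ip, src_groups=()):
    """True if traffic to `port` from `src_ip` reaches an instance that
    carries `target_groups`. `src_groups` are the groups attached to the
    *sending* instance; a laptop outside AWS has none."""
    for gid in target_groups:
        for rule in groups[gid].rules:
            if not rule.from_port <= port <= rule.to_port:
                continue
            if rule.source.startswith("sg-"):
                # Group reference: matched by the sender's membership only,
                # never by the CIDRs the referenced group itself permits.
                if rule.source in src_groups:
                    return True
            elif ip_address(src_ip) in ip_network(rule.source):
                return True
    return False

# Constructed sample: the hierarchy from the question plus the flat workaround.
OFFICE_CIDR = "203.0.113.0/24"
GROUPS = {
    "sg-office": SecurityGroup("sg-office", [Rule(0, 65535, OFFICE_CIDR)]),
    "sg-test": SecurityGroup("sg-test", [Rule(443, 443, "sg-office")]),
    "sg-office-test": SecurityGroup("sg-office-test", [Rule(443, 443, OFFICE_CIDR)]),
}

def office_laptop_via_hierarchy():
    # Bare office IP, no AWS groups: the sg-office reference does not match.
    return allowed(GROUPS, ["sg-test"], 443, "203.0.113.10")

def office_instance_via_hierarchy():
    # An EC2 instance that carries sg-office is what the reference matches.
    return allowed(GROUPS, ["sg-test"], 443, "10.0.0.5", src_groups=["sg-office"])

def office_laptop_via_flat_group():
    # The 1-level workaround: the office CIDR sits directly in office-test.
    return allowed(GROUPS, ["sg-office-test"], 443, "203.0.113.10")
```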