
Security Group Linking EC2 - Load Balancer - RDS


While the setup of security groups is a pretty straightforward practice, I have difficulty applying the right template when focusing on application security and managing connections between my EC2 instance, Load Balancer and RDS.

My fear is that I'm aware that certain applications should not have public access and should only be accessed by the applications that utilize them, but unsure of the best method to achieve that linking.

Should the Load Balancer be the source of the security group configurations and then the attached EC2 instance just reference the Load Balancer setup? Should RDS link to the EC2 security group or Load Balancer? Any guidance on what I should think about in terms of design and my current setup will be extremely helpful!

Load Balancer:

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| HTTP | TCP | 80 | *Public* |
| SSH | TCP | 22 | *Private IP* |
| HTTPS | TCP | 443 | *Public* |

EC2 Instance:

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| HTTP | TCP | 80 | *Load Balancer Security Group* |
| SSH | TCP | 22 | *Load Balancer Security Group* |
| HTTPS | TCP | 443 | *Load Balancer Security Group* |

RDS:

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| All TCP | TCP | 0 - 65535 | *EC2 Instance Security Group* |
| PostgreSQL | TCP | 5432 | *Public* |
| PostgreSQL | TCP | 5432 | *Public (IPv6)* |
| SSH | TCP | 22 | *Private IP* |

Solution

  • You can remove SSH and All from your RDS security group since they will never be used. The RDS sec group should specify the EC2 sec group that requires connectivity. This means you should also remove the publicly accessible references.

    Should the ELB be accessible from the Internet? If so, you are good to go, except that you should remove the SSH rule from the ELB since it will never be used (you can't ssh to an ELB, and ELBs don't load balance ssh connections).

    The EC2 sec group should have rules allowing ELB access. In other words, rules naming the ELB sec group ID should be added for ports 80 and 443, which is basically what you have.

    Remove (or alter) the EC2 sec group rule allowing SSH access from the ELB since ELBs don't support load balancing ssh connections. Ideally it should be locked down to your management location (your office).

    So basically something like the following:

    ELB

    | Type | Protocol | Port Range | Source |
    | --- | --- | --- | --- |
    | HTTP | TCP | 80 | *Public* |
    | HTTPS | TCP | 443 | *Public* |


    EC2

    | Type | Protocol | Port Range | Source |
    | --- | --- | --- | --- |
    | HTTP | TCP | 80 | *Load Balancer Security Group* |
    | HTTPS | TCP | 443 | *Load Balancer Security Group* |
    | SSH | TCP | 22 | *Your office IP address (best practices)* |


    RDS

    | Type | Protocol | Port Range | Source |
    | --- | --- | --- | --- |
    | PostgreSQL | TCP | 5432 | *EC2 Instance Security Group* |


    Finally, for ELBs you can terminate SSL connections at the ELB, which will then forward connections to your EC2 backend instances over port 80. This enables you to manage your SSL certificates in one place (the ELB). You shouldn't do this in situations that require extremely strict compliance, since it would leave a gap in encryption between ELB -> EC2. But you really don't need to worry about this unless you're dealing with PCI or HIPAA compliance.

    Then your EC2 sec group would look something like the following:

    EC2

    | Type | Protocol | Port Range | Source |
    | --- | --- | --- | --- |
    | HTTP | TCP | 80 | *Load Balancer Security Group* |
    | SSH | TCP | 22 | *Your office IP address (best practices)* |
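The tiering rules the answer applies (no SSH on the ELB or RDS, no all-ports rule, RDS reachable only from the EC2 security group, EC2 web ports only from the ELB, SSH only from a management address) can be checked mechanically. The audit below is an added example, not code from the question or answer; the rule dicts follow the `IpPermissions` shape that boto3's `describe_security_groups()` returns, and the group IDs and office address are constructed placeholders.

```python
# Audit of the ELB -> EC2 -> RDS security-group chain; rules are dicts in the
# shape boto3's describe_security_groups() returns under IpPermissions.
PUBLIC = {"0.0.0.0/0", "::/0"}

def rule(port, cidrs=(), groups=(), to_port=None, proto="tcp"):
    """Build one ingress permission in boto3's IpPermissions shape."""
    return {"IpProtocol": proto, "FromPort": port,
            "ToPort": port if to_port is None else to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

def check(tier, perm, elb_sg, ec2_sg):
    """Return one finding if the rule breaks the tiering, else None."""
    ports = (perm["FromPort"], perm["ToPort"])
    cidrs = ({r["CidrIp"] for r in perm["IpRanges"]}
             | {r["CidrIpv6"] for r in perm["Ipv6Ranges"]})
    groups = {g["GroupId"] for g in perm["UserIdGroupPairs"]}
    if ports == (22, 22) and tier in ("ELB", "RDS"):
        return f"{tier}: SSH rule will never be used"      # nothing to ssh to
    if perm["IpProtocol"] == "-1" or ports == (0, 65535):
        return f"{tier}: all-ports rule is wider than any client needs"
    if tier == "RDS" and (cidrs or groups - {ec2_sg}):     # DB: app tier only
        return f"RDS: port {ports[0]} must accept only the EC2 security group"
    if tier == "EC2" and ports == (22, 22) and (groups or cidrs & PUBLIC):
        return "EC2: SSH should be limited to a management CIDR"
    if tier == "EC2" and ports != (22, 22) and (cidrs or groups - {elb_sg}):
        return f"EC2: port {ports[0]} must accept only the ELB security group"
    return None

def audit(sgs, elb_sg, ec2_sg, rds_sg):
    """sgs maps security-group ID -> list of ingress permissions."""
    tiers = {elb_sg: "ELB", ec2_sg: "EC2", rds_sg: "RDS"}
    found = (check(tiers[s], p, elb_sg, ec2_sg) for s, ps in sgs.items() for p in ps)
    return [f for f in found if f]

ELB, EC2, RDS = "sg-elb", "sg-ec2", "sg-rds"  # constructed placeholder IDs
OFFICE = "198.51.100.7/32"                    # constructed management address
BEFORE = {  # constructed copy of the question's three tables
    ELB: [rule(80, cidrs=PUBLIC), rule(22, cidrs=[OFFICE]), rule(443, cidrs=PUBLIC)],
    EC2: [rule(80, groups=[ELB]), rule(22, groups=[ELB]), rule(443, groups=[ELB])],
    RDS: [rule(0, groups=[EC2], to_port=65535), rule(5432, cidrs=["0.0.0.0/0"]),
          rule(5432, cidrs=["::/0"]), rule(22, cidrs=[OFFICE])],
}
AFTER = {  # the answer's final layout: TLS ends at the ELB, SSH from the office
    ELB: [rule(80, cidrs=PUBLIC), rule(443, cidrs=PUBLIC)],
    EC2: [rule(80, groups=[ELB]), rule(22, cidrs=[OFFICE])],
    RDS: [rule(5432, groups=[EC2])],
}
```

Running `audit(BEFORE, ELB, EC2, RDS)` reports the six rules the answer removes or tightens, while `audit(AFTER, ELB, EC2, RDS)` is empty.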