Security Groups

Review the security group configuration in your lab

  1. Refer to the collected output values from your CloudFormation stack. Note the value of the “InterfaceSecurityGroupURL” output. This is the URL to review the security group associated with your interface endpoint. Also note the values of the “SecurityGroupForReportsEngine” and “SecurityGroupForSalesApp” outputs.
  2. Paste the InterfaceSecurityGroupURL value in your browser and select the security group in the top pane.
  3. Click on the Inbound tab in the lower pane to see the inbound security group rules. The development team has restricted access to the CIDR range 10.0.0.0/8.

  4. Further restrict the inbound rules. Update the existing inbound security group rule by clicking the Edit button in the lower pane. Remove the existing rule (10.0.0.0/8). Create two new inbound rules with the following attributes (replacing the sg- values with the outputs from your CloudFormation stack):

| Type    | Protocol | Port Range | Source         | Description                                |
|---------|----------|------------|----------------|--------------------------------------------|
| All TCP | TCP      | 0-65535    | Custom sg-XXXX | Inbound from SecurityGroupForSalesApp      |
| All TCP | TCP      | 0-65535    | Custom sg-YYYY | Inbound from SecurityGroupForReportsEngine |

Save your changes to further constrain network access to the interface endpoint and the SQS queue it provides access to.
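As an added check that is not part of the original workshop, the Python below audits the endpoint security group's inbound rules in the shape the EC2 DescribeSecurityGroups API returns them (IpPermissions), flagging any CIDR-sourced rule and any source security group other than the two expected ones, and builds the replacement rule payload from the table above. The rule data is constructed; sg-XXXX and sg-YYYY stand in for your stack's outputs.

```python
"""Audit and rebuild inbound rules of a VPC interface endpoint security group."""
from typing import Dict, Iterable, List

# Constructed sample in the EC2 DescribeSecurityGroups "IpPermissions" shape:
# the endpoint SG as the lab leaves it (open to 10.0.0.0/8) ...
BEFORE: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
]
# ... and after the step above (sourced only from the two application SGs).
AFTER: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [
         {"GroupId": "sg-XXXX", "Description": "Inbound from SecurityGroupForSalesApp"},
         {"GroupId": "sg-YYYY", "Description": "Inbound from SecurityGroupForReportsEngine"},
     ]},
]


def audit_endpoint_sg(permissions: Iterable[Dict], allowed_sgs: Iterable[str]) -> List[str]:
    """Return findings; an empty list means every inbound rule is sourced from an allowed SG."""
    allowed = set(allowed_sgs)
    findings: List[str] = []
    for perm in permissions:
        ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}/{perm['IpProtocol']}"
        # Any CIDR source (IPv4 or IPv6) is broader than a security-group source.
        for rng in perm.get("IpRanges", []):
            findings.append(f"{ports} open to CIDR {rng['CidrIp']}; use a security group source instead")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"{ports} open to IPv6 CIDR {rng['CidrIpv6']}; use a security group source instead")
        # Security-group sources are fine only if they are the ones we expect.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed:
                findings.append(f"{ports} open to unexpected security group {pair['GroupId']}")
    return findings


def sg_sourced_tcp_rules(sources: Dict[str, str]) -> List[Dict]:
    """Build the IpPermissions payload for the table above: all TCP ports, sourced from the
    given {group_id: description} map. Suitable for boto3
    ec2.authorize_security_group_ingress(GroupId=endpoint_sg, IpPermissions=...)."""
    return [{
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "UserIdGroupPairs": [{"GroupId": sg, "Description": desc} for sg, desc in sources.items()],
    }]


if __name__ == "__main__":
    expected = {"sg-XXXX", "sg-YYYY"}
    print("before:", audit_endpoint_sg(BEFORE, expected) or "clean")
    print("after: ", audit_endpoint_sg(AFTER, expected) or "clean")
```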

For additional information regarding security group rule updates, refer to the AWS documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules