Optimizing definition of inbound rules for security groups in AWS

In: AWS

11 Apr 2021

Introduction

In an ideal world we would never leave unnecessary network ports open: every workload would sit behind well-defined security groups (or at least as few of them as possible). In practice this can be hard to achieve, and we have to compromise between the number of inbound rules and the number of ports left open. Some applications use thousands of ports, and the ops team may have little documentation on which ports are actually used and need to be reachable. We also have to respect the quotas on security groups (e.g. the default limit of 60 inbound rules per security group).

One strategy to better understand which ports a given workload really uses is to leverage VPC Flow Logs, a feature that captures information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3, and a flow log can be created for a whole VPC, a subnet, or a single network interface.

VPC Flow Logs Analyzer is an open source tool written in Python that analyzes your VPC flow logs and suggests a set of optimized port ranges and individual ports covering all the source ports used for a specific ENI (network interface). This can serve as a base for the inbound rules of your security groups. It has two implementations. The first leverages Amazon Athena, an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. The second uses Amazon CloudWatch Logs, which can centralize logs from your different systems and AWS services.
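Before any optimization, the ports have to be pulled out of the flow log records. The following is an added example, not the analyzer's own code, showing what that extraction has to take into account. A flow log record carries both srcport and dstport; for an inbound security-group rule the port that matters is the destination port on the ENI, so the example keeps ACCEPTed records whose destination address is the ENI's private IP (the record does not tell you which address is the ENI's, so you have to supply it) and groups ports by protocol, because a security group rule is always per protocol. The ENI ids, addresses and records are constructed sample data, and `ephemeral_from` is a hypothetical parameter introduced here:

```python
"""Added example: pull the accepted inbound ports for one ENI out of VPC Flow
Log records in the default (version 2) format. Constructed sample data,
not real traffic; not the analyzer's own code."""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Optional, Set

# Field order of the default flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
PROTOCOL_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}  # IANA protocol numbers

# Constructed records: web traffic and its replies, a rejected SSH probe, a UDP
# flow, return traffic of an outbound HTTPS call, another ENI, and a NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 51515 80 6 10 840 1618100000 1618100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 51516 81 6 4 320 1618100000 1618100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.12 80 51515 6 10 2400 1618100000 1618100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40000 22 6 1 60 1618100000 1618100060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40001 1020 17 1 60 1618100000 1618100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.50 10.0.1.25 443 55555 6 8 5100 1618100000 1618100060 ACCEPT OK
2 123456789012 eni-0f0f0f0f0f0f0f0f0 203.0.113.99 10.0.2.9 33333 443 6 3 200 1618100000 1618100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1618100000 1618100060 - NODATA
"""


def parse_records(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed record; skip blank, header or truncated lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        yield dict(zip(FIELDS, parts))


def inbound_ports(records: Iterable[Dict[str, str]], eni_id: str, eni_ip: str,
                  ephemeral_from: Optional[int] = None) -> Dict[str, Set[int]]:
    """Map protocol -> set of destination ports accepted inbound on one ENI.

    Inbound means the ENI's own private IP (not present in the record, so it
    must be supplied) is the destination. Outbound records and REJECTed
    probes are dropped: a rejected flow never justifies opening a port.
    Flow logs are not stateful, so replies to connections the instance
    itself opened show up as inbound records on high ports; security groups
    are stateful and need no rule for them, and ephemeral_from (a hypothetical
    knob, e.g. 32768 for the Linux default range) lets you discard them.
    """
    by_protocol: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["interface_id"] != eni_id or r["action"] != "ACCEPT" or r["dstaddr"] != eni_ip:
            continue
        port = int(r["dstport"])
        if ephemeral_from is not None and port >= ephemeral_from:
            continue
        by_protocol[PROTOCOL_NAMES.get(r["protocol"], r["protocol"])].add(port)
    return dict(by_protocol)


if __name__ == "__main__":
    eni, ip = "eni-0a1b2c3d4e5f60718", "10.0.1.25"
    print(inbound_ports(parse_records(SAMPLE_LOG.splitlines()), eni, ip))
    print(inbound_ports(parse_records(SAMPLE_LOG.splitlines()), eni, ip, ephemeral_from=32768))
```

Run as-is the first print includes port 55555, the return leg of an outbound HTTPS call; with `ephemeral_from=32768` it disappears. Whatever tool you use, check how it handles that return traffic before turning its output into rules, otherwise you will open the whole ephemeral range for nothing.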

Let’s see it in action

Let’s assume that the VPC flow logs show the following source ports used by a specific ENI:

80
81
82
85
86
1001
1002
1020

Running the tool with maxInboundRules of 3 and maxOpenPorts of 3 (the maximum number of unused ports left open within a single range, i.e. within a single inbound rule), it gives the following result:

ranges : 
 - from 80 to 86
 - from 1001 to 1002
 
individual ports : 
 - 1020
 
extra/unused ports (ports that are open and shouldn't be) :
 - 83, 84

In the previous example we end up with two ranges and one individual port, i.e. three inbound rules. Two ports would be open that shouldn’t be (83 and 84). This is a compromise we may decide to accept if we want at most 3 inbound rules in the security group.

If we decide to run the optimizer with maxInboundRules = 10 and maxOpenPorts of 3, we get the following result:

ranges : 
 - from 80 to 82
 - from 85 to 86
 - from 1001 to 1002
 
individual ports : 
 - 1020
 
extra/unused ports (ports that are open and shouldn't be) :
 - (none)

In this case the optimizer suggests three ranges and one individual port, a total of four inbound rules (which respects our constraint of at most 10 rules), and no extra port is left open.

If we decide to run the optimizer with maxInboundRules = 1 and maxOpenPorts of 3, we get the following result:

Couldn't find a combination - you may want to consider increasing 
the values for maxInboundRules and/or maxOpenPorts

The optimizer has no magic power (yet) and is simply unable to come up with a solution under those constraints: a single rule would have to span 80 to 1020 and would leave far more than 3 unused ports open.

If we decide to run the optimizer with maxInboundRules = 1 and maxOpenPorts of 1000, we get the following result:

ranges : 
 - from 80 to 1020
 
individual ports : 
 - (none)
 
extra/unused ports (ports that are open and shouldn't be) :
 - 83, 84, 87, 88, 89, 90, ..., ..., 999, 1000, ..., ..., 1018, 1019

In this example the optimizer returns one single range (as requested). However, 933 ports that shouldn’t be open are left open (941 ports in the range minus the 8 actually used, which is below the maxOpenPorts value of 1000).
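The four runs above are all instances of one optimization problem: split the sorted list of observed ports into at most maxInboundRules contiguous groups (one security group rule each), never let a single group leave more than maxOpenPorts unused ports open, and minimise the total of unused ports left open. The following is an added example that solves exactly that problem with a small dynamic program and reproduces the four results shown above; it is not the analyzer's own code, and the names `optimize`, `render` and `Plan` are introduced here. Run it once per protocol, since a security group rule covers a single protocol.

```python
"""Added example: a port-range optimizer in the spirit of the tool above.
Given the ports observed in flow logs, find at most max_inbound_rules
contiguous ranges (one security group rule each), with each range leaving
at most max_open_ports unused ports open, minimising the unused total.
This is a dynamic program over the sorted port list, not the tool's own code."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class Plan:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # (from, to), to > from
    individual_ports: List[int] = field(default_factory=list)
    extra_ports: List[int] = field(default_factory=list)  # open but never observed

    def rule_count(self) -> int:
        return len(self.ranges) + len(self.individual_ports)


def optimize(ports: Sequence[int], max_inbound_rules: int, max_open_ports: int) -> Optional[Plan]:
    """Return the cheapest plan, or None when no plan satisfies both limits."""
    p = sorted(set(ports))
    n = len(p)
    if n == 0:
        return Plan()
    inf = float("inf")
    # best[i][k]: fewest unused ports left open when p[:i] is covered by exactly k rules
    best = [[inf] * (max_inbound_rules + 1) for _ in range(n + 1)]
    split = [[-1] * (max_inbound_rules + 1) for _ in range(n + 1)]  # start index of the last rule
    best[0][0] = 0
    for i in range(1, n + 1):
        for k in range(1, max_inbound_rules + 1):
            # the last rule covers p[j:i]; walk j downwards, so the range only grows
            for j in range(i - 1, -1, -1):
                extra = (p[i - 1] - p[j] + 1) - (i - j)  # ports in the range minus ports used
                if extra > max_open_ports:
                    break  # a longer range leaves even more ports open
                if best[j][k - 1] + extra < best[i][k]:
                    best[i][k] = best[j][k - 1] + extra
                    split[i][k] = j
    feasible = [(best[n][k], k) for k in range(1, max_inbound_rules + 1) if best[n][k] < inf]
    if not feasible:
        return None
    _, k = min(feasible)  # fewest unused ports first, then fewest rules
    plan = Plan()
    i = n
    while k > 0:  # rebuild the rules from the recorded split points, back to front
        j = split[i][k]
        lo, hi = p[j], p[i - 1]
        if lo == hi:
            plan.individual_ports.append(lo)
        else:
            plan.ranges.append((lo, hi))
            used = set(p[j:i])
            plan.extra_ports.extend(x for x in range(lo, hi + 1) if x not in used)
        i, k = j, k - 1
    plan.ranges.reverse()
    plan.individual_ports.reverse()
    plan.extra_ports.sort()
    return plan


def render(plan: Optional[Plan]) -> str:
    """Format a plan the way the article shows the tool's output."""
    if plan is None:
        return ("Couldn't find a combination - you may want to consider increasing\n"
                "the values for maxInboundRules and/or maxOpenPorts")
    lines = ["ranges :"]
    lines += [f" - from {lo} to {hi}" for lo, hi in plan.ranges] or [" - (none)"]
    lines.append("individual ports :")
    lines += [f" - {port}" for port in plan.individual_ports] or [" - (none)"]
    lines.append("extra/unused ports (open but never observed) :")
    lines.append(" - " + (", ".join(map(str, plan.extra_ports)) or "(none)"))
    return "\n".join(lines)


# Ports from the article's worked example.
OBSERVED_PORTS = [80, 81, 82, 85, 86, 1001, 1002, 1020]

if __name__ == "__main__":
    for rules, open_ports in [(3, 3), (10, 3), (1, 3), (1, 1000)]:
        print(f"maxInboundRules={rules} maxOpenPorts={open_ports}")
        print(render(optimize(OBSERVED_PORTS, rules, open_ports)), end="\n\n")
```

Ties are broken towards fewer rules, which is why the (10, 3) run yields four rules rather than eight individual ports, both of which leave nothing extra open. The cost is O(n^2 * maxInboundRules) in the number of distinct ports, which is fine for the few thousand ports a workload can realistically use.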

Links

Source code and documentation can be found here : https://github.com/alfallouji/AWS-SAMPLES/tree/master/vpc-flowlogs-analyzer


Who am I?

My name is Bashar Al-Fallouji, I work as an Enterprise Solutions Architect at Amazon Web Services.

I am particularly interested in Cloud Computing, Web applications, Open Source Development, Software Engineering, Information Architecture, Unit Testing, XP/Agile development.

On this blog, you will find mostly technical articles and thoughts around PHP, OOP, OOD, Unit Testing, etc. I am also sharing a few open source tools and scripts.
