DEV Community: Isah Bashir Ibrahim

Security Group Creation in AWS

Isah Bashir Ibrahim — Fri, 31 Jan 2025 20:34:37 +0000

This document outlines the steps for creating a security group in the Amazon Virtual Private Cloud (VPC) dashboard. You can find an article discussing the full significance of Security Groups here.

Access the AWS Management Console
Log in to the AWS Management Console using your valid AWS credentials.
Navigate to the VPC Service
In the AWS Management Console, locate and select the VPC service.
Access Security Groups
In the VPC navigation panel, select Security Groups.
Create a Security Group
Click the Create Security Group button.
Provide a name for your security group
Name: Provide a descriptive name for your security group (e.g., "Web Server SG").
Description: Enter a brief description of the security group's purpose.
VPC: Select the VPC to which this security group will be associated.

Configure Inbound Rules
Click Add Rule to define inbound traffic rules.
Type: Select the type of traffic (e.g., All traffic, TCP, UDP, ICMP, IP Permissions).
Protocol: Specify the protocol (e.g., TCP, UDP, ICMP).
Port Range: Define the port range for the traffic (e.g., 80 for HTTP, 443 for HTTPS).
Source: Determine the source of the traffic:
0.0.0.0/0: Allow traffic from anywhere.
Specific IP addresses/CIDR blocks: Allow traffic from specific IP addresses or IP ranges.
Security Groups: Allow traffic from other security groups within the same VPC.
**Click Add Rule to add more inbound rules as needed.
Configure Outbound Rules (Optional)
Click Add Rule to define outbound traffic rules.
Type: Select the type of traffic (e.g., All traffic, TCP, UDP, ICMP, IP Permissions).
Protocol: Specify the protocol (e.g., TCP, UDP, ICMP).
Port Range: Define the port range for the traffic (e.g., all ports).
Destination: Determine the destination of the traffic:
0.0.0.0/0: Allow traffic to anywhere.
Specific IP addresses/CIDR blocks: Allow traffic to specific IP addresses or IP ranges.
Security Groups: Allow traffic to other security groups within the same VPC.
**Click Add Rule to add more outbound rules as needed.

AWS Security Groups provides network-level firewalls for instances.

Isah Bashir Ibrahim — Sun, 19 Jan 2025 12:44:24 +0000

1. Introduction

AWS Security Groups function as virtual firewalls within a Virtual Private Cloud (VPC) at the instance level. They serve as an important layer of defence, managing network traffic flow to and from your EC2 instances.

2. Key Characteristics

Security groups are stateless. Inbound rules simply restrict incoming traffic and do not automatically permit corresponding outbound traffic. For example, if you allow inbound SSH traffic (port 22), you must specifically allow outward traffic on port 22 to support interactive sessions.
Instance-level: Security Groups are linked to specific EC2 instances. An instance can have numerous security groups connected, allowing for more flexible and layered security configurations.
Rule-Based: Security Groups operate according to rules that specify:
Protocol: (such as TCP, UDP, or ICMP)
Port Range (e.g., 22 for SSH, 80 for HTTP).
Source/Destination: (for example, IP addresses, IP ranges, security groups, or 0.0.0.0/0 for all sources and destinations).

3. Common Use Cases

Restricting SSH Access: To prevent unauthorised access, allow SSH communication from only particular IP addresses or security groups.
Enabling Web Server Access: Allow HTTP and HTTPS traffic from the internet via ports 80 and 443.
Internal Communication: Enable communication between instances inside a certain VPC or subnet.
Database Access: Limit database access by only permitting traffic from authorised applications or services.

4. Best Practices

Apply the principle of least privilege by granting only the essential permissions. Avoid too liberal rules, which may expose your instances to needless danger.
Apply Security Group Ingress Rules only occasionally. Carefully assess each inbound rule and only allow necessary traffic.
Use Security Group Egress Rules: Create outbound rules to manage traffic leaving your instances, particularly for services that connect externally.
Review and Update: Review your security group rules regularly and update them as appropriate to reflect changes in your application's requirements and security posture.
Avoid Default Security Groups: The default security group frequently grants extensive permissions. Create specific security groups for each instance and avoid using the default wherever possible.

5. Common Misconfigurations

Overly Permissive Rules: Allowing unnecessary traffic from 0.0.0.0/0 (all sources) might greatly broaden the attack vector.
incorrect Port Numbers: Typos or erroneous port numbers might result in unauthorised access or denial of service.
Missing Outbound Rules: Failing to create outbound rules for apps that require outgoing connections can cause problems.

Installing and setting up AWS CLI on macOS

Isah Bashir Ibrahim — Sat, 28 Dec 2024 11:39:37 +0000

Introduction

The AWS Command Line Interface (AWS CLI) is a uniform platform for managing your AWS resources. With just one tool to download and configure, you can control and automate various AWS services from the command line using scripts.

Prerequisite

AWS account
IAM user with programmatic access

Installing AWS CLI

Run this command to install AWS CLI on your local machine.

curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg”

sudo installer -pkg AWSCLIV2.pkg -target /

Verification

To verify that the shell can find and run the AWS command in your $PATH, use the following commands.

which aws

You will get the output: /usr/local/bin/aws

Setup locally

Run this command to quickly set and view your credentials, Region, and output format. The following example shows sample values.

aws configure

Note: Make sure to download your account credentials and input them after running this command.

This output will look like this if you successfully configure the CLI.

AWS Access Key ID [None]: ***AIO***DN**7EX****

AWS Secret Access Key [None]: w***rXU***MI/****G/**MP***Y

Default region name [None]: us-****-2

Default output format [None]: json

Infrastructure provisioning with AWS CloudFormation

Isah Bashir Ibrahim — Sat, 17 Feb 2024 22:54:27 +0000

Introduction

Provisioning of infrastructure can be a tedious task when carried out on the AWS console, it has a lot of limitations when it comes to tasks like creating same infrastructure when a mistake was made, recreating the same infrastructure for another project or case of not following the exact same steps needed for the infrastructure creation on the console.
Situations like this and more are the reasons why infrastructure as code (IaC) was created, to give developers the ability to write out code for their infrastructure which can be used multiple times.

In this article, we would be looking at AWS very own infrastructure as code (IaC) tool called "CloudFormation", which is written in YAML language and creating a network infrastructure which consist of a Virtual Private Network (VPN), Subnet, Internet gateway, Elastic IP, NetGateway, Routing table.

The code used for this Demo can be found here.

Creating a CloudFormation stack

To create a CloudFormation stack, the following AWS command will be passed into the terminal.

create-stack: Desired stack name.
template-body: Name of the YAML file containing the IaC.
parameters: Key value pairs that can be used as parameter in the YAML file.
region: Desired region in which the infrastructure will be created.

aws cloudformation create-stack \
  --stack-name AppDeploy \
  --template-body file://network.yml \
  --parameters ParameterKey=EnvironmentName,ParameterValue=AppDeploy \
  --region=us-east-1

When it is successful, the following output will be displayed on the terminal, showing the stack ID.

On your CloudFormation dashboard in AWS console, it will display the name given to the stack and a status of CREATE_IN_PROGRESS.

Click the name of the stack, and check under the "resources" section to see the list of the resources indicated in the template that are being created.

After successful creation of the resources, you can visit the VPC dashboard to view the just created VPC.

We were able to look at how to use CloudFormation for infrastructure provisioning by creating a group of networking resources which was deployed as a stack on the CloudFormation dashboard.

Optimizing Content Delivery: Unleashing the Power of Amazon CloudFront

Isah Bashir Ibrahim — Sat, 28 Oct 2023 16:59:16 +0000

Introduction

In an increasingly digital and interconnected world, delivering content swiftly and seamlessly to global audiences is vital for businesses across the world. CloudFront has revolutionized the way organizations distribute their digital content, enabling faster load times, improved user experiences, and enhanced scalability. In this article, we delve into the transformative power of CloudFront, exploring its features, benefits, and how to set it up.

What is CloudFront?

CloudFront is a globally distributed CDN that accelerates the delivery of static, dynamic, and streaming content to end users. Leveraging the power of AWS’s extensive global infrastructure, CloudFront ensures low latency and high-performance content delivery to users worldwide. It acts as a mediator between the origin server (where the content is stored) and the end user, minimizing the distance and network hops between them, resulting in faster loading times and reduced bandwidth costs.

Key Features and Benefits

Global Reach: With numerous edge locations strategically placed across major cities worldwide, CloudFront ensures content is delivered from the nearest edge location to end-users, reducing latency and enabling faster content retrieval.
High Performance: CloudFront utilizes advanced caching techniques, including edge caching and dynamic content acceleration, to optimize the delivery of both static and dynamic content. By caching frequently accessed content at edge locations, CloudFront minimizes the load on origin servers and improves response times.
Scalability: CloudFront is designed to handle high traffic volumes and sudden spikes in demand. It dynamically scales resources based on traffic patterns, ensuring content delivery remains fast and reliable even during traffic surges.
Security: CloudFront provides several security features to protect content and end-users. It supports HTTPS encryption by default, securing data in transit.
Flexibility: CloudFront offers flexible content delivery options, allowing businesses to deliver content in various formats, including web pages, APIs, videos, and software downloads. It supports streaming media delivery for both on-demand and live-streaming scenarios, enabling efficient video distribution across different devices.

Additionally, it integrates with AWS Web Application Firewall (WAF) and AWS Shield for advanced protection against DDoS attacks and other web vulnerabilities.

Setting up CloudFront

Search for Cloudfront on the search bar and navigate to the page.

After navigating to the CloudFront dashboard, an option to create a CloudFront distribution would be displayed if it's your first time creating one or a list of previously created Cloudfront distributions would be displayed.

Click the Create a CloudFront distribution and a new page will appear. On the "Origin domain" you have to input a domain name or an AWS resource that you can point the Cloudfront to, like S3 bucket, API gateway, Loadbalancer etc. In this example, I'm using an S3 bucket that is hosting a static webpage.

While using Cloudfront, you have the option to enable a web application firewall which protects your site from DDoS and security vulnerabilities.

Under the setting, you can select the collection of regions closest to you for a better distribution or select the "Use all edge location" which is the best for performance. After this section, go ahead and click the Create button to create the CloudFront distribution.

After a few seconds, the dashboard of the CloudFront distribution just created will appear and notice the Distribution domain name which is the new domain that would be used as a CDN.

Copy the Distribution domain name into your web browser and notice the appended ".cloudfront.net" which shows that your site is distributed by CloudFront.

In conclusion, Amazon CloudFront is a frequently employed service for expediting the delivery of web applications, video streaming, and various online content to a worldwide audience, all while guaranteeing minimal delay and robust accessibility. It plays a pivotal part in enhancing efficiency, safeguarding assets, and enhancing the capacity for web services and applications.