This section provides two examples of how to use the Amazon EC2 firewall.
Note: These examples use the command line tools. You can achieve the same results using the SOAP API.
This example shows Albert modifying the default group to meet his security needs.
Albert launches a copy of his favorite public AMI:
$ ec2-run-instances ami-eca54085
INSTANCE i-cfd732a6 ami-eca54085 pending 0 m1.small 2007-07-11T16:40:44+0000

After a little wait for the image launch to complete, Albert, who is a cautious type, checks the access rules of the default group:
$ ec2-describe-group default
GROUP 598916040194 default default group
PERMISSION default ALLOWS all FROM USER 598916040194 GRPNAME default

Albert notices that it only accepts ingress network connections from other members of the default group, for all protocols and ports.
Albert, being paranoid as well as cautious, port scans his instance:
$ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
All 100 scanned ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116) are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

Albert decides he should be able to SSH into his instance, but only from his own machine:
$ ec2-authorize default -P tcp -p 22 -s 192.168.1.130/32
GROUP default
PERMISSION default ALLOWS tcp 22 22 FROM CIDR 192.168.1.130/32

Albert repeats the port scan:
$ nmap -P0 -p1-100 domU-12-31-33-00-01-56.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:43 SAST
Interesting ports on domU-12-31-33-00-01-56.usma1.compute.amazonaws.com (216.182.228.116):
(The 99 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 32.705 seconds

Albert is happy (or at least less paranoid).
Mary wishes to deploy her public, fault-tolerant, three-tier web service in Amazon EC2. Her plan is to start her web tier with seven instances of ami-fba54092, her application tier with twenty instances of ami-e3a5408a, and her multi-master database with two instances of ami-f1a54098. She is concerned about the security of her subscriber database, so she wants to restrict network access to her middle- and back-tier machines. When traffic to her site increases over the holiday shopping period, she adds instances to her web and application tiers to handle the extra load.
First, Mary creates a group for her Apache web server instances and allows HTTP access to the world.
$ ec2-add-group apache -d "Mary's Apache group"
GROUP apache Mary's Apache group
$ ec2-describe-group apache
GROUP 598916040194 apache Mary's Apache group
$ ec2-authorize apache -P tcp -p 80 -s 0.0.0.0/0
GROUP apache
PERMISSION apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
$ ec2-describe-group apache
GROUP 598916040194 apache Mary's Apache group
PERMISSION 598916040194 apache ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
Mary launches seven instances of her web server AMI as members of the apache group:
$ ec2run ami-fba54092 -n 7 -g apache
INSTANCE i-cfd732a6 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
INSTANCE i-cfd732a7 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
INSTANCE i-cfd732a8 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
INSTANCE i-cfd732a9 ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
INSTANCE i-cfd732aa ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
INSTANCE i-cfd732ab ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
INSTANCE i-cfd732ac ami-fba54092 pending 0 m1.small 2007-07-11T16:40:44+0000
$ ec2din i-cfd732a6
RESERVATION r-0592776c 598916040194
INSTANCE i-cfd732a6 ami-fba54092 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com running 0 m1.small 2007-07-11T16:40:44+0000
Being as paranoid as Albert, Mary does a port scan to confirm the permissions she just configured:
$ nmap -P0 -p1-100 domU-12-31-33-00-04-16.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 16:21 SAST
Interesting ports on domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20):
(The 99 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 33.409 seconds

Mary verifies that her web server can be reached:
$ telnet domU-12-31-33-00-04-16.usma1.compute.amazonaws.com 80
Trying 216.182.231.20...
Connected to domU-12-31-33-00-04-16.usma1.compute.amazonaws.com (216.182.231.20).
Escape character is '^]'.

Mary can reach her web server.
Mary creates a separate group for her application server:
$ ec2-add-group appserver -d "Mary's app server"
GROUP appserver Mary's app server
Mary starts twenty instances as members of the appserver group:
$ ec2run ami-e3a5408a -n 20 -g appserver
Mary grants network access between her web server group and the application server group:
$ ec2-authorize appserver -o apache -u 495219933132
GROUP appserver
PERMISSION appserver ALLOWS all FROM USER 495219933132 GRPNAME apache

Mary verifies that access to her application servers is restricted by port scanning one of them:
$ nmap -P0 -p1-100 domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-07 15:42 SAST
All 100 scanned ports on domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com (216.182.228.12) are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 31.008 seconds

Mary confirms that her web servers have access to her application servers:
She (temporarily) grants SSH access from her workstation to the web server group:
$ ec2-authorize apache -P tcp -p 22 -s 192.168.1.130/32

She logs in to one of her web servers and connects to an application server on TCP port 8080:
$ telnet domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com 8080
Trying 216.182.228.12...
Connected to domU-12-31-33-00-03-D1.usma1.compute.amazonaws.com (216.182.228.12).
Escape character is '^]'.

Satisfied with the setup, she revokes SSH access to the web server group:
$ ec2-revoke apache -P tcp -p 22 -s 192.168.1.130/32

Mary repeats these steps to create the database server group and to grant access between the application server and database server groups.