
Can AWS security groups protect EC2 from being attacked by other instances inside AWS?

Question


AWS security groups can protect EC2 from outside AWS. How about from other instances inside the AWS network?

Can they protect EC2 from being attacked by other instances inside AWS?

------------------------
| AWS                  |
|     EC2-1   EC2-2    |   ------ outside
------------------------

For example, port 8080 is open in EC2-1.

Answer 1

Score: 0


By default, resources including Amazon EC2 instances cannot communicate with each other. (Although the management console will offer some standard security groups that do permit this communication, it is your choice to accept it.)

If you want to permit inbound or outbound communication to/from resources, you must configure Security Groups.

Security Groups have two sets of rules:

  • Inbound rules, where communications are initiated from outside of the resource, and
  • Outbound rules, where communication is initiated from the resource to something outside of the resource

Note that these rules apply to any traffic in/out of the resource, not just traffic to/from the Internet.

If two Amazon EC2 instances are in the same VPC, they can only communicate with each other if there are:

  • Outbound rules that permit the traffic, and
  • Inbound rules that permit the traffic

For example, if Instance-A wants to communicate with Instance-B, then:

  • Instance-A requires an Outbound rule that permits traffic to go to Instance-B, and
  • Instance-B requires an Inbound rule that permits traffic from Instance-A to be received by Instance-B

Some people think that if multiple instances are "in the same Security Group" then they can communicate with each other. However, this is not true. Resources are not "in" security groups. Rather, each Security Group applies to each instance individually. If two instances have been assigned the same security group, then they can only communicate if the security group permits outbound connections to itself and also permits inbound connections to itself.

To answer your question "Can they protect EC2 from being attacked by other instances inside AWS?", the answer is YES. That is exactly what they do. They go further than preventing "being attacked". They actually block all traffic unless it is specifically allowed, whether or not that traffic is an 'attack'.
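As an added illustration of the evaluation the answer describes (this is not code from the question, the answer, or AWS; it is a small, constructed model), the script below checks a flow from one instance to another exactly the way the answer lays it out: the initiator needs an outbound rule that covers the destination, and the destination needs an inbound rule that covers the initiator. The rule dictionaries are shaped after the `IpPermissions` / `IpPermissionsEgress` entries that `aws ec2 describe-security-groups` returns, but every group ID (`sg-app`, `sg-bastion`), address and rule here is invented sample data. The model deliberately ignores network ACLs, prefix lists, IPv6 and instances with several network interfaces, and it relies on security groups being stateful, so only the initiating direction is checked.

```python
"""
Toy model of AWS security-group evaluation (added example, constructed data).
It encodes the answer's rule: a flow from instance A to instance B on a port is
allowed only if a group attached to A has an OUTBOUND rule covering B AND a
group attached to B has an INBOUND rule covering A. Rules are shaped after the
JSON of `aws ec2 describe-security-groups`, but none of this came from a real
account. NACLs, prefix lists, IPv6 and multi-ENI instances are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Instance:
    name: str
    ip: str
    groups: list  # security group IDs attached to the instance's ENI


def _rule_matches(rule, proto, port, peer_ip, peer_groups):
    """Does one IpPermission entry cover this protocol, port and peer?"""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" (all traffic) rules carry no port range in the real JSON either.
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    # A peer matches by CIDR, or because one of ITS attached groups is named as
    # the source/destination group. A "self-referencing" rule is just a rule
    # whose UserIdGroupPairs names the group's own ID; there is no "membership".
    for cidr in rule.get("IpRanges", []):
        if ip_address(peer_ip) in ip_network(cidr["CidrIp"]):
            return True
    for pair in rule.get("UserIdGroupPairs", []):
        if pair["GroupId"] in peer_groups:
            return True
    return False


def _permitted(groups, attached, direction, proto, port, peer_ip, peer_groups):
    """Any rule, in any attached group, in the given direction, that matches."""
    key = "IpPermissions" if direction == "inbound" else "IpPermissionsEgress"
    return any(
        _rule_matches(rule, proto, port, peer_ip, peer_groups)
        for gid in attached
        for rule in groups[gid][key]
    )


def can_connect(groups, src, dst, proto="tcp", port=8080):
    """Security groups are stateful: check only the initiating direction,
    but BOTH ends of it (src egress AND dst ingress) must permit the flow."""
    egress_ok = _permitted(groups, src.groups, "outbound", proto, port, dst.ip, dst.groups)
    ingress_ok = _permitted(groups, dst.groups, "inbound", proto, port, src.ip, src.groups)
    return egress_ok and ingress_ok


def build_groups(self_reference, egress_cidr="0.0.0.0/0"):
    """Constructed sample groups (hypothetical IDs). sg-app always admits 8080
    from sg-bastion; with self_reference=True it also admits 8080 from sg-app."""
    inbound = [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]
    if self_reference:
        inbound.append({"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]})
    egress = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": egress_cidr}], "UserIdGroupPairs": []}]
    return {
        "sg-app": {"IpPermissions": inbound, "IpPermissionsEgress": egress},
        "sg-bastion": {"IpPermissions": [], "IpPermissionsEgress": egress},
    }


# Constructed instances: EC2-1 and EC2-2 share sg-app, as in the question.
EC2_1 = Instance("EC2-1", "10.0.1.10", ["sg-app"])
EC2_2 = Instance("EC2-2", "10.0.1.20", ["sg-app"])
BASTION = Instance("bastion", "10.0.0.5", ["sg-bastion"])


def scenarios():
    """Outcome of each case the answer discusses, keyed by scenario name."""
    no_self = build_groups(self_reference=False)
    with_self = build_groups(self_reference=True)
    locked_egress = build_groups(self_reference=True, egress_cidr="10.0.0.0/24")
    return {
        # same group, but no rule names the group itself -> blocked
        "same_group_no_self_rule": can_connect(no_self, EC2_2, EC2_1),
        # same group plus a self-referencing inbound rule -> allowed
        "same_group_with_self_rule": can_connect(with_self, EC2_2, EC2_1),
        # a different group that the inbound rule does name -> allowed
        "bastion_to_ec2_1": can_connect(no_self, BASTION, EC2_1),
        # inbound would allow it, but EC2-2's egress excludes 10.0.1.0/24 -> blocked
        "self_rule_but_egress_blocks": can_connect(locked_egress, EC2_2, EC2_1),
        # port not covered by any inbound rule -> blocked
        "self_rule_wrong_port": can_connect(with_self, EC2_2, EC2_1, port=22),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The two cases to compare are `same_group_no_self_rule` and `same_group_with_self_rule`: both instances carry `sg-app` in both runs, and only the presence of a rule whose `UserIdGroupPairs` names `sg-app` itself changes the verdict. The `self_rule_but_egress_blocks` case shows the other half of the answer's condition: a correct inbound rule on EC2-1 does nothing if EC2-2's outbound rules do not cover EC2-1's address.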

huangapple
  • Posted on 2023-07-03 06:37:57
  • Please keep this link when reposting: https://go.coder-hub.com/76601041.html