Use one AWS security group for home IP access to AWS instances

amazon-web-services

I need to access our company AWS instances from home.
All access is managed by AWS security groups, and I need to change my home IP there every time my provider changes it.
My idea to simplify this routine was to create one security group with all inbound and outbound traffic allowed for my ip, and use this group to grant access permissions to all my instances' security groups.

I tried it with no success.
Can anybody shed some light on this issue?
Thank you!


Solution 1:

It's usually easiest to pay for a static IP. You can use a static IP but it means changing it regularly.

Add your static or dynamic IP to a new security group. Assign that security group to all resources you want to log into. Security groups are additive.

Your question isn't really very clear on what you've done so I can't say what's wrong.

You have replied in comments

I meant that I want to create a group "MyGroup" with rules that allow all traffic in and out, and add this group into all other groups I have in AWS - for examlple, if I want to allow RDP from my IP to the server in "FirstGroup", I just create an inbound rule in FirstGroup, that allows RDP from MyGroup. I hope I made the thing clearer.

A security group is basically a firewall around a single ENI (elastic network interface). It's not a subnet, it's not a proxy, it's pretty simple. Also, AWS networking is not transitive, traffic doesn't hop around like you might want it to.

Your plan will not work unless you have a bastion host / server running in your "MyGroup" security group. If you want a separate security group with your home IP in it (which is what I do in my personal AWS account) you have to make sure every instance has that security group associated with it. Putting a rule in that allows ingress from / egress to that group does not achieve what you're trying to do.

Allowing security groups to reference other security groups is really useful for some things. I often use them as tiers like subnets used to be used in on-premise networks. I'd have a SG for the load balancer, the app server, and the DB server, all allowing appropriate ingress / egress from other SGs and the LB allowing ingress from the internet.

Related

Mobile redirect in nginx with query string
proxy.pac file performance optimization
How to find out UID of Active Directory user?
Will VMware vSphere 5.5 work on a Dell Poweredge R300?
How to fix partition table after virt-resize rearranges it (KVM)?
Install grub on mounted kvm image?
crontab: using ${USER}
Temporary failure in name resolution for local socket
How to delete all namespaces except the kube-system in K3s cluster
How to view if partitions primary or secondary in Linux
Memcached error: SERVER HAS FAILED AND IS DISABLED UNTIL TIMED RETRY
SELinux Issue - git status fatal: Out of memory? mmap failed: Permission denied