Use one AWS security group for home IP access to AWS instances
I need to access our company AWS instances from home.
All access is managed by AWS security groups, and I need to change my home IP there every time my provider changes it.
My idea to simplify this routine was to create one security group with all inbound and outbound traffic allowed for my ip, and use this group to grant access permissions to all my instances' security groups.
I tried it with no success.
Can anybody shed some light on this issue?
Thank you!
Solution 1:
It's usually easiest to pay for a static IP. You can use a static IP but it means changing it regularly.
Add your static or dynamic IP to a new security group. Assign that security group to all resources you want to log into. Security groups are additive.
Your question isn't really very clear on what you've done so I can't say what's wrong.
You have replied in comments:
I meant that I want to create a group "MyGroup" with rules that allow all traffic in and out, and add this group into all other groups I have in AWS - for example, if I want to allow RDP from my IP to the server in "FirstGroup", I just create an inbound rule in FirstGroup that allows RDP from MyGroup. I hope I made the thing clearer.
A security group is basically a firewall around a single ENI (elastic network interface). It's not a subnet, it's not a proxy, it's pretty simple. Also, AWS networking is not transitive, traffic doesn't hop around like you might want it to.
Your plan will not work unless you have a bastion host / server running in your "MyGroup" security group. If you want a separate security group with your home IP in it (which is what I do in my personal AWS account) you have to make sure every instance has that security group associated with it. Putting a rule in that allows ingress from / egress to that group does not achieve what you're trying to do.
Allowing security groups to reference other security groups is really useful for some things. I often use them as tiers like subnets used to be used in on-premise networks. I'd have a SG for the load balancer, the app server, and the DB server, all allowing appropriate ingress / egress from other SGs and the LB allowing ingress from the internet.
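One way to automate what the answer recommends (a dedicated home-IP security group whose /32 rule is replaced when the provider changes the address, then attached to every instance that should accept it), as an added example that is not from the original answer. The group id, instance ids, home IP and RDP port are assumed placeholders; the boto3 calls are the standard EC2 client methods.

```python
import ipaddress

def plan_rule_changes(existing_cidrs, new_ip):
    """Diff the group's current /32 rules against the new home IP.
    Returns (cidrs_to_revoke, cidrs_to_authorize) so only new_ip/32 survives."""
    new_cidr = f"{ipaddress.ip_address(new_ip)}/32"
    revoke = [c for c in existing_cidrs if c != new_cidr]
    authorize = [] if new_cidr in existing_cidrs else [new_cidr]
    return revoke, authorize

def ip_permission(cidr, port, proto="tcp"):
    """Build the IpPermissions entry the EC2 API expects for one CIDR/port."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": "home access"}]}

def groups_with_home(current_groups, home_sg_id):
    """ModifyInstanceAttribute(Groups=...) REPLACES the instance's whole group
    list, so the existing groups must be kept and the home group added once."""
    return sorted(set(current_groups) | {home_sg_id})

def sync_home_access(home_sg_id, instance_ids, new_ip, port=3389, region="us-east-1"):
    """Point the home group's rule at new_ip and attach the group to each instance."""
    import boto3  # imported here so the pure helpers above run without AWS
    ec2 = boto3.client("ec2", region_name=region)
    sg = ec2.describe_security_groups(GroupIds=[home_sg_id])["SecurityGroups"][0]
    existing = [r["CidrIp"] for p in sg["IpPermissions"]
                if p.get("FromPort") == port for r in p["IpRanges"]]
    revoke, authorize = plan_rule_changes(existing, new_ip)
    if revoke:  # drop the stale address first so it loses access immediately
        ec2.revoke_security_group_ingress(
            GroupId=home_sg_id, IpPermissions=[ip_permission(c, port) for c in revoke])
    if authorize:
        ec2.authorize_security_group_ingress(
            GroupId=home_sg_id, IpPermissions=[ip_permission(c, port) for c in authorize])
    # Security groups are additive per ENI: the home group only takes effect on
    # instances it is attached to, so attach it wherever it is missing.
    resp = ec2.describe_instances(InstanceIds=instance_ids)
    for res in resp["Reservations"]:
        for inst in res["Instances"]:
            current = [g["GroupId"] for g in inst["SecurityGroups"]]
            if home_sg_id not in current:
                ec2.modify_instance_attribute(
                    InstanceId=inst["InstanceId"],
                    Groups=groups_with_home(current, home_sg_id))
    return revoke, authorize

if __name__ == "__main__":
    # Assumed placeholder values: substitute your own group id, instance ids and IP.
    print(sync_home_access("sg-0123456789abcdef0", ["i-0123456789abcdef0"], "203.0.113.9"))
```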