Do we need both security groups and server-side firewall in AWS EC2?

EC2 security groups look awesome, but I am quite new to the AWS system, that's why I am asking this question. Do I also need to set up a server firewall while having an AWS security group? My main point is that in the AWS system, can other accounts access my server? Because if all the AWS accounts are inside of security groups, then internal hacking is possible??? E.g. my server is www.abc.com, and another person has a server account (www.hello.com), so can the hello.com server access my server through ports which are filtered by the security group???


Solution 1:

AWS security groups are like a firewall for the EC2 instance, and AFAIK (and tested) 2 machines within the same VPC cannot see ports in their internal network unless you change your security group policy.

e.g.

EC2 www.abc.com with private IP 10.10.10.5/24
EC2 www.hello.com with private IP 10.10.10.6/24

They are in the same network; however, they cannot see each other's port 22 unless you add an Inbound rule in their security group for network 10.10.10.0/24 (or hosts 10.10.10.5, 10.10.10.6).

Please consider this: security group policies are applied to EC2 instances, not to VPCs:

When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups.

Regarding your question, do I need a firewall (e.g. IPTables) in my EC2 instance apart from my security groups? The answer depends on how much time you want to spend configuring security and what you need. Having both is more secure and they can complement each other: IPTables (or any other firewall) allows you to log possible attacks and you can even add dynamic rules. However, if what you are looking for is just to block some ports, I'd only go with the security group configuration... You should check on this
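To make the allow-list behaviour concrete, here is an added example (not code from the answer above) that simulates how an inbound security group evaluates a packet, using the `IpPermissions` shape returned by `aws ec2 describe-security-groups`. The two security groups, the instance addresses and the external address 203.0.113.9 are constructed for the demonstration.

```python
"""Simulate inbound evaluation of an EC2 security group (constructed example).

Rules use the IpPermissions layout from `aws ec2 describe-security-groups`:
IpProtocol ("tcp", "udp", or "-1" for all), FromPort/ToPort, IpRanges[].CidrIp.
Security groups are allow-lists: a packet with no matching inbound rule is
dropped, so two instances in the same subnet cannot reach each other's
port 22 until a rule explicitly permits it.
"""
import ipaddress


def rule_allows(rule, src_ip, proto, port):
    """True if a single IpPermissions entry permits this packet."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" (all traffic) rules carry no port range; others must cover the port.
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def inbound_allowed(sg_inbound, src_ip, proto, port):
    """Default deny: the packet passes only if some rule matches it."""
    return any(rule_allows(r, src_ip, proto, port) for r in sg_inbound)


# Constructed group for www.abc.com (10.10.10.5): only HTTP from anywhere.
WEB_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Same group after adding the rule the answer describes: SSH from the subnet.
WEB_PLUS_SUBNET_SSH = WEB_ONLY + [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.10.10.0/24"}]},
]

if __name__ == "__main__":
    hello = "10.10.10.6"  # www.hello.com, same subnet as www.abc.com
    print(inbound_allowed(WEB_ONLY, hello, "tcp", 22))                     # False
    print(inbound_allowed(WEB_PLUS_SUBNET_SSH, hello, "tcp", 22))          # True
    print(inbound_allowed(WEB_PLUS_SUBNET_SSH, "203.0.113.9", "tcp", 22))  # False
```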