Multiple EC2 security groups - permissive or restrictive?

Solution 1:

Permissive.

According to AWS here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules

If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.

Solution 2:

If an instance has multiple security groups, it has the sum of all rules in the various groups.

For example, lets say I have a class of instances that will only ever talk to other instances in the same account. I also have a class of instances that will only accept traffic via http (port 80).

This is a perfect situation for AWS Virtual Private Cloud. Put the internal instances in private subnets, and the public-facing instances in public subnets.


Solution 3:

Here's the response from AWS documentation support. They said they would update the documentation:

I found a couple of discussion forum posts that address similar issues with conflicting rules within one or more security groups:

https://forums.aws.amazon.com/thread.jspa?messageID=221768

https://forums.aws.amazon.com/thread.jspa?messageID=349244&#349244

When multiple security groups are applied to an instance, the rules are aggregated to create one large set of rules. In EC2, security group rules are only permissive, in other words, you cannot add any DENY rules. What this means is that the most permissive rule will always apply. For example, if you have a security group that allows access to port 22 from IP address 10.10.10.10, and another security group that allows access to port 22 from everyone, everyone will have access to port 22 on the instance.