AWS Security Groups and Cloud Security Group Objects

Relationship between AWS Security Groups and Cloud Security Group Objects

A security group in the Amazon Web Services (AWS) console is a collection of rules that act as a virtual firewall for the instances and other entities contained in the security group. A security group can be associated with other security groups, ports, port ranges, IPV4 or IPV6 addresses, subnets, and load balancers.

When you onboard an AWS VPC to Security Cloud Control, AWS security groups are translated into Security Cloud Control cloud security group objects. The AWS console does not support rules that contain more than one source, destination, or port/port range. If you define more than one source, destination, or port/port range within a single rule in Security Cloud Control and deploy, Security Cloud Control translates the rule into separate rules before deploying it to the AWS VPC. For example, if you create an outbound rule in Security Cloud Control that allows traffic from one security group, "A" to another security group "B" and an IPv6 address, Security Cloud Control deploys this to AWS as two separate rules: (1) to allow outbound traffic from security group object A to security group object B and (2) to allow outbound traffic from security group object A to the IPv6 address.

Note that security groups are associated with individual AWS VPCs and cannot be shared across device types. That means that you cannot share a cloud security group object with an ASA, FTD, IOS, SSH, or Meraki device.

Managing Cloud Security Group Objects

You can associate a cloud security group object with different rules in the same VPC. For example, for two cloud security group objects A and B in the same VPC, you can write a rule in cloud security group object A that allows external traffic to cloud security group object B and a corresponding rule in cloud security group object B that allows incoming traffic from cloud security group object A.

You cannot create or delete a cloud security group object from Security Cloud Control. You must create or delete the security group using the AWS console.

If you make changes to a cloud security group object or any firewall rules in the AWS console, Security Cloud Control displays the device status as Conflict Detected. See Out-of-Band Changes on Devices and Resolve Configuration Conflicts for more information about how to resolve the conflict.