Skip to main content

 

 

Cisco Defense Orchestrator

AWS Security Groups and Cloud Security Group Objects

Relationship between AWS Security Groups and Cloud Security Group Objects

A security group in the Amazon Web Services (AWS) console is a collection of rules that act as a virtual firewall for the instances and other entities contained in the security group. A security group can be associated with other security groups, ports, port ranges, IPV4 or IPV6 addresses, subnets, and load balancers.  

When you onboard an AWS VPC to CDO, AWS security groups are translated into CDO cloud security group objects. The AWS console does not support rules that contain more than one source, destination, or port/port range. If you define more than one source, destination, or port/port range within a single rule in CDO and deploy, CDO translates the rule into separate rules before deploying it to the AWS VPC. For example, if you create an outbound rule in CDO that allows traffic from one security group, "A" to another security group "B" and an IPv6 address, CDO deploys this to AWS as two separate rules: (1) to allow outbound traffic from security group object A to security group object B and (2) to allow outbound traffic from security group object A to the IPv6 address. 

Note that security groups are associated with individual AWS VPCs and cannot be shared across device types. That means that you cannot share a cloud security group object with an ASA, FTD, IOS, SSH, or Meraki device. 

Managing Cloud Security Group Objects

You can associate a cloud security group object with different rules in the same VPC. For example, for two cloud security group objects A and B in the same VPC, you can write a rule in cloud security group object A that allows external traffic to cloud security group object B and a corresponding rule in cloud security group object B that allows incoming traffic from cloud security group object A. 

You cannot create or delete a cloud security group object from CDO. You must create or delete the security group using the AWS console. 

If you make changes to a cloud security group object or any firewall rules in the AWS console, CDO displays the device status as Conflict Detected. See Detecting Out-of-Band Changes and Resolve Configuration Conflicts for more information about how to resolve the conflict.

Related Articles: 

  • Was this article helpful?