AWS Security Groups vs Windows Firewall

Solution 1:

I always do both. It's a matter of who you trust more, Amazon, or yourself.

Perhaps one day the AWS security groups may be broken, disabled, circumvented. In that (unlikely) case, I have a second barrier I can rely on.

And if I accidentally leave something open on one, the other one will still block it. It's a bit like double opt-in, or two-factor authentication.

As far as administering a double set of firewall rules goes, for me it's worth it. It's not that many rules. If you have lots, then you should ask yourself whether that one instance is doing too much anyway, which adds a variety of possible points of failure and complexity.

If you do choose to only set up one, I would do the one you have full control of, the one on your instance.

Solution 2:

Disabling one or the other is not best practice for long term network security. Best security practice is to maintain both a host-resident firewall and an AWS security group on your instance always. This practice is based on the security concept called Defense in Depth. It is a very sound way to build security redundancy in your network.

If you are using a VPC, there is another security layer to consider: Network Access Control List (ACL). A network ACL acts as a firewall for controlling traffic in and out of a subnet.

A useful technique when implementing your initial security architecture on AWS, is to rely only on security groups and/or a host-resident firewall during the design and test phase, to simplify management. As the implementation matures you can add ACL rules as another layer to further protect your network.
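The layering described in Solution 1 and Solution 2 (a slip in one layer is caught by another, and NACLs can be added as the design matures) is easy to reason about in code. The following Python model is an added example, not code from either answer or from AWS; it simplifies each layer to the evaluation rule that matters here (security groups allow-only, NACLs ordered with first match deciding and an implicit deny, Windows Firewall inbound with block rules overriding allow rules and a block default), and all rule sets, CIDRs (documentation ranges) and the `Rule` type are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "-1"  # AWS uses -1 for "all protocols"; constructed constant for this model


@dataclass(frozen=True)
class Rule:
    """One inbound rule in any of the three layers (simplified, not the AWS API shape)."""
    protocol: str          # "tcp", "udp" or ANY
    from_port: int
    to_port: int
    cidr: str              # source CIDR of the inbound traffic
    action: str = "allow"  # security groups only allow; NACLs and host firewalls also "deny"
    number: int = 100      # NACL rule number (evaluation order); ignored by the other layers

    def matches(self, protocol: str, port: int, src: str) -> bool:
        if self.protocol not in (ANY, protocol):
            return False
        if self.protocol != ANY and not (self.from_port <= port <= self.to_port):
            return False
        return ip_address(src) in ip_network(self.cidr)


def security_group_allows(rules, protocol, port, src):
    """Security groups are allow-only: any matching rule admits the packet,
    no match means implicit deny."""
    return any(r.matches(protocol, port, src) for r in rules)


def nacl_allows(rules, protocol, port, src):
    """Network ACLs are ordered: rules are evaluated by ascending number, the
    first match decides, and the trailing '*' rule denies everything else."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(protocol, port, src):
            return r.action == "allow"
    return False


def host_firewall_allows(rules, protocol, port, src):
    """Windows Firewall inbound model (assumption of this example): a matching
    block rule wins over any allow rule; with no matching allow rule the
    profile default (block) applies."""
    hits = [r for r in rules if r.matches(protocol, port, src)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)


def packet_reaches_service(nacl, sg, host, protocol, port, src):
    """Defense in depth: the packet must pass every layer in path order
    (subnet NACL -> instance security group -> host firewall)."""
    return (nacl_allows(nacl, protocol, port, src)
            and security_group_allows(sg, protocol, port, src)
            and host_firewall_allows(host, protocol, port, src))


def world_open_ports(rules):
    """Audit helper: inbound allow rules reachable from any source (0.0.0.0/0)."""
    return sorted({(r.protocol, r.from_port, r.to_port) for r in rules
                   if r.action == "allow" and ip_network(r.cidr).prefixlen == 0})


# Constructed sample data (documentation address ranges, not real infrastructure).
ADMIN_NET = "203.0.113.0/24"  # the operators' office range

# Subnet NACL in the "design and test" state: everything allowed, NACL adds nothing yet.
NACL = [Rule(ANY, 0, 65535, "0.0.0.0/0", "allow", 100)]

# Security group with an accidental slip: RDP (3389) left open to the world.
SG = [Rule("tcp", 443, 443, "0.0.0.0/0"),
      Rule("tcp", 3389, 3389, "0.0.0.0/0")]

# Host firewall on the instance: HTTPS from anywhere, RDP only from the admin range.
HOST = [Rule("tcp", 443, 443, "0.0.0.0/0"),
        Rule("tcp", 3389, 3389, ADMIN_NET)]

# Mature state: the NACL gains a deny for a range the team never expects traffic
# from, numbered below the allow so it is evaluated first.
HARDENED_NACL = [Rule(ANY, 0, 65535, "198.51.100.0/24", "deny", 90),
                 Rule(ANY, 0, 65535, "0.0.0.0/0", "allow", 100)]

if __name__ == "__main__":
    print(world_open_ports(SG))  # the slip shows up in the audit
    print(packet_reaches_service(NACL, SG, HOST, "tcp", 3389, "198.51.100.7"))  # False
    print(packet_reaches_service(NACL, SG, HOST, "tcp", 3389, "203.0.113.5"))   # True
```

The second and third calls show the point of both answers: the security group alone would admit RDP from anywhere, but the host firewall still blocks it, while legitimate admin traffic passes all three layers. `world_open_ports` is the kind of check worth running over each layer's rules periodically, so a slip is found by review rather than by the other layer.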

Solution 3:

I don't know if it's a "best practice" from the community, but Amazon recommends doing it.

"We recommend that you disable Windows Firewall and control access to your instance using security group rules." (Source)