Securing AWS Instances



Lately I was trying to publish a web application to the Amazon EC2 cloud. The application follows the classic database/server architecture. To be more specific, I thought of using two t2.medium EC2 instances, one for the web application and the other for the DB. These instances will be used for our staging environment.

As for the DB, we are using a PostgreSQL server. We took this approach instead of using the Amazon RDS service because we wanted to host some other small applications on that specific instance. However, I would not recommend following this approach in your own cases.
The application is served by an Apache2 server on port 80 that loads content from a Django site. The application instance is associated with an Elastic IP, so that we can give it to our client.

The most important part for the EC2 instances is security: how we are going to stay safe from the outside world. Luckily, security groups come in very handy!

The application server has port 80 open to our client's CIDR IP and our company's IPs. We have also opened the SSH port (22) to our company's IPs.

The difficult part was how to secure our DB instance. We do not want any access from the outside, only from the application server. To do so, at first we thought of creating an inbound rule from the Elastic IP to port 5432. However, Amazon was not happy about this choice.
The reason, as explained in the Amazon docs:
"When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. For example, incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group."
Solution:
We created a new inbound custom rule using the security group name of the application server instance. It worked like a charm! Cheers :-)
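
An added example (not part of the original post): a small Python check over inbound rules, in the shape returned by EC2 DescribeSecurityGroups, that flags any source for port 5432 other than the application server's security group. The group IDs and the address 203.0.113.10 are constructed placeholders.

```python
# Added example: audits a DB security group's inbound rules, in the shape
# returned by EC2 DescribeSecurityGroups. All IDs and IPs below are constructed.
APP_SG = "sg-0aaaaaaaaaaaaaaaa"   # hypothetical application-server group
DB_PORT = 5432


def covers_port(perm, port):
    """True if the permission applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":          # "-1" means all protocols and ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_db_ingress(db_group, app_sg=APP_SG, port=DB_PORT):
    """Return (findings, app_allowed) for one security group description."""
    findings, app_allowed = [], False
    for perm in db_group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            findings.append(f"port {port} open to CIDR {rng['CidrIp']}")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"port {port} open to CIDR {rng['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == app_sg:
                app_allowed = True
            else:
                findings.append(f"port {port} open to group {pair['GroupId']}")
    return findings, app_allowed


# First attempt from the post: a rule keyed on the Elastic IP (constructed address).
BY_ELASTIC_IP = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]}

# Working rule from the post: source is the application server's security group.
BY_SOURCE_GROUP = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]}]}

if __name__ == "__main__":
    for name, group in [("elastic-ip", BY_ELASTIC_IP), ("source-group", BY_SOURCE_GROUP)]:
        findings, ok = audit_db_ingress(group)
        print(name, "app allowed:", ok, "findings:", findings)
```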
