I have an EC2 instance with a security group that only allows RDP. It is the only rule of the security group.
If I do the following...
- Start an RDP session to the EC2 instance.
- Remove the RDP rule from the security group, leaving the security group without any ingress rule.
...the existing RDP session continues to work fine indefinitely even when there are no Ingress rules in the attached security group.
My expectation was that the RDP session was severed as soon as the change in the security group was deployed.
Why is that happening? I first thought that the reason was because the egress rule of the security group was a 0.0.0.0/0, but I also tried changing the egress IP to 1.2.3.4/32 (i.e. a random IP) and the existing RDP session still survives.
So to summarize, it seems that when I remove the RDP rule only new connections are blocked but existing connections continue to work fine.
CodePudding user response:
It sounds like RDP sessions continue to run on the host even when a client stops communicating with it. This can be useful because things keep happening if a client drops out.
It looks like you can configure a timeout for idle RDP sessions using Session Time Limits | Microsoft Docs in Group Policy settings:
Policy settings in this node control time limits for Remote Desktop Services sessions on a Remote Desktop Session Host server.
CodePudding user response:
Because a security group is a stateful firewall. Traffic initiated by an inbound request is not limited by the outbound rules. I suspect the rule is inspected once, at the beginning of the transmission, and the response traffic is then allowed without any extra rule checking.
Access control lists (ACLs) are stateless. I did not test it, but I expect that removing the rule from the ACL would cut the response traffic immediately. In order to work, stateless firewalls must check the inbound and outbound rules for every packet.
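The difference between the two answers above comes down to connection tracking. The following is an added example, not code from the original thread or from AWS: it is a small Python model of a stateful filter (a security group, which remembers flows it has already admitted) next to a stateless one (a network ACL, which evaluates every packet against the current rule set). The addresses, ports and rule objects are constructed for the simulation, and the model treats every admitted flow as tracked; it does not reproduce every detail of how AWS tracks connections, only the behaviour the thread describes. It replays the exact experiment from the question: open an RDP flow, delete the inbound RDP rule, narrow the egress rule to 1.2.3.4/32, and see whether the established flow and a brand-new connection still pass.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the simulation (not from the original post).
INSTANCE = "10.0.0.10"     # the EC2 instance's private address
CLIENT = "203.0.113.5"     # the RDP client (TEST-NET-3 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    @property
    def inbound(self) -> bool:
        """True when the packet is headed toward the instance."""
        return self.dst == INSTANCE


@dataclass(frozen=True)
class Rule:
    inbound: bool   # True = ingress rule, False = egress rule
    cidr: str       # remote address range the rule applies to
    port: int       # destination port; 0 means any port

    def matches(self, pkt: Packet) -> bool:
        if pkt.inbound != self.inbound:
            return False
        # Ingress rules are keyed on the sender, egress rules on the receiver.
        remote = pkt.src if self.inbound else pkt.dst
        if ipaddress.ip_address(remote) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port == 0 or self.port == pkt.dport


def flow_key(pkt: Packet) -> frozenset:
    """Direction-independent identifier shared by both halves of a flow."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class StatelessFilter:
    """Network ACL behaviour: every packet is checked against the current rules."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.rules)


class StatefulFilter(StatelessFilter):
    """Security group behaviour: rules are consulted only for packets that are
    not part of a flow the filter has already admitted."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        key = flow_key(pkt)
        if key in self.flows:
            return True           # tracked flow: rules are not re-evaluated
        if super().allow(pkt):
            self.flows.add(key)   # remember the flow for its return traffic
            return True
        return False


def run_scenario(filter_cls) -> dict:
    """Replay the question's experiment and return the verdict for each step."""
    rdp_in = Rule(inbound=True, cidr="0.0.0.0/0", port=3389)
    all_out = Rule(inbound=False, cidr="0.0.0.0/0", port=0)
    fw = filter_cls([rdp_in, all_out])

    syn = Packet(CLIENT, INSTANCE, 50123, 3389)       # client opens RDP
    reply = Packet(INSTANCE, CLIENT, 3389, 50123)     # instance answers
    verdicts = {"syn": fw.allow(syn), "reply": fw.allow(reply)}

    # Delete the only ingress rule and narrow egress to a random /32,
    # exactly as the question describes.
    fw.rules = [Rule(inbound=False, cidr="1.2.3.4/32", port=0)]

    verdicts["established_in_after_change"] = fw.allow(syn)     # more client data
    verdicts["established_out_after_change"] = fw.allow(reply)  # more server data
    new_syn = Packet(CLIENT, INSTANCE, 50999, 3389)             # a fresh connection
    verdicts["new_connection_after_change"] = fw.allow(new_syn)
    return verdicts


if __name__ == "__main__":
    for cls in (StatefulFilter, StatelessFilter):
        print(cls.__name__, run_scenario(cls))
```

Running it shows the stateful filter still passing both directions of the established flow after the rules are gone while refusing the new connection, and the stateless filter dropping the established flow in both directions the moment the rules change. That is the reason the question's RDP session survives a security-group edit, and it is why a network ACL deny rule (or terminating the session on the host) is what actually severs an already-open connection.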
