After searching previous questions here, the general consensus seems to be if an instance that I own is assigned a private IP of 10.208.34.55, that only OTHER INSTANCES I OWN can reach it at that address. See:
How to encrypt traffic between two Amazon EC2 instances?
Is that correct? So I can treat all my instances as if they are on a LAN and authenticate and trust any machine coming from 10.XXX.XXX.XXX because I am sure I own it?
I just want to be sure. I'm finding that Amazon seems to be rather more interested in waxing poetic about The Cloud and their 3-character abbreviations than actually providing clear technical documentation.
Amazon EC2 provides security groups which your instance is a part of, then this allows you to grant permissions to other groups of hosts on your account or other external hosts. See the [User Guide][1] -> Concepts -> Network security for a little overview.
Normally in the "default" security group you have full access to other members in the group (i.e. all of your other default hosts) and no external inbound access. Other hosts inside EC2 that are on other accounts, or on your account but not in the "default" group, will not be able to access your instance.
You can add rules for a security group to grant access to other security groups, or add rules to grant access to IP addresses/ranges.
To answer your question a bit more directly: so long as your security group rules only allow access from the same group, then your instances should be firewalled from access by any other customer, even though they share the same IP space.
[1]: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ "EC2 User Guide"
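One way to turn the condition in that last paragraph into a check, as an added example that is not part of the original answer: a Python function that walks a security group's ingress rules (constructed sample data in the shape of `describe-security-groups` output, with placeholder group and account IDs) and reports every rule whose source is not the group itself in your own account, including any 10/8-style CIDR, since that address space is shared with other tenants.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (IpPermissions entries carrying IpRanges and UserIdGroupPairs). IDs are placeholders.
SAMPLE_GROUP = {
    "GroupId": "sg-example01",
    "OwnerId": "111111111111",
    "IpPermissions": [
        # Rule 1: all traffic from the group itself (the "default" group pattern)
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-example01", "UserId": "111111111111"}]},
        # Rule 2: SSH from the whole private 10/8 block, i.e. from any EC2 tenant
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        # Rule 3: SSH from a security group that belongs to another account
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-example99", "UserId": "222222222222"}]},
    ],
}


def _port_label(perm):
    """Describe the protocol/port range of one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_ingress(group):
    """Return findings for ingress rules that admit traffic from outside the group.

    Only a source equal to the group itself, in the same account, is trusted.
    Every CIDR source (private ranges included, because 10/8 is shared across
    EC2 tenants) and every group from another account produces a finding.
    """
    findings = []
    own_id, own_account = group["GroupId"], group["OwnerId"]
    for perm in group.get("IpPermissions", []):
        label = _port_label(perm)
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            scope = "private" if net.is_private else "public"
            findings.append(f"{label}: open to {scope} CIDR {net} (not tied to your account)")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("UserId") != own_account:
                findings.append(f"{label}: open to group {pair['GroupId']} in account {pair['UserId']}")
            elif pair.get("GroupId") != own_id:
                findings.append(f"{label}: open to other group {pair['GroupId']} in your account")
    return findings


if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_GROUP):
        print("WARN", line)
```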
Gareth - I assume both groups have the SSH port open, thus successful SSH from one account to the other does not indicate your conclusion. The idea is simple - within a security group - all ports are open - outside access - is per your definition - and for that matter, another group in Amazon is just the same as external access.
The answer is a resounding NO - I have multiple EC2 accounts, and just tried logging into one of my instances on account A from another instance on account B. I was able to SSH from B to A with no problems (other than needing the SSH key for account A).
You should assume that anybody on your 10.0.0.0/8 can access your instances, regardless of what EC2 account they are using.