I am using a blanket rate-based rule on AWS WAP, and I need to whitelist github actions.
I can create an ip set with the github actions ip addresses mentioned on their meta page and then add a statement to the web acl rule to ignore that ip set.
Is this an efficient way to whitelist github actions as there are 2572 ip addresses?
Related
I have an Elastic Beanstalk environment which is a Node API. I also have a Angular web app outside of AWS on domain: www.example.com
How would I go about making it so only calls made from 'www.example.com' to the AWS environment(Node API can be accessed?
I am familiar with AWS security groups but it doesn't handle domain whitelisting (Only IP's). Since users will be on different IP's using www.example.com I need to whitelist by domain and not IP.
Any help would be greatly appreciated!
Without blocking via IP your only choice is to look at attaching a WAF to the ALB in your Elastic Beanstalk environment.
By doing this you can allow only traffic that matches a set of conditions, if there is a particular header that your requests include when they make requests to the backend then you can allow requests from these sources.
Assuming the request to the API is made from the frontend you should have a referrer header which contains the source of the previous page. You could whitelist this domain in the WAF.
I tried to unblock port 25 on my ec2 instance so I could send emails and I was asked to provide this:
A statement of the security measures and mechanisms you will be implementing to avoid being implicated in the sending of unwanted mail (Spam)
What does this mean, like what is an example of those security measures? I have no idea what I'm supposed to respond to with that. All I plan on doing is sending emails to verify email accounts and change passwords for user accounts on my website.
AWS actually restricts access to this port for security reasons. The suggestion is try using another port if you can (for example SES works over port 587 as well).
You can however request that this restriction is removed, to do this you will need to do the following steps:
First, create a corresponding DNS A record:
If you're using Amazon Route 53 as your DNS service, either create a new resource record set that includes an A record, or update your existing resource record set to include a new A record.
If you're using a service other than Amazon Route 53, ask your DNS provider to create an A record for you.
Then, request AWS to remove the port 25 restriction on your instance:
Sign in with your AWS account, and open the Request to Remove Email Sending Limitations form.
In the Use Case Description field, provide a description of your use case.
(Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound emails as well as any reverse DNS records that AWS needs to associate with the Elastic IP addresses. With this information, AWS can reduce the occurrences of emails sent from the
Elastic IP addresses being marked as spam.
Choose Submit.
There are two IP addresses (172.31.42.243 and 172.31.19.188) that are hitting my site in AWS (Beanstalk hosted) repeatedly with garbage requests.
I have tried to block them using ACL deny rules. If I add only one I'm still able to hit my site. If I add both then I'm not able to hit my site.
Both the deny rules are using /32 for the CIDR notation and the deny rules I added are lower numbers than the default allow all rule. What am I doing wrong?
Those aren't the IP addresses of the machines that are attacking you; those are the internal IP addresses of your ELB. That's also why you can't access your site after blocking them - no one can!
You need to look at the access logs on the ELB, not on your application server, to determine which IP address(es) are attacking you. You can configure access logging on your ELB on the "Description" tab, under "Attributes".
I have an ELB which balances some EC2 instances.
The ELB exposes the endpoints of the entire system.
Now I am creating a CloudFront distribution over this ELB.
Is there a way to allow users to connect ONLY using CloudFront endpoint and refuse direct connections to ELB?
Thanks
You would have to restrict the security group to the list of IP address ranges used by CloudFront. This is a subset of the list published here.
Unfortunately that list is subject to change, so you can't just set it once and forget it. Amazon has published a tutorial here that walks you through setting up a Lambda function that will automatically update your security group when Amazon publishes an updated IP list.
Unfortunately there is no straight forward way to do that right now.
ELB access can only be limited by IP ranges. You could try to limit the ELB to CloudFront's IP ranges, but this is rather brittle and changes frequently. If a new IP range is introduced, you may end up accidentally blocking CloudFront. I would say that this approach is not advisable, but I've seen it done when the requirement was mandatory. And it did break a few times.
You can set up a automated security group that only allows Cloudfront IP's and let a Lambda function to update it when Cloudfront IP ranges change. On my blog post, you can find a complete Cloudformation template that will set this up for you:
https://medium.com/cagataygurturk/restricting-elb-access-to-cloudfront-8b0990dea69f
If there is no record in R53 that uses your Load Balancer, and only cloudfront defines Alternate Domain Names (CNAMEs) used by your Load Balancer, then you can associate a WAF ACL with your Load Balancer that drops any request that does not match the Alternate Domain Names.
In that case, you force using the CloudFront Distribution for your Load Balancer.
AWS blogs have a solution for this scenario.
What it does is basically creating a lambda function that subscribes to a SNS topic which receives notifications for AWS IP address range changes (this topic is owned by AWS). This lambda then updates the ELB/ALB security group dynamically. Lambda code is available here.
Starting 2022 AWS finally provides a solution for this problem with managed prefix-lists.
You can create an inbound security rule and under source directly specify the prefix list, instead of manually providing IP-Addresses:
To make your server reachable only from Cloudfront Servers follow these steps:
Go to https://console.aws.amazon.com/vpc/home#ManagedPrefixLists
Choose your region (The region of your Load Balancer) and search for "com.amazonaws.global.cloudfront.origin-facing" and copy the id (e.g. "pl-a3a144ca" for europe-central-1)
Edit your security group for the Load-Balancer and add a new Entry with Type: HTTP and as source paste the prefix-list-id from step 2
Now your security group will automatically always use the current IP-Addresses from Cloudfront, now updating necessary. - A caveat: The prefix list counts as ~50 rules against the rules-limit for a security group. If you have a lot of other custom rules, you will likely have to create a second security group with the other rules if this one is full.
As of February 2022 there is a simpler solution. AWS now manages a prefix list for Cloudfront which auto updates.
For details: https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
does anyone know how to add your cloudfront distro into the security group inbound rules for an ELB?
We have a cloudfront distro setup for a new site which has a whitelisted set of security group rules for its origin. I cant see how to configure the security group to allow requests from the cloudfront distro...
any ideas?
If you follow the link provided by Amir Mehler in the comments above, the author of the blog points to an official AWS Lambda function on Github that will update a security group with the CloudFront IPs. I used this, and it works great.
If you don't like Lambda, you could do it manually.
Note When trying to use the sample test config for the first time, update the MD5 to match the hash of the current ip-ranges.json file, or it will error.
Beginning February 2022, you should use AWS Managed Prefix List. They are a list of IPs managed by AWS, and kept up to date by them, that you can use in your route tables and security groups.
Be advised, the Amazon CloudFront managed prefix list counts as 55 rules in a security group. The default quota is 60 rules, leaving room for only 5 additional rules in a security group. You should request a quota increase for this quota. It counts as 55 routes in a route table. The default quota is 50 routes, so you must request a quota increase before you can add the prefix list to a route table.
When you say "add origin" in Cloudfront distribution and click the "Origin Domain Name" box, it lists all your AWS resources from this account (including ELB). You can just choose it.
However the security group associated with your ELB should allow public access (HTTP/HTTPS, 0.0.0.0/0). This is not any less safe, since anyway you want public to access the ELB via cloudfront. Moment you make things available via a CDN, it is for public access. I have been configuring the ELB security groups this way. Open to other suggestions !
Now for the security group of the EC2s behind the ELB: Here you should not allow public access. Instead allow only access from ELB's security group (you can achive this by selecting the ELB security group from the list, instead of keying in an Inbound IP address.
Now, this can be configured little differently if the origin is S3. Here you need not make the bucket public. Instead restrict access to the bucket using Bucket policy (not any security groups here) allowing only IAM origin access identity. More info here - Serving Private Content through CloudFront - Amazon CloudFront
I have solved it with the help of this post: Automatically update security groups for Amazon CloudFront IP ranges using AWS Lambda
It is a step-by-step tutorial, very detailed, a bit outdated already but you won't get lost.
Only drawback is that each time the Lambda function creates a new security group you will have to attach it to your EC2 instance or ELB manually. Maybe this can also be solved in an efficient way automatically, but the blog post doesn't mention it.
This is more of a question than an Answer but embedded in it is how I would do it:
Step 1: Get data from here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html -> http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
Step 2: Create Security group with data...
Question part:
Why the hell does the AWS API has a limit on the number of rules that is LESS than the number of endpoints of its services...
This is what happens when you call the API(which is how I ended up here):
HTTP: 400 ->