I have a Node.js app running on AWS Elastic Beanstalk. I have set up a domain pointing to a CDN distribution, which is pointing to the EBS. But the web app is also accessible via the ELB URL directly. I want to block public access to the EBS URL. How can I achieve that?
Create a custom security group that allows only the IP address of the CDN. Create an .ebextensions file that will configure the environment to use your custom security group.
See: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-elastic-beanstalk/
Your CDN provider should publish their public IP addresses; for example, here is Cloudflare's list: https://www.cloudflare.com/ips/
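As an added example that is not part of the answer above: the allow-list only works if it is kept in sync with what the CDN publishes, and stale entries are just as dangerous as missing ones, because an address AWS no longer hands to CloudFront can end up on somebody else's instance. The script below takes an ip-ranges.json style document (the sample embedded here is constructed, not real AWS data), keeps only the CLOUDFRONT entries, builds the IpPermissions payload used by `aws ec2 authorize-security-group-ingress` / `revoke-security-group-ingress`, and diffs it against the CIDRs currently on the group. The field names follow the public AWS ip-ranges.json format; everything else (port 443, the rule description) is an assumption for this example.

```javascript
// Added example: keep an origin security group in sync with CloudFront's
// published address ranges. Constructed sample of ip-ranges.json (not real data).
const SAMPLE_IP_RANGES = {
  syncToken: "1700000000",
  prefixes: [
    { ip_prefix: "203.0.113.0/24", region: "GLOBAL", service: "CLOUDFRONT" },
    { ip_prefix: "198.51.100.0/25", region: "GLOBAL", service: "CLOUDFRONT" },
    { ip_prefix: "192.0.2.0/24", region: "us-east-1", service: "EC2" },
  ],
  ipv6_prefixes: [
    { ipv6_prefix: "2001:db8:1::/48", region: "GLOBAL", service: "CLOUDFRONT" },
  ],
};

// CloudFront ranges only, de-duplicated and sorted so output is stable
// regardless of the order AWS lists them in.
function cloudfrontRanges(doc) {
  const v4 = doc.prefixes.filter(p => p.service === "CLOUDFRONT").map(p => p.ip_prefix);
  const v6 = doc.ipv6_prefixes.filter(p => p.service === "CLOUDFRONT").map(p => p.ipv6_prefix);
  return { v4: [...new Set(v4)].sort(), v6: [...new Set(v6)].sort() };
}

// IpPermissions payload for authorize-/revoke-security-group-ingress:
// one TCP rule on `port` per CIDR (IPv4 and IPv6 use different keys).
function ingressPermissions(ranges, port) {
  const rule = { IpProtocol: "tcp", FromPort: port, ToPort: port };
  return [
    ...ranges.v4.map(c => ({ ...rule, IpRanges: [{ CidrIp: c, Description: "CloudFront" }] })),
    ...ranges.v6.map(c => ({ ...rule, Ipv6Ranges: [{ CidrIpv6: c, Description: "CloudFront" }] })),
  ];
}

// Diff the CIDRs currently on the group against the published set.
// `add` must be authorized; `stale` must be revoked, not left in place.
function planSync(currentCidrs, ranges) {
  const desired = new Set([...ranges.v4, ...ranges.v6]);
  const current = new Set(currentCidrs);
  return {
    add: [...desired].filter(c => !current.has(c)).sort(),
    stale: [...current].filter(c => !desired.has(c)).sort(),
  };
}

// Demo run: a group that has one current CloudFront range plus a leftover
// internal range that should not be there.
const demoRanges = cloudfrontRanges(SAMPLE_IP_RANGES);
console.log(JSON.stringify(planSync(["203.0.113.0/24", "10.0.0.0/8"], demoRanges), null, 2));
console.log(JSON.stringify(ingressPermissions(demoRanges, 443), null, 2));
```

Two practical caveats when running this against the real document: CloudFront publishes more CIDRs than fit under a single security group's default inbound rule quota, which is why AWS's own documented approach spreads them across several groups, and AWS also provides a managed prefix list for CloudFront's origin-facing addresses (com.amazonaws.global.cloudfront.origin-facing) that can be referenced in one rule instead of copying CIDRs. Either way, the `syncToken` should be stored and compared so the group is only rewritten when the published set actually changed.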
I am running a Spring Boot application (as a RESTful web service), dockerized on an EC2 instance. If I start the container, everything is working fine, but only with HTTP, e.g. http://ec2-54-93-55.eu-central...com
I already tried setting up the Security Groups of my EC2 Instance, where I enabled HTTPS, but it still does not work.
Now I want to add an SSL certificate to my instance with the AWS Certificate Manager. The problem now is that I need a hosted domain for this, and I cannot use the domain of my EC2 instance.
I tried setting it up as api.mydomain.com and it is verified now. How can I now connect my EC2 Instance with this domain?
I tried creating an alias in Route 53 by routing api.mydomain.com to the EC2 public DNS. But this did not work either.
You will not be able to attach an ACM public certificate to your EC2 instance, as they are required to be attached to one of these resources:
CloudFront
Elastic Load Balancer.
Once these are configured you will need to update the DNS record on your hosting provider to target the CNAME of whichever of these resources they use.
If you were using Route 53 as your hosting provider, you would add your record to the public hosted zone for that domain; however, this process is slightly different for each DNS provider.
I use the Google Places API, and I need to put a restriction on my API keys, more specifically an IP restriction, because the calls are from a web server.
I am using AWS Elastic Beanstalk with an environment where I have a load balancer, autoscaling, and a VPC, so the IP address changes every time a new EC2 server is created.
My question is :
How do I put a static IP (Elastic ?) on my environment?
I have found many similar posts like this one (https://stackoverflow.com/a/49200693/3954420) or this one (https://medium.com/@obezuk/how-to-use-elastic-beanstalk-with-an-ip-whitelisted-api-69a6f8b5f844) where I have to create a NAT Gateway.
But it requires at the end to type a target IP address, and unfortunately the Google API server IPs are not static.
How can I use a NAT Gateway, or is there another way?
Thanks
I currently have an Elastic Beanstalk web app within a VPC which I'd like to put behind a WAF. In order to do this I've added CloudFront with the WAF looking at that. For security, I've enabled access to the Elastic Beanstalk app only from the AWS CloudFront IP addresses, which I have done using security groups (auto-updating when these IP addresses change).
However, what is to stop someone else adding my EB app web address to their own CloudFront instance? Would this bypass my IP address limitations on the VPC security group and give them access without going through my WAF?
I think what might help here is to add some secret custom header in your CloudFront distribution (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html), and make your origin check for the presence of the header. This will ensure that only your distribution can get data from your origin server.
AWS has come up with a new service, AWS Certificate Manager. One thing I got from the description is that if we use this service we don't have to pay for the certificate anymore.
They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.
Is there any way to use the certificate with EC2?
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
https://aws.amazon.com/certificate-manager/faqs/
You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.
You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.
No, you cannot use AWS Certificate Manager for deploying certs on EC2. The Certificate Manager certs can only be deployed against CloudFront and Elastic Load Balancer. In order to use it on EC2, you need to put an ELB in front of EC2, so that the request from the client to the load balancer will be HTTPS protected and from the ELB to the EC2 web server will be on HTTP.
If you are using an AWS ACM cert for internal purposes only, then you could probably use AWS ACM Private CA to issue the certs. (I think you can use it for public/external traffic as well if your root CA is a publicly trusted CA.)
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html
During application/EC2/container startup, add a step to export your ACM Private CA issued cert/private key to your destination and start referring to that for serving the traffic.
https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html
One good thing is that you can control who can call the export-certificate feature using an IAM role, so not everyone can download the private key of the cert.
One downside with this is that Private CA is an expensive AWS service ($400/month).
https://aws.amazon.com/certificate-manager/pricing/
Adding to the comments above: you can't use AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to EC2 on a Windows server running IIS, and it's pretty easy:
Associate an Elastic IP with your EC2 instance.
Make sure you have a registered domain. You can't use ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.
Through your domain provider's DNS settings, have your domain point to your Elastic IP.
Connect to your EC2 instance and add your domain name to the site bindings.
Go to https://github.com/PKISharp/win-acme/releases
Look under Assets and use the latest version (win-acme.v2.0.10.444.zip, for example). This is the only asset that you need.
Unzip the folder, open a terminal as administrator, and cd into the unzipped folder.
Run wacs.exe and follow the prompts.
Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.
I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help; it's the same idea.
https://www.youtube.com/watch?v=fq5OUOjumuM
Also this article might be helpful:
https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows
I have a root domain like example.com. It's now hosted on Amazon S3. For that I followed this tutorial:
http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html
What would I have to do to have a subdomain like client.example.com point to an EC2 instance?
client.example.com => ec2-XXX.us-west-2.compute.amazonaws.com
Is there a tutorial out there explaining the steps?
Two simple steps:
You would just need to add a new 'A' record to assign the EC2 IP address to that subdomain in your Amazon Route 53 DNS (or whatever DNS provider you are using); very simple to do. Step one will have requests for that subdomain routed to the EC2 instance.
Step 2 is to tell the web server you are running, when it receives a request for that subdomain, what website it should serve up to the user; you do this by 'binding' the name to the directory/location that has the website on your EC2 instance.
You may also want to read over the following from AWS
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-ec2-instance.html
It would also be better practice to assign your EC2 instance an Elastic IP address and then forward requests to that IP.
"We recommend that you also create an Elastic IP address and associate it with your Amazon EC2 instance. An Elastic IP address ensures that the IP address of your Amazon EC2 instance will never change."