I'm trying to find a way to determine Cloudfront Origin Shield IP ranges and was wondering if by any chance it could be "CLOUDFRONT_ORIGIN_FACING" service from https://ip-ranges.amazonaws.com/ip-ranges.json ?
There are quite a few overlapping ranges from different services, its hard to just test this.
Yes, while there is no official confirmation in the documentation, I can't think of any other service with the above service code.
CLOUDFRONT_ORIGIN_FACING can only be referring to Amazon CloudFront Origin Shield.
Overlaps are fine, AWS can & will reuse IPs for various services.
Related
I am trying to find out if it is correct to say that - In AWS we can only perform vulnerability scanning for EC2 instances.
From my research, it seems like there can be pen tests on other AWS services, but vulnerability scanning seems to be focused on EC2? (https://aws.amazon.com/security/penetration-testing/). If so, would it be safe to assume that vulnerabilities scans can be only focused on EC2 instances, but also periodic pen tests on the AWS services listed in the link above?
Any help is appreciated.
You are correct in seeking out pentesting which goes beyond EC2. However, the type of testing (if any) is highly dependent on which specific services you use.
It's very common that pentests do not cover all services only because they are improperly scoped. Not all AWS services will be relevant to a penetration test, but some may be critical. Here are some worthwhile misconfigurations to consider:
S3 - Buckets have their own access controls and unique API. Without insight to bucket names and AWS expertise, a pentester cannot determine if they are misconfigured. It is fairly common for buckets to allow access to AllUsers which is very dangerous.
RDS - You should make sure that databases are not publicly accessible from the internet (for obvious reasons).
Cognito, SNS, SQS - If you are pentesting an application, you will need to take a close look at the permission and configuration of authentication and messaging services (if they are in use). Misconfigurations here can allow someone to self-enroll in applications they shouldn't.
It would be worthwhile to spend some time to evaluate each service and get an understanding of it's attack surface. Here's an AWS pentesting guide for reference.
Let's say I have an imaginary website: https://myimaginarywebsite.com.
If I try to exploit it, and I make massive concurrent GET requests (source is just one ip), would WAF have a feature to prevent this?
Since this is technically valid traffic but abnormal pattern, I'm curious how AWS WAF handles this.
Is there an already built-in WAF feature we can just add to prevent this, or Do we have still have to tune this in WAF?
Yes, WAF can handle HTTP floods with rate based rules.
The AWS Security Automations quick start found here, and associated docs found here, provide a great template starting point and example of some of the features you can configure in AWS WAF.
I am new in the AWS Cloud services.
I assigned a project to prepare a new environment in the cloud, to which my team will later migrate their applications. The Stakeholders have come up with some Technical and Business requirements:
They are concerned about the security of the environment, so they have decided to virtually isolate their network from the rest of the customers and rest of the environments in the same AWS Cloud Account
Which AWS Cloud service I could try to use to implement this requirement?
Please let me know if I need to provide more details.
Thank you in advance.
First of all, I would question why the Stakeholders would assign someone with very little AWS experience the task of creating a secure network from scratch in it, and then reveal they are concerned about how secure it will be. (Nothing personal against you, just seems like a strange approach)
Secondly, this is a deep topic, with multiple answers depending upon the specifics of your Technical and Business requirements...
From what I can gather, at a high level you're trying to implement a multi-VPC setup in a single AWS Account.
In short, there are too many scenarios to go into for a StackOverflow answer. The best advice I could give would be to seek advice from an AWS networking/security architect (or consultant) if that is an option for you. They should be able to review your requirements in detail and formulate an appropriate solution.
I'll give you an idea of the sorts of services/resources you should be looking to read up on if you want to implement a secure multi-VPC network in AWS:
VPC peering connections or Transit Gateway to handle routing between VPCs
NACLs to control layer 3 traffic into and out of your VPCs
Security Groups to control layer 3 & 4 traffic into and out of the instances in your VPCs
We have a bare metal IBM server running a SQL Server database. We also have a wide variety of AWS services (EC2, lambda, API Gateway) in different accounts/regions that need access to the database. Is there any possible way to white list AWS IPs across services without VPC? Obviously you can find the AWS IP ranges, but there are 100s of them, so maintaining the list would be a nightmare. Is there any way to simplify this?
The comments to my question above indicate the real answer to me question, which is simply, "no". They do provide meaningful alternatives, so I am going to consider this question closed.
I am new here and have tried searching but could not get any answers.
I have set up Bit Torrent Sync on an EC2 micro instance with EBS attached.
The server is in Sydney which is where I spend most of my time.
However I do travel a fair bit and would like to have more locations where the files are located.
Is there a way to do this without setting up another EC2 server? I was thinking CloudFront may be helpful here but I do not know how to set it up.
Any other ideas?
Thanks in advance.
Well there's a couple of ways you can do this:
You can setup S3 with Cloudfront. Basically, you copy your static files to an S3 bucket (Global works good) and then say from the AWS console you can go to CloudFront and create a distribution for that specific bucket.
Point the the CloudFront distribution to the web server where you are hosting your files (Assuming you are using HTTP or HTTPs)
You can also specify a custom CNAME Record that you can use on your domain to point to the CloudFront distribution.
Furthermore for improved performance you can use: All Edge Locations when creating your CloudFront distribution.
Hope this helps.