Overview: Users will be logging into a Windows EC2 instance directly from their source IP, and the source IP tends to change often.
Current State: We have provided IAM users access to modify/create/delete security groups.
Need: Users have the option to add wide-open security group rules, which expose unnecessary vulnerabilities.
Is there a way to restrict users from adding wide-open inbound access (0.0.0.0) to security group rules, or to restrict them to adding only their own source IP to the inbound rules of the security group?
My initial findings: I checked the IAM docs and didn't find any way to achieve this. Is there a better workaround than getting an alert/notification after they have already added a wide-open security group rule?
Unfortunately, you've combined two separate things: who can configure security groups (which is managed by IAM permissions), and how security groups are configured (which is up to EC2). You can't do what you've asked for in IAM alone.
This example on the AWS blog shows how you can use Systems Manager to remediate security groups automatically. It's possible that AWS Firewall Manager can help too, but I haven't used it myself.
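Since IAM cannot express "only your own /32", the practical control is the remediation the answer points at: something that finds wide-open inbound rules and revokes them. The following is an added example, not code from the original answer or from the linked AWS blog post. It keeps the decision logic as pure functions over the JSON shape that `describe_security_groups` returns, so it can be exercised offline; the `boto3` client calls in `revoke_wide_open` (`describe_security_groups`, `revoke_security_group_ingress`) are the real method names, but the sample security group, its IDs and the `public_ports` allow-list are constructed for illustration.

```python
"""Find and revoke wide-open (0.0.0.0/0 or ::/0) inbound security-group rules.

Added example. Decision logic is separated from the AWS call so it can be
tested against a constructed describe_security_groups response.
"""
from typing import Any

WIDE_OPEN_V4 = "0.0.0.0/0"
WIDE_OPEN_V6 = "::/0"

# Constructed sample: one RDP rule with a legitimate /32 plus a stray 0.0.0.0/0,
# one HTTPS rule intentionally public, and one "all traffic" rule open to IPv6.
SAMPLE_SG: dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "rdp-access",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "alice"},
                      {"CidrIp": "0.0.0.0/0", "Description": "temp"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ],
}


def wide_open_permissions(group: dict[str, Any],
                          public_ports: frozenset[int] = frozenset()) -> list[dict[str, Any]]:
    """Return IpPermissions entries holding only the wide-open ranges of a group.

    The result has exactly the shape revoke_security_group_ingress expects, so
    narrow ranges sharing the same rule (e.g. alice's /32) are left in place.
    A single-port TCP/UDP rule whose port is in public_ports is tolerated
    (e.g. 443 on a public web tier); everything else open to the world is flagged.
    """
    found: list[dict[str, Any]] = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if (proto in ("tcp", "udp") and perm.get("FromPort") == perm.get("ToPort")
                and perm.get("FromPort") in public_ports):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == WIDE_OPEN_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WIDE_OPEN_V6]
        if not v4 and not v6:
            continue
        entry: dict[str, Any] = {"IpProtocol": proto}
        # FromPort/ToPort are absent for "-1" (all traffic); copy only when present.
        for key in ("FromPort", "ToPort"):
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = [{"CidrIp": WIDE_OPEN_V4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": WIDE_OPEN_V6}]
        found.append(entry)
    return found


def revoke_wide_open(ec2, group_id: str, public_ports: frozenset[int] = frozenset(),
                     dry_run: bool = True) -> list[dict[str, Any]]:
    """Describe one group and revoke its wide-open inbound ranges.

    ec2 is a boto3 EC2 client. With dry_run=True only the plan is returned, which
    is what you want the first time this runs against an account you did not build.
    """
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    plan = wide_open_permissions(group, public_ports)
    if plan and not dry_run:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=plan)
    return plan


if __name__ == "__main__":
    import json
    # Offline demonstration on the constructed group; swap in
    # revoke_wide_open(boto3.client("ec2"), "sg-...") to run for real.
    print(json.dumps(wide_open_permissions(SAMPLE_SG, frozenset({443})), indent=2))
```

Run it on a schedule (an SSM Automation or EventBridge-triggered function, as in the linked post) rather than once; the point of the exercise is that users keep the ability to edit rules, so the check has to keep running. Note that revoking only the wide-open range, rather than the whole rule, is what keeps the users' own /32 entries working after remediation.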
My requirement is:
For a given AWS account, automate opening a port xyz for all the VPCs of that account for a CIDR x.x.x.x/x. Later we would like to apply the same to all the other AWS accounts in AWS Organizations.
My approach is to use the boto3 API: get the list of all the VPCs of the given account, get their attached SGs and NACLs, and attach the required rule.
Another solution is the one given in the documentation for AWS Network Firewall.
I am here to know if there are any better ideas of implementing this.
Thank you!
It is not possible to "open a port for VPCs".
Each resource attached to an Amazon VPC is associated with Security Group(s). You would need to add an Inbound rule to a Security Group to permit access to a resource.
I would highly recommend against blindly opening a particular port for all resources. It is much more secure to only open access to specific resources that require that access.
Echoing #jarmod's advice, in general you should not modify NACL rules unless you have a very specific reason to do so (e.g. for creating a DMZ). Security Groups provide adequate access control for the majority of situations.
My current setup on EC2 Management Console involves:
multiple security groups representing various resources on AWS
multiple inbound rules within a security group representing people's public IP addresses that are whitelisted to access the resource
Currently, when a person's public IP address changes because of ISP issues, I have to manually go into EC2MC and change the inbound rule associated with that person to allow them access. There are multiple inbound rules within a security group and multiple security groups that this person is whitelisted for. Rather than changing, for instance, 9 rules manually, I'm wondering if there's a way to launch a script that prompts for the security group name, person's name, and new IP address so that this substitution occurs automatically?
Example layout of security groups
Example layout of inbound rules within a security group
Any advice is appreciated!
This is a pretty straightforward script to write. AWS has a CLI/API for authorize-security-group-ingress and revoke-security-group-ingress. You could do this in a Bash script or in any language with an AWS SDK. The revocation would be easier if you know their previous IP address; otherwise you may need to make a describe-security-groups call to determine it based on descriptions.
Below are links to the relevant CLI docs:
https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html
You can automate this task using a Bash or Python script. You will just have to run the AWS SDK commands for adding/updating the inbound rules on the particular security group.
e.g. For updating the public IP of one of your existing SSH users:
aws ec2 modify-security-group-rules --group-id sg-xxxxxxxxxx --security-group-rules "SecurityGroupRuleId=sgr-xxxxxxxxxxx,SecurityGroupRule={Description=User1,IpProtocol=TCP,FromPort=22,ToPort=22,CidrIpv4=101.10.0.0/32}"
For this, you first need to know the security group ID and the security group rule ID which you are going to update. Then you can substitute them dynamically into the above command.
I need to restrict some WorkSpaces' internet access to approved IPs. The easiest way (according to my understanding) would be to modify the d-xxxxxxxxxx_workspacesMembers security group's outbound rules. To test, I just removed all outbound rules (meaning no outbound access), but it seems like the WorkSpace won't start up.
The short question is, where can I find a list of outbound access requirements so that I can whitelist them? All I can find are client internet requirements: https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html
The longer question is what is the best way to restrict outbound access? I'm not opposed to something like a squid proxy, but our requirements aren't that complex, a simple IP whitelist would be fine.
From my point of view, the right approach would be to use a firewall appliance or AWS Network Firewall (or maybe an endpoint protection product) to control the traffic.
From: Security Groups for Your WorkSpaces
Do not modify or delete the _controllers and the _workspacesMembers security groups. If you modify or delete these security groups, your WorkSpaces won't function correctly, and you won't be able to recreate these groups and add them back.
Alternatively, Windows Firewall rules rolled out via GPO should also work, but that is not the best approach from my point of view.
I want to delete a security group, sg-d578d9ab, in my AWS account.
I got the following message when trying to delete it:
These security groups are associated with one or more network interfaces. Delete the network interfaces, or associate them with different security groups. View your network interfaces.
In order to solve the problem, I opened the Network Interfaces page to see which network interface is using sg-d578d9ab.
It turns out there's 1 network interface that's using the security group.
Then I used the Change Security Groups option to disassociate the security group from the network interface.
Then I got a message saying
You do not have permission to access the specified resource.
Why can't I change the security group of the network interface?
My AWS account has AdministratorAccess permission.
The Attachment owner and Owner ID properties of the network interface are amazon-rds. This seems to be the reason I can't change its security group.
Does this mean that the network interface is created when someone else sets up an AWS RDS?
The security group, sg-d578d9ab, is used by one of my RDS instances.
After disassociating the RDS instance from the security group, I was able to delete the security group.
Saw the same error, but from a VPC endpoint. After disassociating the VPC endpoint from the security group, I was able to delete the security group.
I've just been googling the differences between a security group and an access key in AWS, but I'm unable to find any detailed explanation. Could anyone explain it?
A security group is a set of rules for inbound and outbound communication. An access key is a credential for authenticating a user, just like a username + password combination is a set of credentials for authenticating a user.
Security groups are rules to allow traffic to instances. This can be considered similar to iptables in Linux.
Access keys are credentials that you can use to manage AWS activity from command line or code.