How can we restrict outbound traffic from an AWS VPC to the internet, for example limiting outbound traffic to certain trusted domains (URL “whitelisting”)?
I was thinking of AWS WAF, but it seems it filters traffic traveling to the web application, not from the web application.
Any thoughts or suggestions? Thanks in advance.
It seems that you're looking for a proxy solution. As far as I know there aren't any managed proxy AWS services offered yet, but you can use CloudFormation, Terraform or similar to set it up your own way with open source solutions, for example.
There is a good blog post on AWS about exactly your issue: https://aws.amazon.com/de/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/
Maybe there is something useful for you on AWS Marketplace:
https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=Proxy
The simplest and easiest way is to implement an Aviatrix FQDN egress filter. It serves the purpose from a centralized user interface to discover and then whitelist/blacklist the URLs/FQDNs in every VPC.
Proxy implementation could become complex, especially when you have to manage it separately in every VPC, and it doesn't provide centralized control: every VPC has to be managed separately.
The easiest way is to get an Aviatrix launch partner like SDxWORx and enable it with discounted PAYG pricing.
https://aws.amazon.com/marketplace/pp/prodview-laruhupdkcpuy/
I work for the platform team of my company and we have a central AWS Network Firewall in a central VPC. We provide AWS accounts for different teams, and if they need internet access, we connect the VPCs of the teams with a transit gateway to our central VPC and route traffic through our central VPC and firewall into the internet.
We currently only allow reaching certain domains that we whitelist. The problem is that if we whitelist a URL, every AWS account can reach this URL. Sometimes an AWS account needs to reach just one endpoint and not every endpoint that is whitelisted.
My question is: is it possible to use some kind of conditional rules that only apply to certain accounts/VPCs?
We use CloudFormation for IaC. Any help and examples are highly appreciated!
Cheers
I have an EC2 instance with Windows Server; I'm using it only with RDP. Can I somehow block outbound traffic from the browser to a specific domain (e.g. abc.example.com) or URL? I'd rather do it in the AWS Dashboard so that RDP users do not have access to whitelist this domain/URL.
How can I achieve this? Thanks!
There is no native AWS solution for this; of course you could allow only specific IP addresses. The problem with this is that for domains these may change; when you look at the cloud you can see that many services (such as load balancers and CDNs) will be changing their IP addresses.
The ideal solution is to deploy software (running on EC2) that is able to filter outbound traffic based on domain name. There are solutions on the AWS Marketplace, as well as filtering using a dumb proxy.
The network setup would involve you creating a number of subnets containing the EC2 instances. These would have a route table forwarding all traffic (0.0.0.0/0) to a NAT.
Then for all applications that need to have their outbound traffic filtered they would update their route table to route all traffic (0.0.0.0/0) to the ENI of one of the filtering hosts (ideally in the same AZ).
More information: https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/
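The filtering host described in this answer, like the proxy the first thread's answers point to, ends up making one decision per request: is the destination name on the allowlist? The following is an added example (not code from either answer, nor from the linked AWS blog post) of that decision, keyed on the domain name rather than on IP addresses that change. The allowlist entries, the request bytes and the `decide` helper are constructed for the example; the leading-dot convention mirrors Squid's `dstdomain` ACL used in the blog post.

```python
import ipaddress

# Constructed allowlist. A leading dot means the domain and everything below it.
ALLOWLIST = [".amazonaws.com", "api.github.com", ".ubuntu.com"]


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and any :port suffix, unwrap [ipv6]."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    host = normalize_host(host)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal: compare it as a domain name below
    else:
        return False  # raw IP literals never match a domain allowlist; deny them so
                      # the filter cannot be sidestepped by skipping the DNS name
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            # ".example.com" matches example.com and a.example.com; the suffix test
            # keeps the dot, so evil-example.com does not match.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def request_target(request: bytes) -> str:
    """Destination from a CONNECT request line or, for plain HTTP, the Host header."""
    lines = request.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    if method.upper() == "CONNECT":
        return target
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    raise ValueError("request has no Host header")


def decide(request: bytes) -> str:
    return "ALLOW" if is_allowed(request_target(request)) else "DENY"
```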
You can configure Access Control Lists (ACLs) and Security Groups to filter outbound traffic. However, both of those tools only allow filtering based on IP address, not domain.
If you are confident that the IP addresses won't change, then you can configure these services. If you aren't interested in maintaining a blacklist, then you might need to check on some OS-level limits.
The simplest and easiest way is to implement an Aviatrix FQDN egress filter. It serves the purpose from a centralized user interface to whitelist/blacklist the URLs in every VPC.
A Next Generation Firewall (NGFW) implementation just to achieve URL/FQDN filtering is overkill, especially from the cost point of view, whereas a proxy implementation has its complexity and doesn't provide centralized control: every VPC has to be managed separately.
The easiest way is to get an Aviatrix launch partner like SDxWORx and enable it with discounted PAYG pricing.
https://aws.amazon.com/marketplace/pp/prodview-laruhupdkcpuy/
I was able to find in my research that there are some ways to find all our AWS resources, but can you suggest any solution to find public resources in our AWS account?
Unfortunately, there is no easy way to find all resources that are allowed to communicate with the outside world. However, the only way for most of the resources in AWS to connect to the internet is through a VPC that is configured to allow access to the 0.0.0.0/0 network with a Security Group and ACL. So what you can do is search for the VPC ID on resource categories, and any results you get can connect to the internet.
This can be a very tedious task and this is NOT 100% guaranteed to find all resources, as some resources have a self-sustained VPC per resource, such as S3. So my suggestion is that you get used to using tags for resources.
Also maybe think about using an infrastructure as code approach with something like Terraform.
If you have all of your instances in a VPC, you could enable VPC Flow Logs on your VPC and then monitor all VPC traffic that way.
For the instances that are not in VPCs, you could have CloudWatch Logs enabled for that instance and then monitor the traffic that way.
Your instances should have security groups attached to them so that you could monitor the rules and see if you have an outbound rule set to 0.0.0.0/0.
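As an added illustration of the flow-log approach (this is example code, not from the answer above), the following parses VPC Flow Log records in the default v2 format and reports which ENIs actually sent accepted traffic to public addresses. Such a report is what you compare against security groups whose outbound rules allow 0.0.0.0/0. The log lines, account id and ENI ids are constructed.

```python
import ipaddress
from collections import defaultdict

# Field order of the default VPC Flow Log v2 record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records: two ENIs in 10.0.0.0/16, one NODATA row.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 93.184.216.34 51234 443 6 10 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51235 5432 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.11 198.51.100.7 51236 25 6 3 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 10.0.1.11 8.8.8.8 51237 80 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str) -> dict:
    return dict(zip(FIELDS, line.split()))


def is_vpc_egress(rec: dict, vpc_cidr: str) -> bool:
    """True for an accepted flow that starts inside the VPC and leaves it."""
    if rec["log-status"] != "OK" or rec["action"] != "ACCEPT":
        return False  # NODATA/SKIPDATA rows carry no addresses; REJECTs never left
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    net = ipaddress.ip_network(vpc_cidr)
    # Internal peers (other subnets, RFC1918 peers) are not internet egress.
    return src in net and dst not in net and dst.is_global


def egress_report(logs: str, vpc_cidr: str) -> dict:
    """Map each ENI to the set of (public destination, port) pairs it reached."""
    report = defaultdict(set)
    for line in logs.splitlines():
        rec = parse_record(line)
        if is_vpc_egress(rec, vpc_cidr):
            report[rec["interface-id"]].add((rec["dstaddr"], int(rec["dstport"])))
    return dict(report)
```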
You can give Netflix's Security Monkey a try. The tool will make a complete report of all secure and insecure AWS assets, including Security Groups, IAM Policies and S3 Buckets. In fact, it also provides a ticketing-like system to collaborate on such problems.
You can use the IAM Access Analyzer console.
We have several microservices on AWS ECS. We have a single ALB which has a different target group for each microservice. We want to expose some endpoints externally while some endpoints are just for internal communication.
The problem is that if we put our load balancer in the public VPC, then it means that we are exposing all registered endpoints externally. If we move the load balancer to the private VPC, we have to use some sort of proxy in the public VPC, which requires additional infra/cost and a custom implementation of all security concerns like DDoS etc.
What possible approaches can we have, or does AWS provide some sort of out-of-the-box solution for this?
I would strongly recommend running 2 ALBs for this. Sure, it will cost you more (not double, because the traffic costs won't be doubled), but it's much more straightforward to have an internal load balancer and an external load balancer. Work hours cost money too! Running 2 ALBs will be the least admin and probably the cheapest overall.
Check out WAF. It stands for web application firewall and is available as an AWS service. Follow these steps as guidance:
Create a WAF ACL.
Add "String and regex matching" condition for your private endpoints.
Add "IP addresses" condition for your IP list/range that are allowed to access private endpoints.
Create a rule in your ACL to Allow access if both conditions above are met.
Assign ALB to your WAF ACL.
UPDATE:
In this case you have to use an external-facing ALB in a public subnet, as mentioned by Dan Farrell in the comment below.
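A worked model of the web ACL decision for this single-ALB setup, added here as an example and not taken from the answer above: rules are evaluated in order, the first match decides, and the web ACL's default action covers everything else. The rule set below is an assumption chosen so the public endpoints stay reachable without listing each one: a BLOCK rule on the private path prefixes for sources outside the trusted ranges, with the default action left at ALLOW. Paths, CIDRs and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Rule:
    name: str
    action: str                # "ALLOW" or "BLOCK"
    path_prefixes: tuple = ()  # the "string matching" condition (empty = any path)
    source_cidrs: tuple = ()   # the "IP addresses" condition (empty = any source)
    negate_ip: bool = False    # match when the source is NOT in the IP set

    def matches(self, path: str, src_ip: str) -> bool:
        # Mirror WAF's URL_DECODE and LOWERCASE text transformations so that
        # case and percent-encoding variants of a prefix compare equal.
        path = unquote(path).lower()
        path_ok = not self.path_prefixes or any(path.startswith(p) for p in self.path_prefixes)
        nets = [ipaddress.ip_network(c) for c in self.source_cidrs]
        in_set = any(ipaddress.ip_address(src_ip) in n for n in nets)
        ip_ok = not nets or (in_set != self.negate_ip)
        return path_ok and ip_ok


def evaluate(rules, default_action: str, path: str, src_ip: str) -> str:
    """First matching rule decides; otherwise the web ACL default action applies."""
    for rule in rules:
        if rule.matches(path, src_ip):
            return rule.action
    return default_action


# Constructed policy: private prefixes are reachable only from trusted ranges,
# everything else stays open. Guarding with a BLOCK rule plus a default ALLOW
# avoids having to enumerate every public endpoint in an allow rule.
PRIVATE_PATHS = ("/internal/", "/admin/")
TRUSTED_SOURCES = ("10.8.0.0/16", "203.0.113.0/24")
RULES = [Rule("guard-private", "BLOCK", PRIVATE_PATHS, TRUSTED_SOURCES, negate_ip=True)]


def decide(path: str, src_ip: str) -> str:
    return evaluate(RULES, "ALLOW", path, src_ip)
```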
I would suggest doing it like this:
one internal ALB
one target group per microservice, as limited by ECS.
one Network Load Balancer (NLB), with one IP-based target group.
The IP-based target group will have the internal ALB IP addresses; as the private IP addresses for the ALB are not static, you will need to set up a CloudWatch cron rule with this Lambda function (forked from AWS documentation and modified to work on public endpoints as well):
https://github.com/talal-shobaita/populate-nlb-tg-withalb/
Both ALB and NLB are scalable and protected from DDoS by AWS. AWS WAF is another great tool that can be attached directly to your ALB listener for extended protection.
Alternatively, you can wait for AWS to support multiple target group registration per service, it is already in their roadmap:
https://github.com/aws/containers-roadmap/issues/104
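The reconciliation step such a scheduled function performs, written out as an added example (this is not the linked repository's code): resolve the internal ALB's DNS name, compare the addresses with what the NLB IP target group currently has registered, and register or deregister only the difference. The environment variable names and the target port are assumptions; boto3 is imported inside the function so the planning logic runs offline, and an empty lookup refuses to deregister anything rather than emptying the group.

```python
import os
import socket


def resolve_alb(dns_name: str) -> set:
    """Private IPs currently answering for the internal ALB (at least one per AZ)."""
    return {info[4][0] for info in socket.getaddrinfo(dns_name, 80, socket.AF_INET)}


def plan_changes(resolved: set, registered: set) -> dict:
    """Register what DNS now returns, deregister what it no longer returns."""
    if not resolved:
        # A failed or empty lookup must not drain the target group and take the
        # public entry point offline; leave the current targets untouched.
        raise RuntimeError("ALB name resolved to no addresses; not changing targets")
    return {"register": sorted(resolved - registered),
            "deregister": sorted(registered - resolved)}


def sync_target_group(alb_dns: str, target_group_arn: str, port: int = 80) -> dict:
    import boto3  # assumed: the Lambda role allows elbv2 Describe/Register/Deregister
    elbv2 = boto3.client("elbv2")
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    registered = {t["Target"]["Id"] for t in health["TargetHealthDescriptions"]}
    plan = plan_changes(resolve_alb(alb_dns), registered)
    if plan["register"]:
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": ip, "Port": port} for ip in plan["register"]])
    if plan["deregister"]:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": ip, "Port": port} for ip in plan["deregister"]])
    return plan


def lambda_handler(event, context):
    # ALB_DNS_NAME and TARGET_GROUP_ARN are assumed environment variables on the
    # function; the scheduled CloudWatch rule invokes it periodically.
    return sync_target_group(os.environ["ALB_DNS_NAME"], os.environ["TARGET_GROUP_ARN"])
```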
This is how we eventually solved it.
Two LBs, one in a private and one in a public subnet.
Some APIs were meant to be public, so they were directly exposed through the public LB.
For some private API endpoints that needed to be exposed, we added a proxy in the public LB and routed those particular paths from the public LB to the private LB through this proxy.
These days API Gateway is the best way to do this. You can have your API serve a number of different endpoints while serving only the public ones via API Gateway and proxying back to the API.
I don't see it mentioned yet, so I'll note that we use Cloud Map for internal routing and an ALB for "external" (in our case simply intra/inter-VPC) communication. I didn't read it in depth, but I think this article describes it.
AWS Cloud Map is a managed solution that lets you map logical names to the components/resources for an application. It allows applications to discover the resources using one of the AWS SDKs, RESTful API calls, or DNS queries. AWS Cloud Map serves registered resources, which can be Amazon DynamoDB tables, Amazon Simple Queue Service (SQS) queues, any higher-level application services that are built using EC2 instances or ECS tasks, or using a serverless stack.
...
Amazon ECS is tightly integrated with AWS Cloud Map to enable service discovery for compute workloads running in ECS. When you enable service discovery for ECS services, it automatically keeps track of all task instances in AWS Cloud Map.
You want to look at AWS Security Groups.
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
Even more specific to your use case, though, might be their doc on ELB Security Groups. These are, as you may expect, security groups that are applied at the ELB level rather than the instance level.
Using security groups, you can specify who has access to which endpoints.
I am trying to find a simple solution to the following problem. I have 2 microservices in AWS behind a VPN on machines with a static IP (which won't change) behind a VPN (so they're visible to other AWS instances in the same security group), and then I have another microservice on GCP (Kubernetes), which needs to access these (basically for very simple and very occasional HTTP POST requests). What would be the easiest way to do so? I was thinking about specifying the IP addresses of my Kubernetes pool instances in the inbound rules of the AWS security group for those two microservices, but that is dangerous because of the dynamic nature of these...
I found some solutions using tunnels et cetera, but most of the guides were either outdated or don't suit my needs. They e.g. require creating a new VPC, while I want to reuse the existing one. I am sure it's the way, but it seems like huge overkill to me. Couldn't I e.g. somehow leverage Ingress or some simple proxy container?
Thanks!
I solved it by using two proxies.