Using NACL to Block traffic - amazon-web-services

I have an application on an EC2 instance which connects to a website (github.com) to download an application repository (say thrice a week, or a bit more frequently).
I would like to block access to my VPC using a NACL, so that no traffic other than from this website, github.com, can go through (keeping in view that NACLs are stateless).
The issue I am facing is that I cannot whitelist a website using a NACL, since the IP-based approach is not workable (the IPs are always changing).
Can someone suggest a better solution or a fix that we can apply here?

A NACL cannot resolve DNS, as this requires a higher OSI layer that has information about the HTTP protocol details.
One option here is to place your EC2 instance behind a NAT gateway, thus effectively placing it in a private subnet; it would then translate to an IP that will not change when facing the public internet, such as an Elastic IP. In this way you will be able to protect your EC2 instances while referencing a consistent IP address.
Another option is to use ssh-keygen to generate a public and private key pair, which you then copy over to the respective git repo (as an SSH key), and then block any other protocols and traffic after establishing that one-to-one trust. A more secure version of this is tackled nicely in this post: EC2 can't SSH into github
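The answer above stops at "a NACL cannot whitelist a hostname". What a practitioner actually does when the destination must be expressed as CIDRs is to take the published address ranges and turn them into rule pairs, because a stateless ACL needs one egress rule for the request and one ingress rule for the reply. The following is an added example and not code from the question or the answer. It assumes that GitHub publishes its ranges at https://api.github.com/meta (the sample document below is a constructed excerpt in that shape, not live data, using RFC 5737/3849 test ranges), that the instance uses HTTPS (443) and git-over-SSH (22), that rule numbers start at 100, and that the ACL id passed to the CLI is a placeholder.

```python
"""Stateless NACL allow-list for an instance that must reach only GitHub.

Added example; this is not code from the original question or answer.
Assumptions not in the thread: GitHub's ranges come from
https://api.github.com/meta (SAMPLE_META is a constructed stand-in),
the instance uses 443 and 22, rule numbers start at 100.
"""
import ipaddress
import json

# Constructed stand-in for the /meta document (RFC 5737/3849 test ranges).
SAMPLE_META = json.dumps({
    "git": ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"],
    "web": ["192.0.2.0/24", "203.0.113.0/25"],
})

EPHEMERAL = (1024, 65535)      # reply traffic lands on these instance ports
RULES_PER_DIRECTION = 20       # default NACL quota per direction (adjustable)


def github_cidrs(meta_json, keys=("git", "web")):
    """De-duplicated, sorted IPv4 networks from a /meta document."""
    nets = set()
    for key in keys:
        for cidr in json.loads(meta_json).get(key, []):
            net = ipaddress.ip_network(cidr, strict=True)   # rejects junk input
            if net.version == 4:                            # IPv4-only ACL here
                nets.add(net)
    return sorted(nets)


def nacl_rules(cidrs, dest_ports=(443, 22), start=100, step=10):
    """Rules for a stateless ACL.

    A NACL keeps no connection state, so each destination needs an egress
    rule for the request AND an ingress rule for the reply, which comes back
    from the same CIDR to an ephemeral port on the instance. Rules are
    evaluated in ascending number order; anything unmatched hits the
    implicit deny, so nothing else gets through.
    """
    rules, num = [], start
    for net in cidrs:
        for port in dest_ports:
            rules.append({"rule_number": num, "egress": True, "protocol": "tcp",
                          "cidr": str(net), "from_port": port, "to_port": port,
                          "action": "allow"})
            num += step
        rules.append({"rule_number": num, "egress": False, "protocol": "tcp",
                      "cidr": str(net), "from_port": EPHEMERAL[0],
                      "to_port": EPHEMERAL[1], "action": "allow"})
        num += step
    return rules


def check_quota(rules, limit=RULES_PER_DIRECTION):
    """(egress_count, ingress_count, fits): fail early instead of having the
    21st CreateNetworkAclEntry call rejected half-way through."""
    egress = sum(1 for r in rules if r["egress"])
    ingress = len(rules) - egress
    return egress, ingress, egress <= limit and ingress <= limit


def cli_commands(acl_id, rules):
    """Equivalent `aws ec2 create-network-acl-entry` invocations."""
    cmds = []
    for r in rules:
        cmds.append(
            "aws ec2 create-network-acl-entry --network-acl-id {acl} "
            "--rule-number {num} {direction} --protocol {proto} "
            "--rule-action {act} --cidr-block {cidr} "
            "--port-range From={f},To={t}".format(
                acl=acl_id, num=r["rule_number"],
                direction="--egress" if r["egress"] else "--ingress",
                proto=r["protocol"], act=r["action"], cidr=r["cidr"],
                f=r["from_port"], t=r["to_port"]))
    return cmds


if __name__ == "__main__":
    cidrs = github_cidrs(SAMPLE_META)
    rules = nacl_rules(cidrs)
    egress, ingress, fits = check_quota(rules)
    print(f"{egress} egress + {ingress} ingress rules, within quota: {fits}")
    for cmd in cli_commands("acl-0123456789abcdef0", rules):  # placeholder id
        print(cmd)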

Related

Create a public endpoint to AWS ElasticSearch domain which is inside a VPC

I need to access an AWS ElasticSearch (AES) domain, which is inside a VPC, from the internet, so that I can do read/write testing from a local machine. Ultimately, the code will run on an EC2 instance inside the VPC, but for now I need direct access. It would be ideal if the same code would run both outside and inside the VPC (as we do with DynamoDB), but we may not be that lucky.
Thus, I want to create a public endpoint to access the AES domain that is inside the VPC.
Since I have the AES internal endpoint name and the ENI connected to it, I thought I could just connect an Elastic IP address to the ENI, but that's not allowed -- I assume it's because the internal IP address may change.
Alternatively, it would make sense that I could map a route in the route table from the IGW (Internet Gateway) to the internal address. But that would again be tied to the internal IP address, and that's bad.
I expect I could use Route53 to map an external facing domain name in to it. But that seems like overkill.
Is there way to map an address from the internet in to the AES domain name?
Sadly, there is no direct way. You have to set up a VPN connection between your home and your VPC, or some other type of proxy server. However, for testing and development purposes this is usually done using an SSH tunnel, which is more than sufficient. Setting up the SSH tunnel is explained in Testing VPC Domains of the AWS Docs.
There are also numerous other manuals and tutorials on how to do it, e.g.:
How can I use an SSH tunnel to access Kibana from outside of a VPC with Amazon Cognito authentication?
I want to use an SSH tunnel through AWS Systems Manager to access my private VPC resources. How can I do this?
Elasticsearch api secure using SSH tunneling

Best way to connect AWS EC2 instances to avoid failed connections on IP change

I have four EC2 instances, three of them running API services and another running the user interface (UI). The UI instance obtains the data over API calls to the other instances. Right now everything works fine because I'm using the public IP provided for each EC2 instance for the API calls. But my concern is: what happens if the public IP of a service changes (for any reason)? Then my application goes down because the UI cannot get the data from the services. After a little research I have found what appears to be a solution: use a VPC to connect the EC2 instances over private IPs (because they are static) and associate the UI instance with an Elastic IP (no problem here). So, I have some issues:
1) I made a test putting all instances in the same VPC (and subnet), but when I ping from one to another the pings fail. Is my approach right? Or am I missing something?
2) I read a couple of other options but I'm not sure which is best: maybe I have to use an API Gateway? Or a NAT Gateway?
3) What is the standard practice to communicate between EC2 instances in a private way?
1) I made a test putting all instances in the same VPC (and subnet), but when I ping from one to another the pings fail. Is my approach right? Or am I missing something?
For security reasons, AWS blocks ICMP traffic using the security group. Please enable ping traffic (ICMP) in the security group from the IPs you are trying to connect from; it's better to allow the entire CIDR block of the VPC for all traffic, which will make your life a lot easier. Please make sure you do this in a test environment only.
2) I read a couple of other options but I'm not sure which is best: maybe I have to use an API Gateway? Or a NAT Gateway?
Also, as you mentioned that your concern is that the public IP of the instance will change (definitely if your instance stops/starts for any reason), why don't you use an Elastic IP for all of your instances? That could be one of the solutions, but using this approach all of your instances will be exposed to the internet, so going with private IPs is the best option.
3) What is the standard practice to communicate between EC2 instances in a private way?
It depends on the use case. If your instances are in the same VPC, no extra configuration is required; you only need to make sure the security groups, Network Access Control List and firewall configuration are correct.
In case your instances are in different VPCs, you can use VPC Peering/Transit Gateway.
1.) You need to update the security groups with permission for ICMP traffic.
Go to your VPC -> Select Security Groups -> Select the relevant security group -> Add an Inbound/Outbound rule for all traffic with the CIDR of the instance subnet.
2.) The internal network is the better way as long as all your traffic is going to be internal.
Thanks

Why is a Bastion Host more secure?

I've read that the best security practice for making EC2 instances Internet-accessible is to place them in a private VPC subnet, create a Bastion host in a public VPC subnet, use a security group to only allow connections from the Bastion host, and then do key forwarding to log in to the private instances.
However, it seems AWS offers various configurations which seem to provide similar functionality to an actual Bastion host. For instance, using a Security group on a public subnet seems pretty good, and if someone gets access to your Bastion it seems likely that they're not far away from your private keys. In any case, is there anywhere I could find more info on this topic?
It's a matter of minimizing attack surface.
With a bastion host your only exposure to the open internet (excluding any load balancers) is port 22, which is backed by a relatively trustworthy piece of software.
It's also a single point of management: you define one security group that identifies the IP addresses allowed to contact the bastion, and you create a single authorized_keys file that contains the public keys of your authorized users. When a user leaves, you delete a line from each.
By comparison, if you rely solely on security groups to protect publicly-accessible hosts, you need to replicate the same settings on every group (and remove/update them as needed). And if you allow SSH access to those hosts, you have to distribute the authorized_keys file after every change.
Although I can't recommend doing this, it's at least rational to open port 22 on the bastion host for world access. If you have a lot of users, or those users connect via tethered cellphones, it may even be reasonable. That's something that you'd never, ever want to do with arbitrary services.
You can find best practices of using Bastion Host here: https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
Access to the bastion hosts is locked down to known CIDR scopes for ingress. This is achieved by associating the bastion instances with a security group. The Quick Start creates a BastionSecurityGroup resource for this purpose.
Ports are limited to allow only the necessary access to the bastion hosts. For Linux bastion hosts, TCP port 22 for SSH connections is typically the only port allowed.
Note that it is pretty common to create an SSH tunnel to connect to a given resource through your Bastion Host: https://myopswork.com/transparent-ssh-tunnel-through-a-bastion-host-d1d864ddb9ae
Hope it helps!
Let me answer this question in a simpler way.
First one needs to understand the bastion host (some people call it a jump box).
The trick is that only one server, the bastion host, can be accessed via SSH from THE INTERNET (it should be restricted to a specific source IP address). All other servers can only be reached via SSH from the bastion host.
This approach has three security advantages:
You have only one entry point into your system, and that entry point does nothing but SSH. The chances of this box being hacked are small.
If one of your web servers, mail servers, FTP servers, and so on, is hacked, the attacker can’t jump from that server to all the other servers.
It's important that the bastion host does nothing but SSH, to reduce the chance of it becoming a security risk.
Hope this helps others to understand!

AWS CloudFormation Ethereum - Explorer issue

I used the AWS Ethereum Template to deploy an Ethereum stack. The stats page works and shows the workers and mining stats; however, the explorer page is showing
'Allow Access to Geth and Refresh the Page'
I have recreated my stacks, and went over each step twice to make sure I wasn't missing something. I also followed some of the posts on fixing this issue (setting the IP manually in my app.js), but that didn't seem to work either.
I am not sure what code to provide, but will do so if anyone asks.
Template tutorial - https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-getting-started.html
I had to put my Bastion host in the EC2 security group, instead of just the ALB security group. The documentation does not say this, so I am wondering if I have something else not set up correctly. I am going to close this for now, but if I find the root cause, I will update.
The step is at the very bottom of this doc: https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-template-getting-started-prerequisites.html
edit: I opened up a pull request. Hopefully AWS can tell me what I did wrong, or if the documentation is actually wrong.
https://github.com/awsdocs/aws-blockchain-templates-developer-guide/pull/2
Putting your Bastion in the EC2 Security Group (private) defeats the purpose of having a Bastion. I'm a user too, and have managed to get past this step. You should notice that these instructions require the creation of 3 subnets: 1 private, and 2 public subnets in different zones of the same region. Your EC2 instances reside in the private subnet, your ALB in both public subnets, and your Bastion in one of the public subnets.
Once you setup the security groups, the public group (such as the Bastion instance) can be reached from the Internet, and the members of the public and private group have access to each other. So you can SSH into the Bastion, and from there either hop via another SSH or a FoxyProxy setup to the private EC2s.
I assume you're looking at the stats page while SSH-ing into the Bastion and using FoxyProxy to make your local machine a Bastion proxy with access to the "internal*" DNS addresses. The page itself is being serviced by the ALB machine. So if it's missing any access, it suggests to me that the private / public security groups may be missing inbound / outbound rules to each other, so I would double check that.
Hope this was helpful.

AWS - Locking down ports

This has probably been answered elsewhere but I can't seem to find it!
I have a number of AWS EC2 instances that I am using as part of a project being built and I am now looking into securing the setup a bit. I want to lock down access to some of the ports.
For example, I want to have one of the instances act as a database server (hosting MySQL). I want this to be closed to public access but open to access from my other EC2 instances on their private IPs.
I also use the AWS auto-scaler to add/remove instances as required and need these to be able to access the DB server without having to manually add their IPs to a list.
Similarly, if possible, I want to lock down some instances so that they can only accept traffic from an AWS Load Balancer. So port 80 is open on the instance, but only for traffic coming from the Load Balancer.
I've looked at specifying the IPs using CIDR notation but can't seem to get it working. From the look of the private IPs being assigned to my instances, the first two octets remain the same and the last two vary. But opening it to all instances with the same first two octets doesn't seem that secure either?!
Thanks
What you want to do is all pretty standard stuff, and is extensively documented in the AWS Virtual Private Cloud (VPC) documentation. If your EC2 instances are not running in a VPC, they should be.
The link below should help, it seems to be your scenario:
Scenario 2: VPC with Public and Private Subnets (NAT)
The configuration for this scenario includes a VPC with a public subnet and private subnet, and a network address translation (NAT) instance in the public subnet. A NAT instance enables instances in the private subnet to initiate outbound traffic to the Internet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
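The scenario document describes the subnet layout but not the security-group rules that make it work, and the three questions above (EC2 instances talking over private IPs, why a bastion is safer, and locking down ports for a database and a load-balanced web tier) all run into the same mechanism: a security group rule whose source is another security group rather than a CIDR. Such a rule matches every current member of the source group, so an autoscaled instance is allowed as soon as it launches, whatever private address it gets, and nothing else in the same /16 is. The following is an added example, not code from any of the threads. It assumes placeholder group IDs and office CIDR, a VPC of 10.0.0.0/16, MySQL on 3306, and that rules are pushed with a boto3 EC2 client supplied by the caller.

```python
"""Security-group rules for the bastion / load balancer / web / database
layout discussed in the threads above, expressed as the IpPermissions
structures that EC2's AuthorizeSecurityGroupIngress accepts.

Added example, not code from any of the posts. Assumptions not in them:
group IDs and the office CIDR are placeholders, the VPC is 10.0.0.0/16,
MySQL listens on 3306, and apply_rules() is handed boto3.client("ec2").
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # assumed VPC range


def from_sg(port, source_sg, proto="tcp"):
    """Allow `port` from every current member of `source_sg`.

    Membership, not addresses, is what matters: an autoscaled instance that
    joins the source group is allowed the moment it launches, whatever
    private IP it receives, and nothing outside the group is.
    """
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def from_cidr(port, cidr, proto="tcp"):
    """Allow `port` from a fixed address range. Only for sources that really
    are fixed (the office, or the whole internet for a public listener)."""
    ipaddress.ip_network(cidr, strict=True)   # ValueError on a malformed CIDR
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def tier_rules(sg, office_cidr):
    """sg maps tier name -> group id. Returns {group id: [permissions]}."""
    return {
        sg["elb"]:     [from_cidr(80, "0.0.0.0/0"), from_cidr(443, "0.0.0.0/0")],
        sg["web"]:     [from_sg(80, sg["elb"]),       # only the load balancer
                        from_sg(22, sg["bastion"])],
        sg["db"]:      [from_sg(3306, sg["web"]),     # only the web tier
                        from_sg(22, sg["bastion"])],
        sg["bastion"]: [from_cidr(22, office_cidr)],  # known CIDR, port 22 only
    }


def audit(rules, vpc_cidr=VPC_CIDR):
    """Findings for the two mistakes the questions above run into: a port
    open to the world, and a VPC-internal CIDR where a group reference
    would do (the 'same first two octets' approach)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg_id, perms in rules.items():
        for p in perms:
            for r in p.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"])
                if net.version != 4:
                    continue
                if net.prefixlen == 0 and p["FromPort"] not in (80, 443):
                    findings.append(f"{sg_id}: port {p['FromPort']} open to the world")
                elif net.subnet_of(vpc):
                    findings.append(f"{sg_id}: port {p['FromPort']} from VPC range "
                                    f"{net}; reference a security group instead")
    return findings


def apply_rules(ec2, rules):
    """Push the rules with a boto3 EC2 client, one call per group."""
    for sg_id, perms in rules.items():
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)


if __name__ == "__main__":
    # Placeholder group IDs and a constructed office range.
    groups = {"elb": "sg-elb", "web": "sg-web", "db": "sg-db", "bastion": "sg-bastion"}
    good = tier_rules(groups, "203.0.113.0/24")
    print("findings for the tiered layout:", audit(good))
    sloppy = {"sg-db": [from_cidr(3306, "10.0.0.0/16"), from_cidr(22, "0.0.0.0/0")]}
    for finding in audit(sloppy):
        print("finding:", finding)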