I am trying to set up AWS Workspaces and all works fine. I also have a requirement to restrict certain websites like Google Drive, Dropbox, etc. on my AWS instance. How can I add these web access restrictions? Is it possible to configure and apply an AWS firewall through which these restrictions are applied?
Any help/suggestions will be highly appreciated.
There are multiple ways to achieve that.
You can use some endpoint protection that allows web filtering, e.g. Sophos, Trend Micro, ...
You can use a firewall appliance that allows you to control the web traffic.
https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=firewall
You can use the new AWS Network Firewall to control the web traffic.
From: AWS Network Firewall Features
AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, AWS Network Firewall can filter fully qualified domain names (FQDN).
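As an added example (not part of the answer above), this is the shape of a Network Firewall domain-list rule group that denies Google Drive and Dropbox on both the HTTP Host header and the TLS SNI, together with a local approximation of how the domain list is matched; the domain names and rule-group name are constructed placeholders.

```python
"""Added example (not from the original answer): build an AWS Network Firewall
domain-list rule group that denies Google Drive and Dropbox, and approximate
how its TLS_SNI / HTTP_HOST matching treats hostnames. The domain names are
constructed samples and the rule-group name is an assumed placeholder."""

BLOCKED_DOMAINS = [".drive.google.com", ".dropbox.com", ".dropboxapi.com"]


def build_denylist_rule_group(domains, name="block-file-sharing", capacity=100):
    """Return the keyword arguments for boto3's network-firewall
    create_rule_group(): a STATEFUL rule group whose rules are generated
    from a domain list (RulesSourceList) and match on both the HTTP Host
    header and the TLS Server Name Indication, so the block applies to
    plain HTTP and to HTTPS without decrypting anything."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(domains),
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "DENYLIST",
                }
            }
        },
    }


def matches_domain_list(hostname, domains):
    """Local approximation of the documented domain-list semantics: an entry
    with a leading dot (".example.com") matches the domain and all of its
    subdomains; an entry without one matches that exact name only."""
    host = hostname.lower().rstrip(".")
    for entry in domains:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def sni_blocked(server_name, domains=BLOCKED_DOMAINS):
    """True if a TLS ClientHello carrying this SNI would hit the denylist."""
    return matches_domain_list(server_name, domains)
```

The returned dict is passed as `boto3.client("network-firewall").create_rule_group(**spec)`; the rule group then goes into a firewall policy attached to the WorkSpaces VPC's egress path.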
Is GCP Firewall able to allow ingress traffic based on a specific domain name?
I've googled it and didn't find any result on this.
All I know is it can allow or deny based on IP address.
A network firewall typically acts at the packet level, and since network packets don't carry information about the domain, the standard GCP VPC Firewall will not let you do that.
What you are looking for is an Application Firewall (or Layer 7 Firewall). Google Cloud has another service called Cloud Armor that has WAF (Web Application Firewall) capabilities. I think that by using Cloud Armor and load balancers you might be able to do what you want.
I have my web app, written in Vue, deployed on S3 using static website hosting.
I also have an EC2 instance set up which will serve as the backend for my app.
My question is, I'd like to restrict access to the EC2 instance to only requests coming from the site hosted on S3. Is that possible?
I see in the security group for the EC2 instance that I can specify an inbound traffic rule to limit it to a specific IP address. However, I'm not sure how I can limit it to traffic from a particular domain.
The S3 app speaking to your backend will actually be using the end user's internet connection in order to communicate, so you cannot use a security group to prevent this access if your application should be available publicly.
You can however lock it down so that the application can only be called from valid domain(s).
To do this you would need to be able to control traffic by the Referer header, which would require you to configure AWS WAF and add a rule set to allow requests where the Referer header is your domain. Then the default logic would need to block everything else.
To use a WAF it would need to be attached to one of the following resources:
Application Load Balancer
CloudFront
API Gateway
The resource would sit in front of the EC2 host.
For more information take a look at the How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking blog post.
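As an added example (not code from the answer or the linked blog post), this builds the WAFv2 web ACL the answer describes, an allow rule on the Referer header with a Block default action, and re-implements the rule locally so its edge cases can be checked; the site origin and ACL name are assumed placeholders. Note that the Referer is set by the client, so this stops casual cross-site use of the API rather than a deliberate caller.

```python
"""Added example (not from the original answer or the linked blog post): the
WAFv2 web ACL shape that allows requests whose Referer header starts with your
site's origin and blocks everything else, plus a local evaluator of the same
rule. The site origin and ACL/rule names are assumed placeholders."""

SITE_ORIGIN = "https://app.example.com/"  # assumed; keep the trailing slash


def _visibility(name):
    """Metrics and sampled requests on, so blocked requests are observable."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def referer_allow_rule(origin, name="allow-own-site-referer", priority=0):
    """One WAFv2 rule: ByteMatchStatement on the Referer header, STARTS_WITH
    the lower-cased origin, action Allow."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": origin.lower().encode(),
            "FieldToMatch": {"SingleHeader": {"Name": "referer"}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "STARTS_WITH",
        }},
        "Action": {"Allow": {}},
        "VisibilityConfig": _visibility(name),
    }


def web_acl_spec(origin, name="vue-backend-acl", scope="REGIONAL"):
    """Arguments for wafv2 create_web_acl(): the allow rule with a Block
    default action. REGIONAL is for an ALB or API Gateway; CloudFront uses
    scope CLOUDFRONT."""
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Block": {}},
        "Rules": [referer_allow_rule(origin)],
        "VisibilityConfig": _visibility(name),
    }


def evaluate(headers, origin):
    """Local re-implementation of the rule: ALLOW when the Referer starts
    with the origin (case-insensitive), otherwise the default BLOCK. A missing
    header blocks, and the trailing slash stops look-alike hosts matching."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    return "ALLOW" if referer.lower().startswith(origin.lower()) else "BLOCK"
```

Browsers under the default referrer policy send only the origin (with a trailing slash) on cross-origin requests, which is why the rule matches on the origin prefix rather than a full page URL.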
So I have an EC2 instance that has a web server. In the security groups I allowed incoming traffic on 80 and 443 but removed all the outgoing traffic for security reasons.
My application uses AWS SNS and SMTP, and of course whenever it tries to connect to these services it fails since the outbound traffic is blocked. How can I restrict the outbound traffic to just these services without using a proxy? I tried to check VPC endpoints but didn't find SNS and SMTP in the list.
You will need to enable the ports that these services need to receive your requests. Most AWS services use a REST interface which requires HTTPS (443).
For SNS you will need to enable port 443 outbound.
For SMTP you will need to look up the ports that you configured. For SES this is usually ports 465 or 587.
Amazon publishes ip-ranges.json which contains a list of IP addresses for AWS. You can create a Lambda function to automatically update your security groups with these addresses.
I would not block all outbound ports. Instead I would control where the instance can connect to using security groups and ip-ranges.json. Then I would test that you can still install updates, etc. If your instance is Windows based, then you have another can of worms adding the Microsoft sites.
IMHO: Unless you really need this level of control and security and are prepared to spend a lot of time managing everything ...
AWS IP Address Ranges
Example project:
How to Automatically Update Your Security Groups
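As an added example (not the linked project's code), this is the core of what a Lambda following the answer would do: filter ip-ranges.json down to one service and region and turn the result into the IpPermissions that a security-group egress call takes. The JSON is a constructed, trimmed sample in the real file's shape; it selects the AMAZON entries, the documented superset of AWS ranges, since SNS has no service entry of its own in the file.

```python
"""Added example (not from the original answer or the linked project): turn
the entries of Amazon's ip-ranges.json into security-group egress rules for
one service and region. SAMPLE_IP_RANGES is a constructed, trimmed sample in
the real file's shape (https://ip-ranges.amazonaws.com/ip-ranges.json)."""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",  # constructed placeholder
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def prefixes_for(ip_ranges_json, service, region):
    """Sorted, de-duplicated IPv4 prefixes for a service in a region. Several
    services list the same block, so de-duplicate before making rules; the
    ipaddress parse also rejects a malformed prefix before any API call."""
    data = json.loads(ip_ranges_json)
    found = {
        p["ip_prefix"]
        for p in data["prefixes"]
        if p["service"] == service and p["region"] == region
    }
    return sorted(found, key=lambda c: ipaddress.ip_network(c))


def egress_permissions(prefixes, port, description):
    """IpPermissions for ec2.authorize_security_group_egress(GroupId=...,
    IpPermissions=...): one TCP rule for the port, one CIDR entry per prefix."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": description} for c in prefixes],
    }]


def sns_egress_rules(ip_ranges_json, region):
    """SNS is reached over HTTPS (443). It has no service entry of its own in
    ip-ranges.json, so this selects the AMAZON superset for the region."""
    return egress_permissions(prefixes_for(ip_ranges_json, "AMAZON", region),
                              443, f"AMAZON {region} HTTPS")
```

The real AMAZON list for a region runs to far more prefixes than a single security group's default quota of 60 egress rules, so in practice the prefixes go into a managed prefix list that the security group rule references.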
To add to John's answer,
last month AWS released a product called "AWS PrivateLink" which enables people to advertise services within a VPC much like S3 endpoints do today. AWS will be publishing AWS services the same way in the coming months, so this may only be a short-term problem for you.
More information can be found at https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-aws-privatelink-for-aws-services/
I have a Python server (basic REST API) running on an AWS EC2 instance. The server supplies the data for a mobile application. I want my mobile app to connect to the Python server securely over HTTPS. What is the easiest way that I can do this?
Thus far, I've tried setting up an HTTP/HTTPS load balancer with an Amazon certificate, but it seems that the connection between the ELB and the EC2 instance would still not be totally secure (HTTP in a VPC).
When you are securing access to a REST API in an EC2 instance, there are several considerations you need to look at.
Authentication & Authorization.
Monitoring of API calls.
Load balancing & life cycle management.
Throttling.
Firewall rules.
Secure access to the API.
Usage information by consumers, etc.
Several considerations are mandatory to secure a REST API, such as
Having SSL for communication (Note: Here SSL termination at the AWS Load Balancer level is accepted, since from there onwards the traffic goes within the VPC and can also be hardened using Security Groups.)
If you plan on getting most of the capabilities around REST APIs stated above, I would recommend proxying your service in EC2 through AWS API Gateway, which will provide most of the capabilities out of the box.
In addition you can configure AWS WAF for additional security at the Load Balancer (supports AWS Application Load Balancer).
You can leverage some of the AWS services to handle these.
Question answered in the comments.
It's fine to leave traffic between ELB and EC2 unencrypted as long as they are in the same VPC and the security group for the EC2 instance(s) is properly configured.
Is there any way I can have a load balanced endpoint that does not get exposed publicly in Azure?
My scenario is that I have an endpoint running on multiple VMs. I can create a load balanced endpoint, but this creates a publicly available endpoint.
I only want my load balanced endpoint to be available for my web applications running in Azure (Web Workers and Azure Websites).
Is there any way to do this?
As @Brent pointed out, you can set up ACLs on Virtual Machine endpoints. One thing you mentioned in your question was the ability to restrict inbound traffic to only your web/worker role instances and Web Sites traffic.
You can certainly restrict traffic to web/worker instances, as each cloud service gets an IP address, so you just need to allow that particular IP address. Likewise, you can use ACLs to restrict traffic to other Virtual Machine deployments (especially in the case where you're not using a Virtual Network). Web Sites, on the other hand, don't offer a dedicated outbound IP address, so you won't be able to use ACLs to manage Web Sites traffic to your Virtual Machines.
Yes, Windows Azure IaaS supports ACLs on endpoints. Using this feature, you can restrict who connects to your load balanced endpoints. For more information see: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-acl/