AWS WorkSpaces Security Group Egress Requirements - amazon-web-services

I need to restrict some WorkSpaces' internet access to approved IPs. The easiest way (according to my understanding) would be to modify the d-xxxxxxxxxx_workspacesMembers security group outbound rules. To test, I just removed all outbound rules (meaning no outbound access), but it seems like the WorkSpace won't start up.
The short question is, where can I find a list of outbound access requirements so that I can whitelist them? All I can find are client internet requirements: https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html
The longer question is what is the best way to restrict outbound access? I'm not opposed to something like a squid proxy, but our requirements aren't that complex, a simple IP whitelist would be fine.

From my point of view, the right approach would be to use a firewall appliance or AWS Network Firewall (or maybe an endpoint protection product) to control the traffic.
From: Security Groups for Your WorkSpaces
Do not modify or delete the _controllers and the _workspacesMembers security groups. If you modify or delete these security groups, your WorkSpaces won't function correctly, and you won't be able to recreate these groups and add them back.
Alternatively, Windows Firewall rules rolled out via GPO should also work, but that is not the best approach from my point of view.

Related

How to whitelist a large list of IP addresses on AWS EC2 instances?

I have a large list of IPs (>100) that need to be whitelisted for both inbound and outbound communication on EC2 instances. Is there a way to whitelist them collectively? (The IPs also don't belong to a range and are discontinuous.) We are currently using security groups for whitelisting IPs, but I couldn't find an easy way to whitelist a large collection of IPs.
PS- I tried exploring IP sets in AWS WAF, but it requires setting up an application load balancer, additionally since we are already using security groups, blocking IPs at the application layer (via WAF) will also block IPs that are already whitelisted at the EC2 level.
Thanks in Advance!
You can use managed prefix lists, which make it easier to configure and maintain your security groups.
Keep in mind that every entry in the prefix list counts as a rule in your SG, so you will probably need to request an increase of the default quota (60 inbound and 60 outbound rules per security group).
For EC2 port access the best option you have is security groups. But you had better use IaC to manage this, such as Terraform or CloudFormation; it will help you manage the IP list better and keep it all in one file.
Here is a reference for Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
Another easy option is to maintain a CSV file to store the IP addresses and use a Python script to update your security group. Since working with Excel/CSV files is more popular, you can easily find Python scripts to read CSV files and then use boto3 to update your security group.
Maintaining the whitelisted IPs in a security group (which is the best option, I believe), you don't need rules for both inbound and outbound.
Since security groups are stateful, you need to mention the whitelisted IPs in the inbound rule only.
(You may have a different use case for outbound, which I am not sure about.)
However, I think the best way to handle it is via automation. You can create a DynamoDB table with the different rule entries and enable DynamoDB Streams; any change triggers a Lambda which in turn creates/amends the security group associated with the EC2 instance.
You can use an IP prefix list to simplify your design and use it where required.
You can use the links below for more info.
https://aws.amazon.com/about-aws/whats-new/2020/06/amazon-virtual-private-cloud-customers-use-prefix-lists-simplify-configuration-security-groups-route-tables/
https://aws.amazon.com/blogs/networking-and-content-delivery/simplify-network-routing-and-security-administration-with-vpc-prefix-lists/
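The CSV-plus-boto3 suggestion and the prefix-list answers above, carried through as an added example (this is not code from any of the answers): the CSV allow list is validated and normalised into the Entries shape that create_managed_prefix_list takes, split into lists small enough that a referencing security group stays inside the 60-rule default, and turned into the ingress permission that references the list. The CSV layout (address,description), the list name, the group ID and the port are assumptions; the sample rows use RFC 5737 documentation addresses and are constructed for the demo. Only the final apply_plans function talks to AWS, and it imports boto3 lazily so everything else runs offline.

```python
"""Added example (not from the answers above): build VPC managed prefix list
entries from a CSV allow list and the security group rule that references them.
Assumptions, not from the page: CSV columns are "address,description"; the
prefix list name, security group ID and port used below are placeholders."""
import csv
import io
import ipaddress

# Default quota: 60 inbound and 60 outbound rules per security group. A referenced
# prefix list is charged at its MaxEntries, not at the number of entries it holds.
SG_RULES_PER_DIRECTION = 60

# Constructed sample input (RFC 5737 documentation ranges, not real addresses).
SAMPLE_CSV = """address,description
203.0.113.10,office A
203.0.113.10,office A (duplicate row)
198.51.100.0/28,partner range
192.0.2.77,monitoring
"""


def prefix_list_entries(csv_text):
    """Validate and normalise CSV rows into the Entries shape that
    ec2.create_managed_prefix_list expects, de-duplicated and sorted."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["address"].strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)  # "1.2.3.4" becomes 1.2.3.4/32
        except ValueError as exc:
            raise ValueError(f"invalid address {raw!r}") from exc
        if net.version != 4:
            raise ValueError(f"IPv6 entry {raw!r} needs a separate IPv6 prefix list")
        if net.prefixlen == 0:
            raise ValueError("refusing 0.0.0.0/0 in an allow list")
        # First description wins for duplicate rows; API limit is 255 characters.
        entries.setdefault(str(net), (row.get("description") or "").strip()[:255])
    ordered = sorted(entries, key=ipaddress.ip_network)
    return [{"Cidr": c, "Description": entries[c]} for c in ordered]


def plan_prefix_lists(entries, name, max_entries=SG_RULES_PER_DIRECTION):
    """Split entries into create_managed_prefix_list keyword arguments, each
    sized so that a single referencing security group stays within max_entries."""
    plans = []
    for start in range(0, len(entries), max_entries):
        chunk = entries[start:start + max_entries]
        plans.append({
            "PrefixListName": f"{name}-{len(plans) + 1}",
            "AddressFamily": "IPv4",
            "MaxEntries": len(chunk),  # grow later with modify_managed_prefix_list
            "Entries": chunk,
        })
    return plans


def sg_ingress_permission(prefix_list_id, port, protocol="tcp"):
    """IpPermissions element for authorize_security_group_ingress. Security groups
    are stateful, so no matching egress rule is needed for the replies."""
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "csv allow list"}],
    }


def apply_plans(plans, group_id, port, region_name=None):
    """Create the prefix lists and attach one ingress rule per list. Requires
    boto3 and AWS credentials; imported lazily so the offline demo runs without it."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    created = []
    for plan in plans:
        pl_id = ec2.create_managed_prefix_list(**plan)["PrefixList"]["PrefixListId"]
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=[sg_ingress_permission(pl_id, port)]
        )
        created.append(pl_id)
    return created


if __name__ == "__main__":
    plans = plan_prefix_lists(prefix_list_entries(SAMPLE_CSV), "csv-allowlist")
    for plan in plans:
        print(plan["PrefixListName"], plan["MaxEntries"], [e["Cidr"] for e in plan["Entries"]])
    # apply_plans(plans, "sg-0123456789abcdef0", 443)  # placeholder ID; needs credentials
```

Two points the code makes explicit: a referenced list is debited from the security group's rule quota at its MaxEntries, so a single list of 100 entries still needs the quota increase the answer mentions, and the allow list is rejected outright if someone slips 0.0.0.0/0 or a malformed address into the CSV rather than silently producing an open rule.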
I know it's pretty late, but you can allow all IPs in your security group and, inside your EC2 machine if it's Linux based, set iptables to explicitly allow those IP addresses and block anything else.
iptables -A INPUT -i lo -j ACCEPT                                        # keep loopback traffic working
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to connections the instance opened itself (DNS, updates)
iptables -A INPUT -s ip1,ip2,ip3 -j ACCEPT                               # allow-listed sources; iptables expands the comma list into one rule per address
iptables -A INPUT -j DROP                                                # everything else; add this last, from an allow-listed IP, so you are not locked out

Amazon EC2 allow outbound access to AWS SDK endpoints

I have an Apache server running on an EC2 instance, from which I am serving a PHP webpage that lists EC2 instances under my account, allows for toggling them on/off, etc.
The problem is that the AWS SDK call (specifically describeInstances, but in general) can't reach the endpoint. I have looked into what IP ranges AWS uses, described here. I would like to avoid putting all of those IP ranges into my security group if possible. Because the endpoint resolves to different IPs in different requests, there doesn't seem to be one IP range that will work (besides 0.0.0.0/0, which I don't want to use).
Is there a way to allow outbound access to specifically AWS-provided services without manually entering all of these IP ranges? It seems like there should be a better way to do this.

AWS EC2 > IGW Outbound Traffic Filtering by Domain or URL

I have an EC2 instance with Windows Server; I'm using it only with RDP. Can I somehow block outbound traffic from the browser to a specific domain (e.g. abc.example.com) or URL? I'd rather do it in the AWS Dashboard so that RDP users do not have access to whitelist this domain/URL.
How can I achieve this? Thanks!
There is not a native AWS solution for this; of course you could allow only specific IP addresses. The problem with this is that for domains these may change; when you look at the cloud you can see that many services (such as load balancers and CDNs) will be changing their IP addresses.
The ideal solution is that you would deploy software (running on EC2) that is able to filter outbound traffic based on domain name. There are solutions on the AWS Marketplace, as well as filtering using a dumb proxy.
The network setup would involve you creating a number of subnets containing the EC2 instances. These would have a route table forwarding all traffic (0.0.0.0/0) to a NAT.
Then for all applications that need to have their outbound traffic filtered they would update their route table to route all traffic (0.0.0.0/0) to the ENI of one of the filtering hosts (ideally in the same AZ).
More information: https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/
You can configure Access Control Lists (ACL) and Security Groups to filter outbound traffic. However, both of those tools only allow filtering based on IP address, not domain.
If you are confident that the IP addresses won't change, then you can configure these services. If you aren't interested in maintaining a blacklist, then you might need to check on some OS-level limits.
The simplest and easiest way is to implement an Aviatrix FQDN egress filter. It serves the purpose from a centralized user interface to whitelist/blacklist the URLs in every VPC.
A Next Generation Firewall (NGFW) implementation just to achieve URL / FQDN filtering is overkill, especially from the cost point of view, whereas a proxy implementation has its complexity and doesn't provide centralized control; every VPC has to be managed separately.
The easiest way is to get an Aviatrix launch partner like SDxWORx and enable it with discounted PAYG pricing.
https://aws.amazon.com/marketplace/pp/prodview-laruhupdkcpuy/

Why is AWS NACL stateless?

From what I read, stateless firewalls are used more for packet filtering. Why is AWS NACL stateless?
NACLs force too big a range of ports to be opened for the ephemeral ports.
Is there a way to create stateful firewalls on AWS other than Security Groups? Security Groups feel too granular and may get omitted by mistake.
Network Access Control Lists (ACLs) mimic traditional firewalls implemented on hardware routers. Such routers are used to separate subnets and allow the creation of separate zones, such as a DMZ. They purely filter based upon the content of the packet. That is their job.
Security Groups are an added capability in AWS that provides firewall-like capabilities at the resource level. (To be accurate, they are attached to Elastic Network Interfaces, ENIs). They are stateful, meaning that they allow return traffic to flow.
In general, the recommendation is to leave NACLs at their default settings (allow all traffic IN & OUT). They should only be changed if there is a specific need to block certain types of traffic at the subnet level.
Security Groups are the ideal way to control stateful traffic going in and out of a VPC-attached resource. They are THE way to create stateful firewalls. There is no other such capability provided by a VPC. If you wanted something different, you could route traffic through an Amazon EC2 instance acting as a NAT and then you would have full control over how it behaves.
NACL is stateless. That means by default access is denied inbound and outbound. If you allow some traffic (TCP or other) inbound, outbound has to be explicitly allowed (of course, if you want that).
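The ephemeral-port point made in the question and the answers above, as an added example (not code from any of the answers): a small evaluator of network ACL semantics, applied to a subnet ACL for an HTTPS server. Entry fields mirror the parameters of create_network_acl_entry (ascending rule numbers, first match wins, implicit final deny, protocol numbers as strings, port ranges meaning destination ports); the ACL ID, addresses and flows are constructed for the demo. It shows that with only the port-443 rules an inbound request is accepted but its reply to the client's high port is dropped, and that a lower-numbered deny overrides a later allow.

```python
"""Added example (not from the answers above): a small evaluator of network ACL
semantics, showing why a stateless ACL needs the ephemeral port range opened
in the opposite direction. Entry fields mirror ec2.create_network_acl_entry
parameters; the ACL ID and the flows below are constructed for the demo."""
from dataclasses import dataclass
import ipaddress

# Return traffic is addressed to a high client port; AWS documents 1024-65535 as
# the range to open (the low end a given client OS actually uses may be higher).
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class AclEntry:
    rule_number: int   # evaluated in ascending order, first match wins
    egress: bool       # False = inbound rule, True = outbound rule
    protocol: str      # IANA protocol number as a string: "6" = TCP, "-1" = all
    cidr: str          # remote address range the rule matches
    port_from: int     # destination port range (ignored when protocol is "-1")
    port_to: int
    action: str        # "allow" or "deny"

    def to_api_kwargs(self, acl_id):
        """Keyword arguments for ec2.create_network_acl_entry."""
        kwargs = {
            "NetworkAclId": acl_id, "RuleNumber": self.rule_number,
            "Egress": self.egress, "Protocol": self.protocol,
            "RuleAction": self.action, "CidrBlock": self.cidr,
        }
        if self.protocol != "-1":
            kwargs["PortRange"] = {"From": self.port_from, "To": self.port_to}
        return kwargs


def evaluate(entries, egress, remote_ip, dst_port, protocol="6"):
    """NACL rules are checked in ascending rule number; the first match decides;
    the implicit final '*' rule denies everything else."""
    remote = ipaddress.ip_address(remote_ip)
    for e in sorted((x for x in entries if x.egress == egress), key=lambda x: x.rule_number):
        if e.protocol not in ("-1", protocol):
            continue
        if remote not in ipaddress.ip_network(e.cidr):
            continue
        if e.protocol != "-1" and not (e.port_from <= dst_port <= e.port_to):
            continue
        return e.action == "allow"
    return False


def inbound_session_allowed(entries, client_ip, client_port, server_port):
    """A client-initiated TCP session needs two independent decisions, because
    the ACL keeps no state: the request (ingress, dst=server_port) and the
    reply (egress, dst=client_port, the client's ephemeral port)."""
    return (evaluate(entries, False, client_ip, server_port)
            and evaluate(entries, True, client_ip, client_port))


def outbound_session_allowed(entries, remote_ip, local_port, remote_port):
    """Mirror image for sessions the instance initiates (package updates, API calls)."""
    return (evaluate(entries, True, remote_ip, remote_port)
            and evaluate(entries, False, remote_ip, local_port))


def web_server_acl(with_ephemeral=True):
    """Subnet ACL for an HTTPS server that also makes outbound HTTPS calls."""
    entries = [
        AclEntry(100, False, "6", "0.0.0.0/0", 443, 443, "allow"),  # requests from clients
        AclEntry(100, True, "6", "0.0.0.0/0", 443, 443, "allow"),   # instance-initiated HTTPS
    ]
    if with_ephemeral:
        entries += [
            AclEntry(110, True, "6", "0.0.0.0/0", *EPHEMERAL, "allow"),   # replies to clients
            AclEntry(110, False, "6", "0.0.0.0/0", *EPHEMERAL, "allow"),  # replies to the instance
        ]
    return entries


if __name__ == "__main__":
    for flag in (True, False):
        acl = web_server_acl(flag)
        print("with ephemeral rules" if flag else "without ephemeral rules",
              "| inbound session:", inbound_session_allowed(acl, "203.0.113.5", 51234, 443),
              "| outbound session:", outbound_session_allowed(acl, "198.51.100.9", 40000, 443))
```

The wide 1024-65535 egress allow is exactly what the question objects to, and the evaluator shows why it cannot be avoided with a stateless ACL: the reply packet carries the client's ephemeral port as its destination and is judged on its own. A security group, being stateful, admits the reply because it remembers the request.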

AWS: How to allow all TCP traffic between all instances in same VPC?

I am setting up EMR clusters on demand, and have a Windows EC2 server as a workstation and a Linux EC2 server as a secondary server, all in the same VPC. I would like to avoid having to set security group rules each time an instance comes up with a new IP.
How would I simply allow any traffic to flow freely between all servers in the same VPC?
Thanks!
EDIT - Thanks for the replies. I know this is not good practice in production, but we are dealing with some issues tracking down functionality which we believe is caused by ports; this is just an exploration phase, and this will help us. Thanks!
In the security groups, assign incoming access to other security groups by specifying a security group ID instead of IP addresses. In the web console, if you start typing "sg" in the source field it will pop up a list of your security groups to choose from. Using a security group ID as the source allows all resources that belong to that security group to have access.
Alternatively, if you just want one rule that allows access to every resource in your VPC you would specify your VPC's IP range.
Allowing any traffic between ALL servers in the VPC is not a good practice.
You should rethink your VPC's purpose.
Anyway, if you want a group of servers to communicate with each other, you can create a Security Group
and assign it to all the servers that you want,
and in the inbound rules you add one rule of type "All TCP" whose source is the same Security Group.
If your Security Group ID is 'sg-xxxxxxxx'
then the rule will be like this:
All TCP | TCP | 0-65535 | custom | sg-xxxxxxxx
To add to the other answers here, if you really want this, you can set it up via the Subnet or VPC IP CIDR Block
For example, if your VPC is 10.0.0.0/16, then add that to your security groups and all VPC traffic should be able to flow to each other.