Question
Tried to find a way to put DynamoDB in a VPC but could not find one so far.
For Lambda, it can be inside a VPC with an ENI having an IP from a VPC subnet, and then the Lambda does not have any internet connectivity without NAT.
Please confirm: DynamoDB has no such feature and it is always internet-facing, although we can route the traffic so it does not go over the Internet via a DynamoDB VPC endpoint.
That is correct. You can, however, use IAM policies with conditions to limit access to within a VPC. See: Restricting Access to a Specific VPC
You are right, DynamoDB is always internet-facing. Does it bother you? Access to DynamoDB is denied without IAM authentication.
DynamoDB Preventative Security Best Practices -
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/best-practices-security-preventative.html
TLDR, main points -
1. Use IAM policy conditions for fine-grained access control
2. Use a VPC endpoint and policies to access DynamoDB
3. Encryption at rest
4. Use IAM roles
Related
I have the following AWS VPC configuration:
2 public subnets
2 private subnets
CloudFront is in front of the load balancer. The load balancer is linked to the public subnets and my RDS database resides in the private subnets.
What I want to accomplish is:
Create an API Gateway (publicly accessible) but restricted so that only a specific IP address can access it. The API Gateway is connected to a Lambda function that, when called/triggered, must update some table data of my (private) RDS Postgres instance.
From my understanding the first step would be to create an IAM role for the Lambda function so that it is only accessible by the IP address mentioned above.
Now what is the best way to access a private RDS from that Lambda connected to API Gateway? Especially without using a NAT Gateway, because of the crazy cost associated with it.
Can someone help me figure out how to do it? I am referring to a high-level understanding of how to do it.
As Norman said in their comment, you can control access to your API in API Gateway, and limit it to certain IP addresses, with API Gateway Resource Policies. This will at the same time control access to your Lambda that's behind that API.
You can then edit the Lambda's Configuration -> VPC setting and add it to a subnet that has access to your RDS database (either the same subnet as the database, or another subnet that has access permissions to the RDS subnet). To connect your Lambda to a VPC, the Lambda execution role will need the following permissions:
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface
They are, for example, included in the managed policy AWSLambdaVPCAccessExecutionRole. Here you can read more about configuring a Lambda for VPC access.
How to enable VPC access for AWS CodeBuild/Code Pipeline?
I am working on the Neptune database and it requires a VPC to access it. While building code inside AWS CodeBuild, my tests are failing because it's not able to access the Neptune database. How can I configure the pipeline to allow CodeBuild to access the VPC?
This AWS Documentation guide will help you configure your CodeBuild project with your VPC.
But I am sure you must have gone through it. Please share the error as well.
Link
Select Environment from your CodeBuild project settings, and in the advanced settings section you can select the VPC, subnets and security group for your project.
For Subnets, choose a private subnet that has routes to your DB. If internet access is required, a NAT gateway must be attached in the route table of the private subnet. CodeBuild only works with NAT, not with a public subnet, for internet access.
Be sure you have enabled AWS IAM authentication in your Neptune database config. You then need to allow the role you are running CodeBuild under to access that Neptune database. You will then be able to access it. Assuming it is an IAM error, please post more information if this is not the case. You will need to ensure the role you run as has the correct permissions to query Neptune.
There are detailed documents here on how to do this.
You can assign a managed policy to your role; the following are available:
NeptuneReadOnlyAccess
NeptuneFullAccess
NeptuneConsoleFullAccess <-- not really applicable to a CI process.
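One point the answer above leaves implicit: once IAM authentication is enabled on the cluster, attaching NeptuneFullAccess to the CodeBuild role only decides whether a request is authorised; the request itself is rejected unless it carries a SigV4 signature made with that role's temporary credentials (service name neptune-db, with the session token in a signed x-amz-security-token header). The following is an added example, not code from the answer and not Neptune's own signing helper, that signs a Gremlin query using only the Python standard library. The host, region, credentials and pinned timestamp are constructed placeholders; inside CodeBuild you would take the credentials the SDK's default provider chain obtains for the build role and omit `now`.

```python
import datetime
import hashlib
import hmac
import urllib.parse

SERVICE = "neptune-db"   # SigV4 service name Neptune expects for IAM-authenticated requests


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, SERVICE)
    return _hmac_sha256(k, "aws4_request")


def sign_neptune_request(method, host, path, body, region, access_key, secret_key,
                         session_token=None, query=None, now=None):
    """Return the HTTP headers (including Authorization) for a SigV4-signed Neptune call.
    `host` is host:port exactly as sent in the Host header (Neptune listens on 8182)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:                  # temporary credentials (a build role) must send the token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted((query or {}).items()))
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    headers["content-type"] = "application/json"   # not part of SignedHeaders, so added afterwards
    return headers


# Constructed placeholders (not a real cluster or real credentials); time is pinned so the
# demo is reproducible. For a real call drop `now` so x-amz-date is current.
EXAMPLE_HOST = "my-cluster.cluster-abcdefghijkl.eu-west-1.neptune.amazonaws.com:8182"
EXAMPLE_TIME = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def example_headers(body='{"gremlin": "g.V().limit(1)"}', session_token="FwoGZXIvYXdzEXAMPLE"):
    return sign_neptune_request("POST", EXAMPLE_HOST, "/gremlin", body, "eu-west-1",
                                "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                session_token=session_token, now=EXAMPLE_TIME)


if __name__ == "__main__":
    # These headers would go on an HTTPS POST to https://<EXAMPLE_HOST>/gremlin with the same body.
    for name, value in example_headers().items():
        print(f"{name}: {value}")
```

The signature covers the host, date, session token and the SHA-256 of the body, so a replayed or altered query fails verification; the date also bounds the replay window. If the build still gets a 403 after signing, the remaining suspects are the role's policy (the Resource ARN of the cluster) and the security group on the cluster's port, which is why the answer asks for the exact error.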
I was able to find in my research that there are some ways to find all our AWS resources, but can you suggest any solution to find the public resources in our AWS account?
Unfortunately, there is no easy way to find all resources that are allowed to communicate with the outside world. However, the only way for most of the resources in AWS to connect to the internet is through a VPC that is configured to allow access to the 0.0.0.0/0 network with a Security Group and ACL. So what you can do is search for the VPC ID on the resource categories, and any results you get can connect to the internet.
This can be a very tedious task and this is NOT 100% guaranteed to find all resources, as some resources have a self-sustained VPC per resource, such as S3. So my suggestion is that you get used to using tags for resources.
Also maybe think about using infrastructure as code approach using something like Terraform.
If you have all of your instances in a VPC you could enable VPC Flow Logs on your VPC and then monitor all VPC traffic that way.
For the instances that are not in VPC's you could have CloudWatch logs enabled for that instance and then monitor the traffic that way.
Your instances should have security groups attached to them, so you can review the rules and see if you have an outbound rule set to 0.0.0.0/0.
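The two answers above both come down to reading security group rules for 0.0.0.0/0 (and its IPv6 twin ::/0). An added example, not code from either answer, that does that review over the JSON shape `aws ec2 describe-security-groups` returns: it reports inbound rules open to the internet (exposed ports) separately from outbound rules open to the internet (instances that can reach out if their subnet has a route). The two groups in `SAMPLE_SECURITY_GROUPS` are constructed for the demo; on a real account replace them with the `SecurityGroups` list from the CLI or boto3.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not real groups).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb222", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]}],   # SG-to-SG reference, not a CIDR
     "IpPermissionsEgress": []},
]

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _rule_networks(rule):
    """Yield every CIDR in a rule; SG-to-SG and prefix-list references carry no CIDR."""
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def _ports(rule):
    if rule.get("IpProtocol") == "-1":          # "-1" is the API's spelling of "all traffic"
        return "all"
    return f"{rule['IpProtocol']}/{rule.get('FromPort')}-{rule.get('ToPort')}"


def find_open_rules(security_groups):
    """Return every rule whose source/destination is the whole internet.
    'ingress' findings are ports exposed to the internet; 'egress' findings are groups whose
    members can reach the internet (if the subnet's route table gives them a way out)."""
    findings = []
    for sg in security_groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                for net in _rule_networks(rule):
                    if net == ANY_V4 or net == ANY_V6:
                        findings.append({"GroupId": sg["GroupId"],
                                         "GroupName": sg.get("GroupName"),
                                         "Direction": direction,
                                         "Cidr": str(net),
                                         "Ports": _ports(rule)})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_open_rules(SAMPLE_SECURITY_GROUPS), indent=2))
```

A group with only SG-to-SG rules (like `db` above) produces no finding even though it is reachable through `web`, so this check answers "what is directly exposed", not "what is reachable"; VPC Flow Logs, as the answer suggests, are the way to see what actually talks to the outside.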
You can give Netflix's Security Monkey a try. The tool will make a complete report of all secure and insecure AWS assets, including Security Groups, IAM Policies and S3 Buckets. In fact, it also provides a ticketing-like system to collaborate on such problems.
You can use the IAM Access Analyzer console.
I am facing a problem to access SimpleDB database from my VPC enabled Lambda function.
Below are the things which I have already done for the VPC-enabled Lambda:
1. I have already set up my VPC configuration, which includes the NAT Gateway setting, public and private subnets and also a Security Group, and also created an Elastic IP for the same.
2. I have already tested my VPC-enabled Lambda by calling a third-party API to check internet access from my VPC-enabled Lambda, and it is working fine.
3. I have also added SimpleDB permission policies to my VPC-enabled Lambda role.
4. Also, I checked the SimpleDB connection in the Lambda code without a VPC and it is working fine.
But when I am trying to access SimpleDB with the VPC enabled, it is resulting in a timeout error.
Can anyone please help me out on this ?
I would like to restrict access to objects stored in an Amazon S3 bucket.
I would like to allow all the users on our LAN (they may or may not have Amazon credentials, since the entire infrastructure is not on AWS). I have seen some discussion around IP address filtering and VPC endpoints. Can someone please help me here? I am not sure if I can use a VPC endpoint since not all users on our LAN are in an Amazon VPC.
Is this possible?
Thanks
Most likely your corporate LAN uses static IP addresses. You can create S3 policies to allow (or deny) access based upon IP addresses. Here is a good AWS article on this:
Restricting Access to Specific IP Addresses
VPC Endpoints are for VPC-to-AWS-services connectivity (basically using Amazon's private network instead of the public Internet). VPC Endpoints won't help you with corporate connectivity (except if you are using Direct Connect).
Here is how I would solve it:
1. Configure users from a corporate directory who use identity federation with SAML.
2. Create groups.
3. Apply policies to the groups.
This will give fine-grained control and less maintenance overhead.
This will help you control not only S3 but any future workloads you migrate to AWS, and the permissions to those resources as well.
IP-based filtering is prone to security risks, has high maintenance in the long run, and is not scalable.
EDIT:
Adding more documentation to do the above,
Integrating ADFS with AWS IAM:
https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/
IAM Groups:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html