In a private subnet, we have an EC2 instance (client) talking to a server (another EC2 instance) listening on a port.
The client EC2 instance is assigned a role to get access to the server EC2 instance. Client and server are Go programs.
An AWS role is mainly used to make AWS API calls between any two AWS services without specifying credentials.
Does an AWS role also help in client-server communication, to authenticate the right client?
Not directly, no. You don't use IAM to control access between your client and your server. You use it to control access between your client and AWS services. IAM authenticates clients and authorizes them to perform specific actions against specific AWS resources.
One option that would allow your client to leverage IAM roles for authentication to your server's API would be to insert API Gateway between them. Another option is to use standard auth mechanisms such as bearer tokens, API request signing etc.
Note that, typically, you would use Security Groups to control which EC2 instances can actually talk to the server API on port N.
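Of the standard mechanisms the answer names, a bearer token is the simplest to put between two Go services. The following is an added example written for this page, not code from the question or the answer: an in-process server that keeps one token per known client, checks the presented token in constant time against every entry, and hands the identified client name to the handler. The client names, the tokens and the /status route are constructed for the demonstration.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Authenticator holds one bearer token per known client. The tokens would be
// issued out of band (for instance from a secrets store the instance role can
// read) and presented only over TLS.
type Authenticator struct {
	tokens map[string]string // client name -> token
}

// Identify returns the name of the client that owns token, or "" if none does.
// Every entry is checked with a constant-time compare and the loop never exits
// early, so response timing does not reveal which tokens exist or how many
// leading bytes of a guess were right.
func (a *Authenticator) Identify(token string) string {
	found := ""
	for name, want := range a.tokens {
		if subtle.ConstantTimeCompare([]byte(token), []byte(want)) == 1 {
			found = name
		}
	}
	return found
}

type ctxKey struct{}

// ClientFromContext returns the client name stored by RequireBearer.
func ClientFromContext(ctx context.Context) string {
	name, _ := ctx.Value(ctxKey{}).(string)
	return name
}

// RequireBearer rejects requests without a valid "Authorization: Bearer <token>"
// header and passes the identified client name to the wrapped handler.
func RequireBearer(a *Authenticator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const scheme = "bearer "
		auth := r.Header.Get("Authorization")
		if len(auth) <= len(scheme) || !strings.EqualFold(auth[:len(scheme)], scheme) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="internal"`)
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		client := a.Identify(strings.TrimSpace(auth[len(scheme):]))
		if client == "" {
			w.Header().Set("WWW-Authenticate", `Bearer realm="internal", error="invalid_token"`)
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, client)))
	})
}

// NewServer starts an in-process test server so the example runs offline.
func NewServer(tokens map[string]string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "ok %s\n", ClientFromContext(r.Context()))
	})
	return httptest.NewServer(RequireBearer(&Authenticator{tokens: tokens}, mux))
}

// Call is the client side: GET url with the token, return status and body.
func Call(c *http.Client, url, token string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, "", err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

func main() {
	// Constructed sample clients and tokens.
	srv := NewServer(map[string]string{"orders-client": "tokenA-constructed", "billing-client": "tokenB-constructed"})
	defer srv.Close()
	for _, tok := range []string{"", "not-a-token", "tokenA-constructed"} {
		code, body, _ := Call(srv.Client(), srv.URL+"/status", tok)
		fmt.Printf("token=%q -> %d %q\n", tok, code, body)
	}
}
```

The security group rule from the answer still decides which instances can reach the port at all; the token then tells the server which of those instances is the expected client, and the constant-time compare keeps a wrong token from being narrowed down byte by byte.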
Due to some security policies in our company, we want to restrict access to the VPN Client Endpoint for those users who are NOT using the latest AWS VPN Client on their laptops. I cannot find any references in AWS CloudWatch or in the Connections tab where I can check the version of the user's client.
Does anyone have some ideas?
I can't figure out how to make them talk using API calls. Previously I used API Gateway, which would trigger Lambdas, and those Lambdas would interact with DynamoDB and other services and send me back a JSON response. Now I want to shift to EC2 instances and totally skip API Gateway usage, and let a server I run in EC2 do the computation for me. Do I need to deploy a web service (Django RESTful) in the EC2 instance and then call it from my frontend? If yes, I need a little guidance on how.
And suppose I want to access S3 storage from my Django RESTful service in EC2. Can I do it without having to enter the access key ID and secret key, and use roles instead, just like how I would access S3 from the EC2 instance without an access key and ID? Traditionally with the SDK we have to use access keys and secret keys to even get authorized to use services, so I was wondering if there was a way to get around this since the program will be running in the EC2 instance itself. One really inefficient way would be to run a batch command that makes the EC2 instance interact with the services I need without the SDK and with roles instead, but it is really inefficient and too much work as far as I can see.
As you are familiar with API Gateway, you can use it to connect to your EC2 instance via its private integration, with the use of VPC Links.
You can create an API Gateway API with private integration to provide your customers access to HTTP/HTTPS resources within your Amazon Virtual Private Cloud (Amazon VPC). Such VPC resources are HTTP/HTTPS endpoints on an EC2 instance behind a Network Load Balancer in the VPC.
You can go through this document for step-by-step integration.
If you do not want to use API Gateway any more, then you can simply use Route 53 to route traffic to the EC2 instance; all you need is the IP address of the EC2 instance and a hosted zone created using Route 53.
Here is a tutorial for your reference.
I'm looking to set up an AWS API Gateway which will have private APIs (internal business client apps only).
One of the client apps that will be making requests to one of the APIs is a client that is on-prem.
What options are available to authenticate requests coming from a client when that client is on-prem? Is there some type of tunnel I am able to create between the on-prem client and the AWS VPC?
I don't want to make the APIs public at all. So I want to continue to keep all APIs private. Any and all insights appreciated.
The following tools are provided to enhance the security of API Gateway.
Firstly, there's support for a private API Gateway. By doing this it will only be accessible from the VPC and from devices connected via VPN or Direct Connect to the API Gateway.
If it must be publicly accessible but kept private, you can lock down the endpoint via either an API Gateway Resource Policy or by attaching a WAF to your API Gateway.
Finally, if you need more advanced methods of authenticating and providing authorization to specific routes in your API, then you should look at API Gateway's Lambda Authorizers feature.
It looks like the simple answer is:
Option 1: Use Direct Connect
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
or
Option 2: Use AWS Site-to-Site VPN
https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html
I've an API that should only be accessed from another AWS account. I've followed some AWS documentation and this is what I've done:
Created an internal NLB in front of an ASG. All these are in a private subnet.
Created an API Gateway that connects to the NLB using a VPC Link.
Created a Custom Domain Name (via Route53) and set a certificate using ACM.
The resources use AWS_IAM as authorisation.
The resource policy grants the other account authorisation to the resource.
In the authorised account, I've created an EC2 instance and associated an IAM role with full access to the API Gateway.
When I try to connect by signing the requests (using this), it works just fine. But the request signing requires the AWS access key and secret key.
This doesn't sound right to me. What am I doing wrong? Is there another way of doing this without the credentials?
Cheers.
When required to provide the access key and secret key, I suppose you need to install the authorising app called Postman (please check out this doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html).
Also, in your step 5, I think if you want to access the API Gateway endpoint from an EC2 instance, you have to first create a Role within that EC2 account, then attach the Role to that EC2 instance, and finally grant the Role API Gateway permission in your current account.
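What the signing library in the question is doing with those keys is Signature Version 4. The block below is an added example for this page, written against the Go standard library rather than the AWS SDK's signer (which is what you would use in practice); it is not code from the question, the answer or AWS. It shows why the key pair is still needed with a role: the signature is an HMAC derived from the secret key and scoped to date, region and service, so some secret must exist on the client. With an instance role the SDK fetches that key pair, plus a session token, from the instance metadata service as short-lived credentials, and the session token is signed along with the other headers. The credentials, host and path in main are constructed placeholders; "execute-api" is the service name API Gateway uses for IAM-authorised calls.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Credentials in the shape the instance metadata service hands to an EC2 role:
// a temporary key pair plus a session token (empty for long-lived user keys).
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// awsEscape is RFC 3986 escaping as SigV4 wants it (space as %20, not +).
func awsEscape(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// SignV4 computes a Signature Version 4 signature for req, sets the X-Amz-Date,
// X-Amz-Security-Token (when a session token is present) and Authorization
// headers, and returns the hex signature. body is the payload that will be sent.
func SignV4(req *http.Request, body []byte, creds Credentials, region, service string, now time.Time) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	dateStamp := amzDate[:8]
	req.Header.Set("X-Amz-Date", amzDate)
	if creds.SessionToken != "" {
		req.Header.Set("X-Amz-Security-Token", creds.SessionToken)
	}

	// Step 1: canonical request. Headers are lower-cased, trimmed and sorted,
	// and the host header is always part of the signed set.
	headers := map[string]string{"host": req.Host}
	for k, v := range req.Header {
		headers[strings.ToLower(k)] = strings.TrimSpace(strings.Join(v, ","))
	}
	names := make([]string, 0, len(headers))
	for k := range headers {
		names = append(names, k)
	}
	sort.Strings(names)
	var canonHeaders strings.Builder
	for _, k := range names {
		canonHeaders.WriteString(k + ":" + headers[k] + "\n")
	}
	signedHeaders := strings.Join(names, ";")

	q := req.URL.Query()
	keys := make([]string, 0, len(q))
	for k := range q {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var pairs []string
	for _, k := range keys {
		for _, v := range q[k] {
			pairs = append(pairs, awsEscape(k)+"="+awsEscape(v))
		}
	}
	path := req.URL.EscapedPath()
	if path == "" {
		path = "/"
	}
	canonicalRequest := strings.Join([]string{
		req.Method, path, strings.Join(pairs, "&"),
		canonHeaders.String(), signedHeaders, sha256Hex(body),
	}, "\n")

	// Step 2: string to sign, bound to the date, region and service scope.
	scope := dateStamp + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{
		"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonicalRequest)),
	}, "\n")

	// Step 3: derive the signing key from the secret and sign. The secret key
	// itself never goes on the wire, only this derived HMAC does.
	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), dateStamp)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))

	req.Header.Set("Authorization", fmt.Sprintf(
		"AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		creds.AccessKeyID, scope, signedHeaders, signature))
	return signature
}

func main() {
	// Constructed credentials; a real role supplies rotating ones through IMDS.
	creds := Credentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "constructed-secret", SessionToken: "constructed-session-token"}
	// Hypothetical execute-api endpoint standing in for the private API above.
	req, _ := http.NewRequest(http.MethodGet, "https://api.example.com/prod/orders?limit=10", nil)
	SignV4(req, nil, creds, "us-east-1", "execute-api", time.Now())
	fmt.Println(req.Header.Get("Authorization"))
}
```

Because the date, region, service and session token are all inside the signed material, a captured Authorization header is only good for that request shape, that scope and the lifetime of the role's temporary credentials; that is what makes AWS_IAM authorisation on the resource workable without any long-lived key on the instance.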
I am new to AWS. I've been hosting an ASP.NET Web API on an AWS EC2 instance. I would like to access this web API securely through AWS API Gateway. I configured the AWS API Gateway service successfully; however, the EC2 instance accepts and responds to external API requests which are coming directly from the internet.
My web API should only accept and respond to AWS API Gateway requests.
What are the correct firewall rule(s) in the security group of my EC2 instance? Or do I need to create a policy for an AWS IAM user?
This configuration shouldn't restrict AWS internal traffic, in order to allow access to AWS API Gateway requests.
Thanks
You need to assign your EC2 instance to a security group and configure the security group with inbound rules, which will allow you to whitelist IP ranges, ports, protocols, etc.