Running software on amazon workspace - amazon-web-services

I am planning to use Amazon Workspace, to run a communication software which is restricted in a country where I am about to visit in few days, so what I was thinking is to use amazon workspace, but I was wondering if anyone can guide me if its safe to keep running any communication software with personal credentials on Amazon Workspace?
I have confusion if I run Workspace, will I get the same desktop each time? or if I log out from client it will end the existing desktop, and once I sign in again it will get me a new desktop with everything same as previous one?

Amazon WorkSpaces provisions a virtual server that is always "yours". Just keep it running and connect to it whenever you want to use it. It will continue exactly how you left-off, such as mid-sentence in a word processor.
Clients are available for Windows, Mac, iOS, Android and even via Web Browser so it should be easy to connect.
The only potential problem is if the country has blocked access to the AWS IP address range, which might happen if they want to block people from using VPN services.

I think it is a standard procedure for you to be cautious whenever you are using internet connection away from the trusted connection points. However, it is quite secure to keep running your communication software on AWS Workspaces. Their security protocol is advanced. You should also change your credentials on a regular basis.
You will always get the same desktop anytime you login and so that shouldn't be a problem.
Alternatively, you can checkout V2 Cloud's WorkSpaces they have an enterprise-grade security strategy to protect both your data and credential. They use multi-factor authentication to ensure that even if your credentials are stolen, the theif can't sign into your WOrkPSaces.
About having access to the same desktop, their desktop is very consistent and you will always have access to the same desktop. They will not only host your communication software, they will render to you via your web browser so you don't have to install any client application like in AWS WorkSpaces.
I hope that helps.

Related

Require authorization to access ec2 port

Not sure what the right terms were to start this question but basically I have a downloaded UI tool that runs on 0.0.0.0:5000 on my AWS EC2 instance and my ec2 instance has a public ip address associated with it. So right now everyone in the world can access this tool by going to {ec2_public_ip}:5000.
I want to run some kinda script or add security group inbound rules that will require authorization prior to letting someone view the page. The application running on port 5000 is a downloaded tool not my own code so it wouldnt be possible to add authentication to the tool itself (Its KafkaMagic FYI).
The one security measure I was able to do so far was only allow specific IPs TCP connection to port 5000, which is a good start but not enough as there is no guarantee someone on that IP is authorized to view the tool. Is it possible to require an IAM role to access the IP? I do have a separate api with a login endpoint that could be useful if it was possible to run a script before forwarding the request, is that a possible/viable solution? Not sure what best practice is in this case, there might be a third option I have not considered.
ADD-ON EDIT
Additionally, I am using EC2 Instance Connect and if it is possible to require an active ssh connection before accessing the ec2 instances ip that would be a good solution as well.
EDIT FOLLOWING INITIAL DISCUSSION
Another approach that would work for me is if I had a small app running on a different port that could leverage our existing UI to log a user in. If a user authenticated through this app, would it be possible to display the ui from port 5000 to them then? In this case KafkaMagic would be on a private ip and there would be a different IP that the user would go through before seeing the tool
In short, the answer is no. If you want authorization (I think, you mean, authentication) to access an application running on the server - you need tools that run on the server. If your tool offers such capability - use it. It looks like Kafka Magic has such capability: https://www.kafkamagic.com/faq/#how-to-authenticate-kafka-client-by-consumer-group-id
But you can't use external tools, like AWS, that perform such authentication. Security group is like a firewall - it either allows or blocks access to the port.
You can easily create a script that uses the aws sdk or even just executes the aws CLI to view/add/remove an ip address of a security group. How you execute that script depends on your audience and what language you use.
For a small number of trusted users you could issue them an IAM user and API key with a policy that allows them to manage a single dynamic security group. Then provide a script they can run/shortcut to click that gets the current gateway ip and adds/removes it from the security group.
If you want to allow users via website a simple script behind some existing authentication is also possible with sdk/cli approach(depending on available server side scripting).
If users have SSH access - you could authorise the ip by calling the script/cli from bashrc or some other startup script.
In any case the IAM policy that grants permissions to modify the SG should be as restrictive as possible (basically dont use any *'s in the policy). You can add additional conditions like the source IP/range (ie in your VPC) or that MFA must be active for user etc to make this more secure (can be handled in either case via script). If your running on ec2 id suggest looking at IAM Instance Roles as an easy way to give your server access to credentials for your script (but you can create a user and deploy the key/secret to the server and manage it manually if you wanted).
I would also suggest creating a dedicated security group for dynamically managed access alongside existing SGs required for internal operation for safety. It would be a good idea to implement a lambda function on a schedule to flush the dynamic SG (even if you script de-authorising an IP it might not happen so its good to clean up safely/automatically).

How to create a Linux VM in GCP/Azure/AWS which can be accessed over a browser

I am working on a project where a user clicks a link/button that says Access VM on a webpage, it should internally spin up a Linux based VM (using GCP, AWS or Azure) and provide the VM terminal in a new browser tab for the user to play around in the VM.
How can I achieve this using GCP/AWS/Azure? Which type of VM should I create so that the user can access the VM terminal over a browser without using an SSH client?
I tried creating a VM on Azure and explored the Bastion option. But this Bastion session should always be initiated from within the Azure portal.
Do we have any other option within GCP, AWS or Azure to achieve this?
I am looking for something similar to katacoda website.
There's no built in feature in GCP that will allow such thing possible. There is a button "SSH" in the VM's list but you have to be able to view the list and also have the permission to connect to the instance. But that requires to actually log into GCP which I believe is not what you want.
**You could try and built some solution that after clicking an "Connect" button you your website would send a series of commands to GCP's API to create & connect to the new isntance. It's possible but rather complicated.
Have a look at the documentation how to connect to VM using browser - maybe it will give yolu some ideas.
Ultimately use many other 3rd party tools but you still need to provide an address and credentials - additionally you rely on a service that you don't control so you have to take security (and reliability) into consideration.
At the end you may also consider going through general information how to connect to GCP's instances.

Customizing Server Certificate for Cloud SQL

When using the Google Cloud SQL instance, SSL can be enabled using the Server Certificate server-ca.pem downloaded from the Google Cloud SQL instance's Connections section. The Server Certificate seems to be only for a single instance. If I have multiple instances I will need to download and use multiple Server Certificates.
Is there a way to upload or customize the Server Certificate of the Google Cloud SQL instances that I am using? My goal is to use a single Root CA Certificate that can connect to all the Google Cloud SQL instances that I have. I read through the Google documentation and still not able to clearly understand whether it is possible. Appreciate any input from the community.
Example, for Amazon RDS, it supports a root certificate that works for all AWS Regions. I would like to understand whether there is something similar Google Cloud SQL is using.
Currently this is not possible. You can only manage client certificates as you mentioned. I found this Feature Request(FR) in the Public Issue Tracker. I would recommend you to "star" it to ensure that you receive updates about it. You can also adjust notification settings by clicking the gear icon in the top right corner and selecting settings.
The FR are evaluated by the number of users being affected by that. The more stars it have, the more possibilities to be developed it has.
In the end I don't think that having all the Instances with the same Certificate should be the best path to follow. I understand that this could help to reduce the amount of sensitive data managed, but in the end you "would never put all its eggs into one basket". This could be risky.

In AWS EC2, is there a way to allow access only to a designated device?

I am new to AWS EC2. I want to set up a website only for my family members.
It will contain some content that is not necessarily private, but would be more appropriate if only family members can access.
IP address discrimination wouldn't work here as we may on the go and use other wifi.
I'm considering MAC code as the screening basis.
Is such access restriction allowed in EC2? Thanks.
Restricting is using MAC won't work, the devices will reach EC2 over a public Network and the MAC changes at every hop. I assume you would be interested in setting remote vpn/L2TP vpn ? EC2 can be used as VPN server and can be allowed from certain client, if no, try to setup a log in based page and create account for your family members.
Here a free open source tool to achieve it:
https://www.digitalocean.com/community/tutorials/how-to-sync-and-share-your-files-with-seafile-on-ubuntu-18-04
Cognito is designed for such things, you can manage there user accounts. You can add Application Load Balancer before your EC2 instance, which will forward to Cognito authentication - but this is a bit expensive solution for "family usage".
If there's no very fragile data on this website, you can use just BasicAuth, which will prompt for username and password on site-entry, or you can add standard login page in your website.
Least, but not last, is Lambda with ApiGateway (free tier allows to free usage of this service for ALOT of requests) - this is more programatically solution - but - it's up to you which one to choose.

AWS Directory Service clarity

We're a growing shop that has no real user management. It's come the time to have single-sign-on. We host everything in AWS with the exception of an in-house desktop server that basically just hosts a NAS.
I'm only slightly familiar enough with Active Directory that I could set up an in-house domain and have it federate users. I've read the FAQs on AWS Directory Service and just looking to get clarity at what it can and cannot do.
My goal is to have an AD that can manage users in AWS as well as in-house. I'm unsure if I can do both in AWS DS or if it's just to handle the AWS portion.
Per the FAQ: AWS Directory Service makes it easy for you to setup and run directories in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory
Does this mean that even if I ran AWS DS I'd still have to host an in-house AD and join them to manage users in AWS as well as in-house? I'd like to avoid having to run one on-premesis since my goal is to get everything into AWS.
You can use AWS SSO to manage authentication to the AWS console and AWS CLI and it integrates directly with AWS Managed Directory Services, so you can have all your authentication in one place. Take care to create a "break glass" IAM account in case you have issues in AD, lest you lock yourself out of AWS and therefore can't manage the AD servers.
https://docs.aws.amazon.com/singlesignon/latest/userguide/connectawsad.html