So I have an EC2 instance that has a web server. In the security groups I allowed incoming traffic on 80 and 443 but removed all the outgoing traffic for security reasons.
My application uses AWS SNS and SMTP, and of course whenever it tries to connect to these services it fails since the outbound traffic is blocked. How can I restrict the outbound traffic to just these services without using a proxy? I tried to check VPC endpoints but didn't find SNS and SMTP in the list.
You will need to enable the ports that these services need to receive your requests. Most AWS services use a REST interface which requires HTTPS (443).
For SNS you will need to enable port 443 outbound.
For SMTP you will need to look up the ports that you configured. For SES this is usually ports 465 or 587.
Amazon publishes ip-ranges.json which contains a list of IP addresses for AWS. You can create a Lambda function to automatically update your security groups with these addresses.
I would not block all outbound ports. Instead I would control where the instance can connect to using security groups and ip-ranges.json. Then I would test that you can still install updates, etc. If your instance is Windows based, then you have another can of worms adding the Microsoft sites.
IMHO: Unless you really need this level of control and security and are prepared to spend a lot of time managing everything ...
AWS IP Address Ranges
Example project:
How to Automatically Update Your Security Groups
To add to John's answer,
last month AWS released a product called "AWS PrivateLink" which enables people to advertise services within a VPC much like S3 endpoints do today. AWS will be publishing AWS services the same way in the coming months, so this may only be a short-term problem for you.
More information can be found https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-aws-privatelink-for-aws-services/
Related
I have an ec2 host in AWS Ireland. I am connecting to a host that is near AWS Tokyo, but not within AWS Tokyo.
I want my TCP packets to enter the AWS network at Tokyo, and then be routed over the AWS network to Ireland. I've noticed that this is both lower latency and higher bandwidth than routing over the open internet. However, it seems that the packets instead flow over the open internet until Ireland.
Is there a way to force the networking route to enter AWS at Tokyo instead of Ireland?
In AWS routing the destination must be the target host, if it is not AWS will discard the packets. The exception to this rule is with NAT routing, which explicitly for a NAT instance you must disable the source/destination check.
If you explicitly want it to join at Tokyo you would need to configure your endpoint in the Tokyo region, then have it receive the payload before it then forwards it to the Ireland VPC (using a peering connection). To forward the payload you would need an application that forwards this to the region.
If you're instead trying to make use of the closest edge location to the user then you would want to either look at using CloudFront or Global Accelerator. Both of these will use local AWS PoP and then forward traffic via the AWS backbone to reach its target.
Please help
We blocked all the outgoing traffic by removing 0.0.0.0/0 and added only our VPC so as our application connects to the EC2
Now the problem is EC2 is not able to communicate with any of AWS Services itself; we are not able to use SSM, update our RPM, etc. ..
we added few of the IP range based on the errors we faced; which we fear not the correct way of blocking the outbound connections
Thank you, appreciate your support in advance
You should actually take a look at using VPC endpoints where possible within your VPC.
If you configure these outbound communication will be via the subnet ranges that the interface endpoints are located in with the exception of S3 and DynamoDB.
If you use either of these services, in the outbound of the security group you can whitelist the source of the prefix list for these services.
By doing this its easier to manage (AWS IP ranges change all the time), and is more secure as the egress stays within the AWS network never connecting to the service endpoints via the public internet.
If this approach is not for you, you would need to subscribe to ip-range changes which would trigger a Lambda function. This Lambda function would access the ip-ranges.json file and retrieve all ranges valid for your application. These IP ranges would then be added to a customer managed prefix list that you define.
The prefix list would be added as an outbound destination allowing port 443 (HTTPS) outbound access, of course this method would require you to build the Lambda function.
I am trying to setup AWS Workspaces and all works fine. I also have a requirement to restrict certain websites like Google Drive, Dropbox, etc. on my AWS instance. How can I add these web access restrictions? Is it possible to configure and reply AWS firewall thru which these restrictions are applied?
Any help/suggestions will be highly appreciated.
There are multiple ways to achieve that.
You can use some endpoint protection that allow web filtering e.g. Sophos, Trend Micro, ...
You can use a firewall appliance that allows to control the web traffic.
https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=firewall
You can use the new AWS Network Firewall to control the web traffic.
From: AWS Network Firewall Features
AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, AWS Network Firewall can filter fully qualified domain names (FQDN).
I have a Python server (basic REST API) running on an AWS EC2 instance. The server supplies the data for a mobile application. I want my mobile app to connect to the python server securely over HTTPS. What is the easiest way that I can do this?
Thus far, I've tried setting up an HTTP/HTTPS load balancer with an Amazon certificate, but it seems that the connection between the ELB and the EC2 instance would still not be totally secure (HTTP in a VPC).
When you are securing access to an REST API in an EC2 instance, there are several considerations you need to look upon.
Authentication & Authorization.
Monitoring of API calls.
Load balancing & life cycle management.
Throttling.
Firewall rules.
Secure access to the API.
Usage information by consumers & etc.
Several considerations are mandatory to secure a REST API such as
Having SSL for communication (Note: Here SSL termination at AWS Load Balancer Level is accepted, since there onwards, the traffic goes within the VPC and also can be hardened using Security Groups.)
If you plan on getting most of the capabilities around REST APIs stated above, I would recommend to proxy your service in EC2 to AWS API Gateway which will provide most of the capabilities out of the box.
In addition you can configure AWS WAF for additional security at Load Balancer(Supports AWS Application Load Balancer).
You can leverage some of the AWS Services to Handle these.
Question answered in the comments.
It's fine to leave traffic between ELB and EC2 unencrypted as long as they are in the same VPC and the security group for the EC2 instance(s) is properly configured.
I am seeking some guidance on the best approach to take with EC2 security groups and services with dynamic IP's. I want to make use of services such as SendGrid, Elastic Cloud etc which all use dyanmic IP's over port 80/443. However access to Port 80/443 is closed with the exception of whitelisted IPs. So far the solutions I have found are:
CRON Job to ping the service, take IP's and update EC2 Security Group via EC2 API.
Create a new EC2 to act as a proxy with port 80/443 open. New server communicates with Sendgrid/ElasticCloud, inspects responses and returns parts to main server.
Are there any other better solutions?
Firstly, please bear in mind that security groups in AWS are stateful, meaning that, for example, if you open ports 80 and 443 to all destinations (0.0.0.0/0) in your outbound rules, your EC2 machines will be able to connect to remote hosts and get the response back even if there are no inbound rules for a given IP.
However, this approach works only if the connection is always initiated by your EC2 instance and remote services are just responding. If you require the connections to your EC2 instances to be initiated from the outside, you do need to specify inbound rules in security group(s). If you know a CIDR block of their public IP addresses, that can solve the problem as you can specify it as a destination in security group rule. If you don't know IP range of the hosts that are going to reach your machines, then access restriction at network level is not feasible and you need to implement some form of authorisation of the requester.
P.S. Please also bear in mind that there is a soft default limit of 50 inbound or outbound rules per security group.