Some advice please. We have an instance on AWS. It hosts a web app on a single server. We would like to restrict access to the app (ports 80/443). We can't simply restrict connections through the firewall to a range of whitelisted IP addresses because we don't know where our users will be coming from or if they will have static addresses. They are not very tech aware and would most likely not connect if it is complicated.
Is Amazon Virtual Private Cloud a solution, or would another solution get us to where we want to be? We are a non-profit org and will not be charging people, so we would like to accomplish this within our budget.
Ideally we would provide individual logins/passwords that we can share with people that would grant them access to the url. We are not sure how this can be accomplished but we think that restricting access on a server must be possible and need some guidance on the approach. It is new to us.
Thanks for reading.
Howard
You can restrict access to the box over 80/443 using security groups. Then, restrict access to the application with user ids and passwords.
I have a publicly exposed API, this is kind of a demo API.
I want to limit access from browser/client/machine to just 2 calls.
I was thinking to use IP to uniquely identify the client and limit it but CGNAT could be an issue so a lot of users can be denied the access if any one user under that IP uses it.
What are other ways to achieve it?
API is in AWS.
Tried an IP-based solution but found CGNAT can be an issue.
Not sure what the right terms were to start this question, but basically I have a downloaded UI tool that runs on 0.0.0.0:5000 on my AWS EC2 instance, and my EC2 instance has a public IP address associated with it. So right now everyone in the world can access this tool by going to {ec2_public_ip}:5000.
I want to run some kind of script or add security group inbound rules that will require authorization prior to letting someone view the page. The application running on port 5000 is a downloaded tool, not my own code, so it wouldn't be possible to add authentication to the tool itself (it's KafkaMagic, FYI).
The one security measure I was able to do so far was to only allow specific IPs a TCP connection to port 5000, which is a good start but not enough, as there is no guarantee someone on that IP is authorized to view the tool. Is it possible to require an IAM role to access the IP? I do have a separate API with a login endpoint that could be useful if it was possible to run a script before forwarding the request; is that a possible/viable solution? Not sure what best practice is in this case; there might be a third option I have not considered.
ADD-ON EDIT
Additionally, I am using EC2 Instance Connect, and if it is possible to require an active SSH connection before accessing the EC2 instance's IP, that would be a good solution as well.
EDIT FOLLOWING INITIAL DISCUSSION
Another approach that would work for me is if I had a small app running on a different port that could leverage our existing UI to log a user in. If a user authenticated through this app, would it be possible to display the UI from port 5000 to them then? In this case KafkaMagic would be on a private IP and there would be a different IP that the user would go through before seeing the tool.
In short, the answer is no. If you want authorization (I think you mean authentication) to access an application running on the server, you need tools that run on the server. If your tool offers such capability, use it. It looks like Kafka Magic has such capability: https://www.kafkamagic.com/faq/#how-to-authenticate-kafka-client-by-consumer-group-id
But you can't use external tools, like AWS, to perform such authentication. A security group is like a firewall: it either allows or blocks access to the port.
You can easily create a script that uses the AWS SDK or even just executes the AWS CLI to view/add/remove an IP address of a security group. How you execute that script depends on your audience and what language you use.
For a small number of trusted users you could issue them an IAM user and API key with a policy that allows them to manage a single dynamic security group. Then provide a script they can run/shortcut to click that gets the current gateway IP and adds/removes it from the security group.
If you want to allow users via a website, a simple script behind some existing authentication is also possible with the SDK/CLI approach (depending on available server-side scripting).
If users have SSH access, you could authorise the IP by calling the script/CLI from bashrc or some other startup script.
In any case the IAM policy that grants permissions to modify the SG should be as restrictive as possible (basically don't use any *'s in the policy). You can add additional conditions like the source IP/range (i.e. in your VPC) or that MFA must be active for the user etc. to make this more secure (can be handled in either case via script). If you're running on EC2 I'd suggest looking at IAM Instance Roles as an easy way to give your server access to credentials for your script (but you can create a user and deploy the key/secret to the server and manage it manually if you wanted).
I would also suggest creating a dedicated security group for dynamically managed access alongside existing SGs required for internal operation, for safety. It would be a good idea to implement a Lambda function on a schedule to flush the dynamic SG (even if you script de-authorising an IP it might not happen, so it's good to clean up safely/automatically).
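An added example (not from the answer above or any AWS sample) of the dedicated dynamic security group this answer describes: each /32 rule is tagged in its description with who added it and when, and a scheduled Lambda revokes anything older than a cutoff. The group id, the 8-hour cutoff and the sample rules are constructed; the boto3 calls (`describe_security_group_ingress`/`authorize_security_group_ingress`/`revoke_security_group_ingress`) are real EC2 API operations but are only reached from `lambda_handler`, so the tagging and expiry logic runs without AWS access.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

DYNAMIC_SG_ID = "sg-0123456789abcdef0"  # placeholder, not a real group id
APP_PORTS = (80, 443)
MAX_AGE = timedelta(hours=8)             # assumed cutoff for a "session"
STAMP = "%Y-%m-%dT%H:%M:%SZ"
# Addresses a user's "what is my gateway IP" step should never hand us.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def ingress_permission(ip, port, user, now):
    """IpPermissions entry for one IPv4 /32 on one TCP port. The SG keeps no
    timestamp, so the description tags who added the rule and when."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in NON_PUBLIC):
        raise ValueError(f"refusing to allow-list {ip}: not a public IPv4 address")
    tag = f"{user}@{now.astimezone(timezone.utc).strftime(STAMP)}"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{addr}/32", "Description": tag}]}

def expired_permissions(permissions, now, max_age=MAX_AGE):
    """Pick the rules to revoke from SecurityGroups[0]['IpPermissions'].
    Untagged or malformed ranges are revoked too: fail closed."""
    to_revoke = []
    for perm in permissions:
        stale = []
        for rng in perm.get("IpRanges", []):
            try:
                added = datetime.strptime(rng["Description"].rsplit("@", 1)[1], STAMP)
                if now - added.replace(tzinfo=timezone.utc) <= max_age:
                    continue
            except (KeyError, IndexError, ValueError):
                pass  # no tag, or not one we wrote: treat as stale
            stale.append({"CidrIp": rng["CidrIp"]})
        if stale:  # copy only the keys present (an all-traffic rule has no ports)
            entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            entry["IpRanges"] = stale
            to_revoke.append(entry)
    return to_revoke

def lambda_handler(event, context):
    """Scheduled (EventBridge) flush of rules older than MAX_AGE."""
    import boto3  # imported here so the functions above work without AWS access
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[DYNAMIC_SG_ID])["SecurityGroups"][0]
    stale = expired_permissions(sg["IpPermissions"], datetime.now(timezone.utc))
    if stale:
        ec2.revoke_security_group_ingress(GroupId=DYNAMIC_SG_ID, IpPermissions=stale)
    return {"revoked": sum(len(p["IpRanges"]) for p in stale)}
```

The user-side script from the answer would call `authorize_security_group_ingress` with `[ingress_permission(ip, p, user, now) for p in APP_PORTS]`; an IAM policy for that user should name only this group's ARN and the two authorize/revoke actions.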
Is it possible to restrict access to cloud.google.com to specific IPs?
When I create a principal I'm giving it a specific role, but I would like to give access for that user/s only if it logs in from a specific IP.
[EDIT] To clarify, access should be restricted to the whole project. E.g. I limit access to only IP1. User "A" logs in to cloud.google.com, chooses a project, and if he logged in from IP2, he won't see anything ("you don't have access ..." message, same as the role-based restrictions if you go where you shouldn't).
If he connects from IP1 he should have access to everything his role gives him.
Only limits I can find in documentation (also the IAP pointed by Arden) are restrictions TO something (app, resource, etc.) not FROM something.
So the question is, is it even possible to do something like that?
You need to implement Identity-Aware Proxy (IAP): Authenticate users with Google Accounts
When to use IAP
Use IAP when you want to enforce access control policies for applications and resources. IAP works with signed headers or the App Engine standard environment Users API to secure your app. With IAP, you can set up group-based application access: a resource could be accessible for employees and inaccessible for contractors, or only accessible to a specific department.
I have a cloud instance which I would like to restrict access to. I'm wondering what's the right way to do it.
The setup:
1. I've opened a Google Compute cloud access and it has an external IP a.b.c.d
2. I would like everyone accessing a.b.c.d to be automatically redirected to Google authentication, and if the account meets the policy, they will be able to proceed
Can anyone suggest a proper way of doing that, without adding code to the application running on a.b.c.d, but by configuring the cloud instance?
Look into using the IAP (Internet Aware Proxy)... it can now be used to shield ssh requests. I've not done what you're trying, but I think it is what you're looking for.
I am new to AWS EC2. I want to set up a website only for my family members.
It will contain some content that is not necessarily private, but would be more appropriate if only family members can access.
IP address discrimination wouldn't work here as we may be on the go and use other wifi.
I'm considering MAC code as the screening basis.
Is such access restriction allowed in EC2? Thanks.
Restricting using MAC won't work; the devices will reach EC2 over a public network and the MAC changes at every hop. I assume you would be interested in setting up a remote VPN/L2TP VPN? EC2 can be used as a VPN server and can be allowed from certain clients; if not, try to set up a login-based page and create accounts for your family members.
Here is a free open source tool to achieve it:
https://www.digitalocean.com/community/tutorials/how-to-sync-and-share-your-files-with-seafile-on-ubuntu-18-04
Cognito is designed for such things; you can manage user accounts there. You can add an Application Load Balancer before your EC2 instance, which will forward to Cognito authentication, but this is a bit expensive a solution for "family usage".
If there's no very fragile data on this website, you can use just BasicAuth, which will prompt for username and password on site entry, or you can add a standard login page to your website.
Last, but not least, is Lambda with API Gateway (the free tier allows free usage of this service for a LOT of requests); this is a more programmatic solution, but it's up to you which one to choose.