Restrict the access to aws instance from specific IP - amazon-web-services

I want to set the security groups for the web server running in aws instance.My website should be accessible to through http/https. But file modification access to be set to particular IP address.I am currently connected to a Wifi router, and as I know IP that my PC assigned changes everytime.
Can someone please guide me on how to get a static IP address that I can allow access to my website.Thanks in advance.

You would need to see if you ISP can sell you a static IP - it's not always possible. I can't get one from my ISP when working from home, your ISP may be different for example.
However, if it is just you that needs static IP address (i.e. you as the developer/admin as opposed to users in the public), it is only a few clicks of the mouse to update the security rule thru the aws console each time you need elevated access. I do this for several servers running on EC2 which I keep locked down, and when I need to RDP into them, I open up the security groups to just my (dynamic) IP, and remove the rule when I am done - this will work if you only occasionally need access. You could also automate this process using a little scripting and/or lambda function.
Other option that I also do: I have an service that I need to access continually from a static IP - I use an another EC2 instance (with fixed IP) as the whitelist IP for this, and then I connect to that services by first connecting via RDP to the EC2 instance - and the EC2 instance with the fixed IP then accesses the service using its static IP.

You first have to know if your external IP changes if so you have to ask your ISP to change your IP to a static one
If it's the internal IP the one that changes but the external IP is the same you will have no problem accessing the aws.

Related

AWS Client VPN Client-Client Communication

I have an AWS Client VPN set up using certificate auth. I'm setting this up for a client-client access system, essentially as is described in this AWS scenario/example. It's all working, and I can ping from one client to another if I know their IP address.
My question is: in actual use, what use is this system if clients get assigned a random IP address every time they connect to the VPN, and there's no way to tell which clients are connected or what their IP addresses are without checking the AWS console or using the describe-client-vpn-connections CLI (which requires IAM credentials)?
Is there any way to:
Assign static IP addresses to specific clients, so they receive the same one every time they connect to the VPN?
Get a list of connected clients (with their CommonName and IP address)?
Use a connected client's host name / computer name instead of their random VPN IP address?
Any other way to connect from one client to another without having to use the AWS Console or describe-client-vpn-connections CLI to get a list of connected clients?
Much of what you're asking for is not possible. In many organizations, client-to-client communication is not the norm. For client-to-server communication, AWS Client VPN works well.
There is no way to assign static IP addresses to specific clients.
You can get a list of current connections and client IP addresses with the following AWS CLI command:
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id (endpoint ID)
You might be able to get your clients to register via a shared DNS server to get their VPN IP address.
I suspect you'll have better luck rolling your own VPN solution with something like OpenVPN, which much of the AWS Client VPN is built off of.

Qualys Scanner in AWS - opening outbound FW ports

I'm setting up Qualys scanner in Amazon Web Services in an environment that restricts outbound access to the internet from the VPC. It does so completely.
So I'll need to open a ticket to get the outbound access it needs, and I have to specify each IP that the Qualys server will need to connect to.
I'm seeing this message in the logs:
Starting crond:
Preparing scanner personalization
About to test connectivity to qualysguard.qualys.com
Error: No connectivity to qualysguard.qualys.com - please fix.
About to test connectivity to qualysguard.qualys.com
My question is, do I need to open up access to just that one domain? Or do I have to open up access to more than that one domain. I have to be specific and cannot use wildcards in the request. This environment is extremely locked down for security reasons.
There are several ways you can restrict the access of your environment but also to allow certain ports.
AWS does not resolve on DNS names, so make sure you get the set of IP addresses that are to be allowed for access
Use ELB - allow certain ports and permit access for those ports/ip addresses
Port address translation - look in for applications that will allow particular ports from a set of ip addresses
move your application to public subnet and allow the specific port/ip addresses

Multiple server applications, one public IP on Amazon EC2

I have a single Windows Amazon EC2 instance and one public IP. The instance is running multiple web server EXEs which all sit on port 80. I want to have different domain names which I want to point to each server. On my old dedicated server I achieved this simply by having different public IPs, but with Amazon EC2 I want to keep to just one public IP.
I am not using IIS, Apache, etc. otherwise life would be a lot simpler (I would simply bind hostnames accordingly). The web server executables perform unusual "utility" tasks as part of a range of other websites, but still need to be hosted on port 80. There is no configuration other than address to bind to and port #.
I have setup several private IPs and bound each server application to those private IPs. Is it possible to leverage some of the Amazon networking products to direct the traffic to the correct private IP? e.g. I have tried setting up a private-DNS using Amazon Route53, and internally at least this seems to point to the correct servers - but not (perhaps logically) when I try to access the site externally.
In absence of any other solutions I decided to solve this using the blunt hammer approach and use a reverse proxy. Downside is my servers now only see the user IPs as 127.0.0.1 which was less than ideal, but better than nothing at all.
For my reverse proxy I used Redbird (uses node.js) but Nginx may also be an option. Both are free / open source.

Configuring AWS using ISP assigned IP?

I'm trying to host a website on AWS and I came across this:
If you are connecting through an ISP or from behind your firewall
without a static IP address, you need to find out the range of IP
addresses used by client computers. If you don't know this address
range, you can use 0.0.0.0/0 for this tutorial. However, this is
unsafe for production environments because it allows everyone to
access your instance using RDP.
My intention was to host my personal website. I connect through an ISP and do not have a static IP address and I'm not sure about the range of IP addresses.
Is there another way to solve this or would I be best to use a different web host such as godaddy, name.com, etc..?
The recommendation is that you don't allow RDP (or ssh if you go with a linux-based server) from the internet in general (i.e. 0.0.0.0/0).
Instead, you should restrict access to your ip (1.2.3.4/32). The problem with this is that when your ISP-provided IP address changes, you will be locked out until you adjust your security rules.
Now, for a personal web site, if you're not accessing it a lot, that's probably not a big deal. Chances are that your ip address doesn't actually change that often, and when it does you can remember to update the security group.
If you want to automate it, you can do this from a script that would query one of the many services that provide this, and then update the security group via the aws cli.
Finally, another option is to set up a VPN between your AWS VPC and your local network. This is probably overkill for your problem, but is something to consider when you want to extend your local network into AWS.
Here is a script that can automate the additional of an IP address to Inbound Security Group rules:
IP=`curl -s icanhazip.com`
aws ec2 authorize-security-group-ingress --group-name "RDS-SG" --protocol tcp --port 22 --cidr $IP/32

Amazon Elastic IP issues

I've read a lot of questions already posted on this topic but none seem to provide an answer that helps, so forgive me for the duplicate post if I missed one...
I setup an elastic beanstalk single instance application. I then ensure'd the EC2 instance that it spawned had a security group to allow port 80 incoming requests. I then created an elastic ip and associated the EC2 instance with the ip, but neither the public dns or the elastic ip will respond to http requests.
Any ideas why this might be an issue for me?
In my case the problem was, even though I'd associated my elastic IP to my instance and created firewall rules in new security groups to provide access, I hadn't associated my new security groups with my instance. To fix this, I used the Change Security Groups menu from my Instances screen:
This caused the following popup to appear, where, sure enough, my new security groups existed but weren't associated with my instance:
After I (1) checked the appropriate boxes and (2) clicked on Assign Security Groups, all was well.
In classic-EC2 scenario:
Make sure port 80 is allowed in your AWS security group.
Make sure port 80 is allowed in local operating based firewall on your system. OR disable the local firewall for the time being to narrow down the issue.
Make sure that your application is indeed listening on port 80. You can check this by running telnet 127.0.0.1 80.
If above 3 points are satisfied, I don't see a reason why you are not able to access your application on port 80.
Let us know in case you are using VPC and not classic-EC2.
BTW, when you attach elastic IP, the instance will drop the public DNS that it had earlier. So now you should work with elastic IP only.
I have had a case where the elastic IP address was itself not responding on a specific port number. When I associated the instance with a different elastic IP, everything worked fine. So I resolved the issue by allocating a new elastic IP address. Root cause: Amazon evidently does not have an effective internal process for validating the integrity of an elastic IP. Obviously that's a tall order considering the things outside their control that can happen, with denial of service attacks and etc.
It cost me a day of doing progressive isolation to get to this, which I would have never otherwise suspected.
Any chance there is also a firewall running on the machine? I know in windows I usually need to open the port on the windows firewall AND on amazon's security.