Security Token Service (STS) access in a private subnet - amazon-web-services

AWS Security Token Service (STS) can only be accessed from the Internet; correct me if I am wrong.
My customer would like to access DynamoDB from an EC2 instance in the same AWS account.
The EC2 instance is in a private subnet without internet access. Does this mean the EC2 instance cannot leverage STS? Is there a workaround for this? We are trying to avoid using a permanent access key and secret key to access resources in AWS.

Not only STS: you need internet access to use any AWS service. For STS, the endpoint https://sts.amazonaws.com should be accessible. There are endpoints for each AWS service. The only service that doesn't need internet access is the metadata server http://169.254.169.254.
If your security policy permits, you can add an internet route to your subnet through a NAT. You can let the instance access only certain IP addresses by setting the outbound rule in the security group.

Starting from December 2020, you can use an STS VPC endpoint in a private subnet which doesn't have outbound internet access.
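As an added example (not code from the original question or answers), the following shell script creates the STS interface endpoint the last answer refers to with the AWS CLI and then verifies from the instance that STS is reached through it. All resource IDs are placeholders; the `aws` subcommands and the `AWS_STS_REGIONAL_ENDPOINTS` setting are real CLI/SDK features. One caveat the answers do not spell out: an interface endpoint serves the regional hostname `sts.<region>.amazonaws.com`, while the global `sts.amazonaws.com` still resolves to public addresses, so clients on the instance must be configured to use regional STS endpoints.

```shell
#!/usr/bin/env sh
# Added example (not from the original answers): create an STS interface
# endpoint for a private subnet and verify that an instance can call STS
# without any internet route. Every ID below is a hypothetical placeholder.
set -eu

REGION="${REGION:-us-east-1}"                        # assumption: region of the VPC
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"            # placeholder
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"   # private subnet, placeholder
ENDPOINT_SG="${ENDPOINT_SG:-sg-0123456789abcdef0}"   # SG on the endpoint ENI; must allow 443 from the instance

# Service name of the STS interface endpoint in this region.
sts_service_name() { echo "com.amazonaws.${REGION}.sts"; }

# Create the endpoint with private DNS enabled so that
# sts.<region>.amazonaws.com resolves to the endpoint ENI inside the VPC.
create_sts_endpoint() {
  aws ec2 create-vpc-endpoint \
    --region "$REGION" \
    --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Interface \
    --service-name "$(sts_service_name)" \
    --subnet-ids "$SUBNET_ID" \
    --security-group-ids "$ENDPOINT_SG" \
    --private-dns-enabled \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Returns 0 when an IPv4 address is in RFC 1918 space, i.e. the STS name
# resolved to the endpoint ENI rather than to a public STS address.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run this on the instance: confirm DNS points into the VPC, then call STS
# through the regional endpoint with the instance-profile credentials that
# the metadata service hands out (no static access keys involved).
verify_from_instance() {
  addr="$(getent hosts "sts.${REGION}.amazonaws.com" | awk '{print $1; exit}')"
  if ! is_private_ipv4 "$addr"; then
    echo "sts.${REGION}.amazonaws.com resolves to ${addr:-nothing}; private DNS is not in effect" >&2
    return 1
  fi
  AWS_STS_REGIONAL_ENDPOINTS=regional AWS_DEFAULT_REGION="$REGION" \
    aws sts get-caller-identity --output text
}

case "${1:-}" in
  create) create_sts_endpoint ;;
  verify) verify_from_instance ;;
esac
```

Run `sh sts_endpoint.sh create` from a machine with permissions to manage the VPC, then `sh sts_endpoint.sh verify` on the instance; if the verification step reports a public address, private DNS is either disabled on the endpoint or the VPC does not have DNS hostnames and DNS resolution enabled.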

Related

Internet access via VPC endpoint

Can anyone explain the situation below to me?
I connected to an EC2 instance in a private subnet via a bastion host. Then I created a VPC gateway endpoint to reach S3. I assigned the required role to the EC2 instance and the connection to S3 is working. My question is, how can an EC2 instance in a private subnet download something from the internet?
A VPC endpoint is used to access a certain service, in this case S3, over the AWS network instead of over the internet.
If you want your instance to be able to talk to the internet, you'll need to configure a NAT gateway in a public subnet, and you'll need to configure the route table of the private subnet to forward traffic to the NAT gateway.
A simple solution would be:
Put everything in a Public Subnet
Assign a Public IP address to the Amazon EC2 instance
Use Security Groups to secure access on the Amazon EC2 instance (that is, only allow Inbound connections from the Bastion)
The effective result is the same as using a Private Subnet, but the EC2 instance will be able to establish Outbound connections to the Internet (but not Inbound, so it remains secure).

Unable to Access IAM AWS Service Endpoint in a private subnet using a Private Link of VPC Endpoint

We're trying to access AWS services from a private subnet in a VPC using a VPC endpoint or PrivateLink. We're trying to avoid adding a NAT gateway to the private subnet.
We created/added VPC endpoints (i.e. the AWS services for EC2 and S3):
com.amazonaws.us-east-2.ec2
com.amazonaws.us-east-2.s3
But we're not able to access something like com.amazonaws.us-east-2.iam; is there an IAM endpoint, is this supported, or is there any workaround for us to use IAM via a VPC endpoint in us-east-2?
Here's the error we're getting when we use the latest version of the Java AWS SDK to get the IAM role attached to the EC2 instance programmatically:
org.apache.http.conn.ConnectTimeoutException: Connect to
iam.amazonaws.com:443 [iam.amazonaws.com/
Thanks for any information you can provide.
As of May 2022, a VPC endpoint for IAM is not supported. You'd have to connect to IAM via the internet. Or, as a workaround, you can do IAM actions in CloudFormation.

How to publicly access an Elasticsearch VPC endpoint

I have created an Elasticsearch service in AWS with Dev Testing (t2.small).
Details shown below:
VPC: vpc-7620c30b
Security Groups: sg-7e9b1759
IAM Role: AWSServiceRoleForAmazonElasticsearchService
AZs and Subnets: us-east-1e: subnet-2f100a11
How can I access my VPC endpoint https://vpc-xxx.us-east-1.es.amazonaws.com from outside?
Kibana is below: https://vpc-xx.us-east-1.es.amazonaws.com/_plugin/kibana/
I am not running on an EC2 instance.
From docs:
To access the default installation of Kibana for a domain that resides within a VPC, users must have access to the VPC. This process varies by network configuration, but likely involves connecting to a VPN or managed network or using a proxy server.
One way of setting up the proxy server has been explained in detail in the recent AWS blog post:
How do I use an NGINX proxy to access Kibana from outside a VPC that's using Amazon Cognito authentication?
The instructions could also be adapted to not use Cognito.
Extra links, with other, probably easier setups using SSH tunnels:
How to connect to AWS Elasticsearch cluster from outside of the VPC
How To: Access Your AWS VPC-based Elasticsearch Cluster Locally
SSH Tunnel Access to AWS ElasticSearch Domain and Kibana | Howto
How can I use an SSH tunnel to access Kibana from outside of a VPC with Amazon Cognito authentication?
VPC endpoints are not accessible directly from outside of the VPC.
If you want to allow this you will need to use a proxy instance in your VPC that can connect to the VPC endpoint, then proxy all requests through the EC2 instance in order to access the endpoint.
More information is available here.

Lambda access to Kibana service on EC2 instance and also to S3

An Elastic IP was assigned to an EC2 instance, and an ELK service was built on the EC2 instance. In the security group, we restricted the Kibana service to port 9000 and only allowed private addresses (VPC) in the AWS VPC to access the Kibana service.
Now I need the Lambda function to access port 9000 through the EC2 private address, and the Lambda function also needs to access the contents of an S3 bucket while it is accessing through the EC2 private IP address.
How can I set this up?
Thank you!
The AWS Lambda function will need to be connected to the VPC. This will give it an Elastic Network Interface (ENI) with a private IP address.
To configure the security:
Create a Security Group for the Lambda function (Lambda-SG). Leave with default settings (Allow all outbound).
On the Security Group for the Kibana server, allow inbound connections on port 9000 from Lambda-SG (refer to it by name; selecting it will insert the ID of the Lambda security group).
To allow the Lambda function to also access Amazon S3, choose one of the following:
Add a NAT Gateway to a public subnet and configure the Route Table of the private subnet (used by Lambda) to send 0.0.0.0/0 traffic to the NAT Gateway. OR
Add a VPC Endpoint for S3 to the VPC. This will route requests directly to S3 instead of going via the Internet Gateway.
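As an added example (not the original answerer's code), the shell script below carries out the steps of this answer with the AWS CLI and also covers the NAT gateway plus route table setup described in the "Internet access via VPC endpoint" answer above. All resource IDs and the function name are hypothetical placeholders; the `aws` subcommands are real.

```shell
#!/usr/bin/env sh
# Added example (not from the original answers): connect a VPC-attached
# Lambda function to a Kibana instance on 9000/tcp, then give it a path to
# S3 through either an S3 gateway endpoint (4a) or a NAT gateway (4b).
# Every ID below is a hypothetical placeholder.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
PRIVATE_SUBNET="${PRIVATE_SUBNET:-subnet-0aaaaaaaaaaaaaaaa}"   # the function's ENIs live here
PUBLIC_SUBNET="${PUBLIC_SUBNET:-subnet-0bbbbbbbbbbbbbbbb}"     # the NAT gateway lives here
PRIVATE_RTB="${PRIVATE_RTB:-rtb-0123456789abcdef0}"            # route table of the private subnet
KIBANA_SG="${KIBANA_SG:-sg-0kkkkkkkkkkkkkkkk}"                 # SG already on the ELK instance

# 1. Security group for the function. A new group allows all outbound
#    traffic and has no inbound rules, which is the "default settings" the
#    answer asks for.
create_lambda_sg() {
  aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name lambda-sg --description "Lambda to Kibana" \
    --query GroupId --output text
}

# 2. Allow 9000/tcp on the Kibana group from the Lambda group rather than
#    from an IP range, so the rule follows the function's ENIs whichever
#    private address they receive.
allow_kibana_from_lambda() {
  kibana_sg="$1"; lambda_sg="$2"
  aws ec2 authorize-security-group-ingress --region "$REGION" \
    --group-id "$kibana_sg" --protocol tcp --port 9000 --source-group "$lambda_sg"
}

# 3. Attach the function to the private subnet with that group; this is
#    what gives it the ENI and private IP the answer mentions.
attach_lambda_to_vpc() {
  fn="$1"; lambda_sg="$2"
  aws lambda update-function-configuration --region "$REGION" --function-name "$fn" \
    --vpc-config "SubnetIds=${PRIVATE_SUBNET},SecurityGroupIds=${lambda_sg}"
}

# 4a. S3 gateway endpoint: adds a prefix-list route to S3 in the private
#     route table; no internet path is created.
create_s3_gateway_endpoint() {
  aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Gateway --service-name "com.amazonaws.${REGION}.s3" \
    --route-table-ids "$PRIVATE_RTB" \
    --query VpcEndpoint.VpcEndpointId --output text
}

# 4b. NAT gateway alternative: Elastic IP plus NAT gateway in the public
#     subnet, then a default route from the private subnet to it. This
#     opens general outbound internet access, not just S3.
create_nat_default_route() {
  alloc="$(aws ec2 allocate-address --region "$REGION" --domain vpc \
             --query AllocationId --output text)"
  nat="$(aws ec2 create-nat-gateway --region "$REGION" --subnet-id "$PUBLIC_SUBNET" \
           --allocation-id "$alloc" --query NatGateway.NatGatewayId --output text)"
  aws ec2 wait nat-gateway-available --region "$REGION" --nat-gateway-ids "$nat"
  aws ec2 create-route --region "$REGION" --route-table-id "$PRIVATE_RTB" \
    --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$nat"
}

if [ "${1:-}" = "apply" ]; then
  lambda_sg="$(create_lambda_sg)"
  allow_kibana_from_lambda "$KIBANA_SG" "$lambda_sg"
  attach_lambda_to_vpc "${FUNCTION_NAME:-my-function}" "$lambda_sg"
  create_s3_gateway_endpoint   # swap for create_nat_default_route if the function needs the wider internet
fi
```

The gateway endpoint is the narrower choice: it reaches S3 only, whereas the NAT route exposes every destination on 0.0.0.0/0, so prefer 4a unless the function has other internet dependencies.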

How to set up access to an ElasticDomain from a different AWS account?

I created an ElasticDomain in a private subnet which has a VPC endpoint and a security group which allows access on port 443. We want to access this ElasticDomain from another AWS account's EC2 instance, but we are not able to do that.
We tried creating the ElasticDomain with a public endpoint, which is accessible from anywhere, but that is not the right option for us.
We are considering using Apache as a reverse proxy and then setting up a VPC PrivateLink in a consumer account. Is that the right approach?
AWS PrivateLink via VPC and Network Load Balancer doesn't support ElasticDomain for now.
Check out the following two links:
1) https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/
2) AWS ElasticSearch write to account "A" from lambda in account "B"