One of the biggest annoyances when working with AWS from an Internet connection with a dynamic IP is that, when the IP changes, you immediately lose access to every server and service protected by an EC2 security group whose rules only allow traffic from specific IPs instead of from everyone (0.0.0.0/0).

Certainly the simplest thing to do is to always allow traffic on a given port from everyone, so that even if your Internet connection has a dynamic IP you keep your access after it changes.

But opening a port to everyone is not the right way to proceed from a security point of view, because any attacker will then be able to reach that port without restriction, and that is not what you want.

A much safer alternative is to restrict traffic to a given port (for example SSH TCP/22 or RDP TCP/3389) to your own public IP only, because then you can be sure that only you have access to that port. (IP spoofing is not a practical way around this for TCP services, since a forged source address cannot complete the three-way handshake; even so, the rule is only one layer, and the service behind it should still require strong authentication such as SSH keys or MFA.)

But of course, if your IP is dynamic and changes frequently, it is a big nuisance to go over and over again editing the different security groups in your infrastructure one by one to update your IP. If, as in my case, you have multiple clients, each with numerous security groups in different geographic regions, then this task is a considerable waste of time that you will incur over and over again.

Of course, it would be optimal if your infrastructure did not have servers with open ports to the outside. Ideally, access should be provided through a jump box (also known as a bastion host) that can only be accessed using MFA, all services should live on internal or private subnets without Internet access, and ports that necessarily have to be open, such as 80/443, should only be exposed through load balancers properly protected with a WAF, ACL rules and other protection services such as AWS Shield. But these are architectural issues that go beyond the scope of this article.

The fact is that in practice many companies continue to protect access to their servers and services by relying only on EC2 security groups. So this task of updating my own source public IP needs to be performed over and over again, at least until I help them improve their infrastructure and security.

To avoid having to do this task by hand I wrote the following bash script, which updates all security groups in all regions of an AWS account:

#! /bin/bash
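The author's script itself is not reproduced on this page. The following is an added example of how such a script can be written with the AWS CLI; it is not the author's code. It assumes AWS CLI v2 with working credentials, that the inbound rules which should follow your IP carry a fixed description (the marker `home-dynamic-ip` is an assumption, settable through `RULE_DESCRIPTION`) so that other people's rules are never touched, and that the current public IP is read from checkip.amazonaws.com. It uses the real `describe-regions`, `describe-security-group-rules` and `modify-security-group-rules` commands.

```shell
#!/bin/bash
# Added example, not the article's own script. Assumptions: AWS CLI v2 with
# working credentials; the inbound rules you want to follow your IP carry a
# fixed description (RULE_DESCRIPTION) so they can be told apart from rules
# that belong to other people; the public IP is read from checkip.amazonaws.com.
set -eu

RULE_DESCRIPTION="${RULE_DESCRIPTION:-home-dynamic-ip}"   # assumed marker

# Validate a dotted-quad IPv4 address and print it as a /32 CIDR.
# Fails (non-zero) on anything else, so a garbled lookup result never
# reaches the AWS API as a rule.
ip_to_cidr() {
  ip="$1"
  case "$ip" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# Build the shorthand argument that modify-security-group-rules expects.
# The whole rule has to be restated, not only the CIDR that changes.
rule_spec() {
  printf 'SecurityGroupRuleId=%s,SecurityGroupRule={IpProtocol=%s,FromPort=%s,ToPort=%s,CidrIpv4=%s,Description=%s}\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Current public IPv4 of this machine (assumption: checkip.amazonaws.com).
current_ip() {
  curl -fsS https://checkip.amazonaws.com | tr -d '[:space:]'
}

# In one region, find every inbound IPv4 rule marked with our description and
# rewrite its CIDR in place. Rule IDs stay stable, so nothing is revoked
# before its replacement exists and there is no window of lockout.
update_region() {
  region="$1"; new_cidr="$2"; mode="$3"
  aws ec2 describe-security-group-rules --region "$region" \
    --query "SecurityGroupRules[?!IsEgress && CidrIpv4 && Description=='${RULE_DESCRIPTION}'].[SecurityGroupRuleId,GroupId,IpProtocol,FromPort,ToPort,CidrIpv4]" \
    --output text |
  while read -r rule_id group_id proto from_port to_port old_cidr; do
    [ "$old_cidr" != "$new_cidr" ] || continue      # already current
    spec=$(rule_spec "$rule_id" "$proto" "$from_port" "$to_port" "$new_cidr" "$RULE_DESCRIPTION")
    echo "$region $group_id $rule_id: $old_cidr -> $new_cidr"
    [ "$mode" = "dry-run" ] && continue
    aws ec2 modify-security-group-rules --region "$region" \
      --group-id "$group_id" --security-group-rules "$spec"
  done
}

# Usage: ./update-sg-ip.sh dry-run | apply   (no argument: only define functions)
case "${1:-}" in
  dry-run|apply)
    new_cidr=$(ip_to_cidr "$(current_ip)") || { echo "could not determine a valid public IPv4" >&2; exit 1; }
    for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do
      update_region "$region" "$new_cidr" "$1"
    done ;;
esac
```

Run it as `./update-sg-ip.sh dry-run` first to see which rules would change, then `./update-sg-ip.sh apply`. Two design choices matter here: the rules are selected by their description rather than by port, so a rule that someone else added for a different source is never rewritten, and each rule is modified in place rather than revoked and re-authorised, so a failure halfway through never leaves you locked out. Under plain `sh` a failing `describe-security-group-rules` call only empties the loop for that region; when running under bash, adding `set -o pipefail` makes such a failure abort the run instead.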