VPC Security! it’s a must!

In this blog post we are going to take a look at Security Groups and Network Access Control Lists (NACLs) in AWS.

We will also look at the difference between them and at how we can use them to increase our security in the cloud.

Security Groups

Before we talk about security groups, it’s important that you know what they look like in AWS.

AWS Security groups

So what are security groups?!

  1. Control how traffic is allowed into or out of your EC2 instances.
  2. Security groups are stateful (return traffic is automatically allowed).
    • If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  3. Can be attached to multiple instances.
  4. Locked down to a Region/VPC.
  5. All inbound traffic is blocked by default.
  6. All outbound traffic is authorised by default.
  7. You can specify allow rules, but not deny rules.

You can also reference another security group instead of an IP address.

Let’s take an example of that.

In this example we can see that EC2-1 and EC2-2 are allowed to send traffic to EC2-3.

This is because EC2-3 has a security group (named SG-200) with an inbound rule that allows access from any machine that has the security group named SG-100 assigned to it.

Inbound rules of EC2-3

| Source | Protocol | Port range | Description |
| --- | --- | --- | --- |
| The security group ID (sg-100) | All | All | Allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. |

Security group example

Now let’s talk about Network Access Control Lists (NACLs).

AWS NACL

Key notes about NACLs

  • Control traffic between different subnets in the same VPC
  • Stateless – we need to explicitly open outbound traffic
  • Work at the subnet level – automatically applied to all instances in the subnet
  • Contain both allow and deny rules
  • Rules are evaluated in the order of their rule number
  • The default NACL allows all inbound and outbound traffic
  • NACLs are a great way of blocking a specific IP at the subnet level

Inbound

| Rule # | Type | Protocol | Port range | Source | Allow/Deny |
| --- | --- | --- | --- | --- | --- |
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

Outbound

| Rule # | Type | Protocol | Port range | Destination | Allow/Deny |
| --- | --- | --- | --- | --- | --- |
| 100 | All IPv4 traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 traffic | All | All | 0.0.0.0/0 | DENY |

NACL example

Most important – by default, subnets in the same VPC can communicate without any restrictions, because the default NACL permits all traffic inside the VPC.

It’s always recommended to use NACLs to limit access between subnets.
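To make the rule-ordering and stateless points concrete, here is a small Python model added for this post (it is not code from the original article and does not talk to AWS); the rule numbers, CIDRs and the ALL_PORTS helper are constructed for the example, and the NACLs follow the rule 100 / * layout of the default NACL shown above.

```python
"""Models the two evaluation behaviours described above (constructed example).
NACL: ordered by rule number, first match decides, '*' denies the rest, and it
is stateless, so a reply is judged by the outbound rules like any packet.
Security group: allow rules only, stateful.  TCP only; RFC 5737 addresses."""
import ipaddress

ALL_PORTS = (0, 65535)

def nacl_evaluate(rules, peer_ip, port):
    """rules: [(rule_number or '*', cidr, (low, high), 'ALLOW' | 'DENY')]."""
    peer = ipaddress.ip_address(peer_ip)
    numbered = sorted((r for r in rules if r[0] != "*"), key=lambda r: r[0])
    for _, cidr, (low, high), action in numbered:
        if peer in ipaddress.ip_network(cidr) and low <= port <= high:
            return action              # first matching rule decides
    return "DENY"                      # the '*' catch-all rule

def sg_evaluate(allow_rules, peer_ip, port, is_return_traffic=False):
    """allow_rules: [(cidr, (low, high))]; security groups have no deny rules."""
    if is_return_traffic:
        return "ALLOW"                 # stateful: tracked connection, rules ignored
    peer = ipaddress.ip_address(peer_ip)
    for cidr, (low, high) in allow_rules:
        if peer in ipaddress.ip_network(cidr) and low <= port <= high:
            return "ALLOW"
    return "DENY"                      # implicit: no rule allowed it

# Blocking one address at the subnet level: the DENY must carry a lower rule
# number than the broad ALLOW, otherwise rule 100 matches first and wins.
DENY_AFTER_ALLOW = [(100, "0.0.0.0/0", ALL_PORTS, "ALLOW"),
                    (110, "203.0.113.7/32", ALL_PORTS, "DENY"),   # never reached
                    ("*", "0.0.0.0/0", ALL_PORTS, "DENY")]
DENY_BEFORE_ALLOW = [(90, "203.0.113.7/32", ALL_PORTS, "DENY"),
                     (100, "0.0.0.0/0", ALL_PORTS, "ALLOW"),
                     ("*", "0.0.0.0/0", ALL_PORTS, "DENY")]

# Stateless return traffic: a web server's reply leaves towards the client's
# ephemeral port, so the outbound NACL needs an explicit rule for 1024-65535.
OUTBOUND_NO_EPHEMERAL = [(100, "0.0.0.0/0", (443, 443), "ALLOW"),
                         ("*", "0.0.0.0/0", ALL_PORTS, "DENY")]
OUTBOUND_WITH_EPHEMERAL = [OUTBOUND_NO_EPHEMERAL[0],
                           (110, "0.0.0.0/0", (1024, 65535), "ALLOW"),
                           OUTBOUND_NO_EPHEMERAL[1]]

if __name__ == "__main__":
    print(nacl_evaluate(DENY_AFTER_ALLOW, "203.0.113.7", 22))             # ALLOW
    print(nacl_evaluate(DENY_BEFORE_ALLOW, "203.0.113.7", 22))            # DENY
    print(nacl_evaluate(OUTBOUND_NO_EPHEMERAL, "198.51.100.9", 50000))    # DENY
    print(nacl_evaluate(OUTBOUND_WITH_EPHEMERAL, "198.51.100.9", 50000))  # ALLOW
    print(sg_evaluate([("0.0.0.0/0", (443, 443))], "198.51.100.9", 50000, True))  # ALLOW
```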

Compare security groups and network ACLs

The following table summarizes the basic differences between security groups and network ACLs.

| Security group | Network ACL |
| --- | --- |
| Operates at the instance level | Operates at the subnet level |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in order, starting with the lowest numbered rule, when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets that it’s associated with (therefore, it provides an additional layer of defense if the security group rules are too permissive) |

Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

AWS S3 Bucket – Secure File Sharing

In this blog post, we will create an S3 bucket with a policy that only allows us to connect to a specific folder in the bucket, and only from a specific IP address.

The main advantages of this service:

  • Unlimited storage
  • Low cost
  • Ability to transfer data to cold/archive storage
  • Limit access by IP and folder
  • Has backup/redundancy
  • Can be created in any region

Disadvantages

  • Hard to manage users
  • Need basic knowledge of JSON and AWS
  • Limited to specific SFTP clients that support S3 buckets

Let’s start. First, let’s create the S3 bucket.

To create a bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. Choose Create bucket.
  3. In Bucket name, enter a DNS-compliant name for your bucket. The bucket name must:
    • Be unique across all of Amazon S3.
    • Be between 3 and 63 characters long.
    • Not contain uppercase characters.
    • Start with a lowercase letter or number.
  After you create the bucket, you can’t change its name. For information about naming buckets, see Rules for bucket naming in the Amazon Simple Storage Service Developer Guide.
  Important: Avoid including sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.
  4. In Region, choose the AWS Region where you want the bucket to reside. Choose a Region close to you to minimize latency and costs and address regulatory requirements. Objects stored in a Region never leave that Region unless you explicitly transfer them to another Region. For a list of Amazon S3 AWS Regions, see AWS service endpoints in the Amazon Web Services General Reference.
  5. In Bucket settings for Block Public Access, choose the Block Public Access settings that you want to apply to the bucket. (Please leave all settings enabled.)
  6. After the bucket is created, open it and create a folder named Home. Inside the Home folder, create two more folders, one named Devops and the second named IT.

Now let’s create the IAM policy

To create your own IAM policy

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Policies, and then choose Create Policy. If a Get Started button appears, choose it, and then choose Create Policy.
  3. On the Create policy page, select the JSON tab and paste the policy below. (Don’t forget to replace <Bucketname> and <YourpublicIP> in the JSON with your actual bucket name and the public IP address you are connecting from.)
  4. Click Review policy, give the policy a name, and click Create policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToAccessFolder2Only",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucketname>/Home/Devops/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucketname>"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Home/Devops/**"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "<YourpublicIP>"
                    ]
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                }
            }
        }
    ]
}
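As an added example that is not part of the original post, the following Python script models how IAM would evaluate requests against the policy above, with an explicit deny winning over any allow; BUCKET, OFFICE_IP and the request contexts are constructed placeholders, and the evaluation logic is a simplified model written for this illustration, not the AWS service itself.

```python
"""Models how IAM evaluates the bucket policy above (constructed example).
An explicit Deny wins over any Allow; with no matching Allow, the request is
implicitly denied.  BUCKET and OFFICE_IP stand in for <Bucketname> and
<YourpublicIP>; the other addresses are RFC 5737 documentation ranges."""
import fnmatch
import ipaddress

BUCKET = "example-bucket"
OFFICE_IP = "198.51.100.10/32"
POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:PutObject*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/Home/Devops/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}"],
     "Condition": {"StringLike": {"s3:prefix": ["Home/Devops/**"]}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": [OFFICE_IP]},
                   "Bool": {"aws:ViaAWSService": "false"}}},
]

def _matches(patterns, value):
    """IAM wildcard match ('*', '?') of value against a pattern or list."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, ctx):
    """Every operator must hold; a StringLike key absent from ctx fails."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if operator == "StringLike" and (key not in ctx or not _matches(wanted, ctx[key])):
                return False
            if operator == "Bool" and str(ctx.get(key, "false")).lower() != wanted.lower():
                return False
            if operator == "NotIpAddress" and any(  # holds only if ip is in no CIDR
                    ipaddress.ip_address(ctx["aws:SourceIp"]) in ipaddress.ip_network(c)
                    for c in wanted):
                return False
    return True

def evaluate(action, resource, ctx):
    """Return 'ALLOW' or 'DENY' for one request; ctx is the request context."""
    decision = "DENY"                           # implicit deny
    for stmt in POLICY:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"                       # explicit deny always wins
        decision = "ALLOW"
    return decision
```

A request for a key under Home/IT/ from the office address is denied because no Allow statement covers it, while any request from another address hits the explicit Deny.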

After the policy is created, let’s create an IAM user and attach the new policy to it.

Creating IAM users (console)

You can use the AWS Management Console to create IAM users.

To create one or more IAM users (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users and then choose Add user.
  3. Type the user name for the new user.
  4. Select the type of access this set of users will have. We will select Programmatic access.

Type the name of the policy that you previously created and attach it to the user.

Click Next and create the user.

Save the access key ID and secret access key in a secure location; we will use them to connect to our bucket.

That’s it! Let’s now connect to our S3 bucket.

  1. Download WinSCP.
  2. Set File protocol to Amazon S3.
  3. Click Advanced and enter the remote directory.
  4. Enter the access key ID and secret access key and click Login.