ACM.100 Utilizing an EIP to get a set IP deal with for EC2 situations and community interfaces
This can be a continuation of my collection of posts on Automating Cybersecurity Metrics.
In a earlier submit, I needed to change my IP deal with to an IP deal with that was already allowed via my native firewall with a purpose to join.
On this submit, I’ll exchange that current IP deal with with an Elastic IP (EIP) deal with. Through the use of an EIP, I’ll have a set IP deal with that may stay fixed when my EC2 occasion (VM) on AWS stops and begins. I may also level that IP deal with at totally different digital machines.
I’ll implement the EIP with a template from CloudFormation. Then I’ll affiliate that new IP deal with with the Developer EC2 occasion that we deployed.
Your organization might have an AWS Direct Join or a VPN to create personal connections to AWS. For some smaller companies, or in case you’re a single person connecting to your individual cloud account, you should utilize the straightforward choices I will introduce beneath to enhance the safety of your cloud sources. You might also want a static IP in some circumstances, akin to for a penetration take a look at or another connection to a 3rd social gathering with community restrictions, as I clarify beneath.
Default AWS EC2 Occasion IP Handle
If you deploy EC2 situations on AWS with a public IP deal with, you don’t management the IP deal with assigned to your occasion by default. AWS controls that. You’re going to get an assigned deal with from one of many many IP addresses within the AWS deal with area. As I wrote earlier than, you will discover them right here:
https://ip-ranges.amazonaws.com/ip-ranges.json
One of many issues with these random assignments of IP addresses is that it makes it very troublesome to construct firewall guidelines. You do not know which IP deal with it is advisable enable, so chances are you’ll find yourself simply permitting all AWS IP ranges. So what occurs?
Effectively, in some circumstances, attackers benefit from AWS and different cloud suppliers to hold out their assaults as a result of they know that is what you have accomplished. One instance was the photo voltaic wind hole. I defined how the attackers used Azure and AWS on this submit:
Firewall guidelines usually require an IP deal with or CIDR block. That will depend on whether or not the firewall is stateless or stateful, phrases I clarify in my guide on the finish of this submit and in earlier posts on this weblog. Stateless firewalls examine particular person packets that don’t have full utility layer information, akin to totally certified domains (FQDNS). A stateful firewall will reassemble packets for inspection and rule enforcement. There are causes every is useful in your general community structure.
Even when you should utilize a site title in your community guidelines, you’ll nonetheless run into issues with DNS in the case of firewall guidelines and EC2 situations. Your area title is configured to ship somebody to a specific IP deal with. You then resolve that it is advisable cease and begin your EC2 occasion. You now have a brand new IP deal with. Your DNS information not resolve to the proper host.
Another person begins an EC2 occasion and will get your previous deal with. Now your web site guests get one other machine. If that machine was serving as a server on a web site, your area could be pointing to a different web site!
I used to be extraordinarily involved about this concern when deploying a bastion host on Capital One. Builders have been supposed to make use of a site title to entry it and log in, presumably with manufacturing credentials. The particular person operating the DNS servers could not work out why a TTL of 1 hour was too lengthy.
Elastic IP Handle
As a substitute of counting on domains, we are able to use an Elastic IP (EIP) deal with in AWS to offer an EC2 occasion or load balancer or another useful resource a set IP deal with. You arrange a set AWS IP deal with and may then assign it to varied sources. You may as well disassociate an IP deal with and assign it to a brand new IP deal with later.
It’s totally versatile, however you are restricted to five per area for an IPv4 deal with.
Additionally, word that you’ll not be charged for an EIP in use, however in case you don’t have it assigned to any sources, you can be billed for it. Click on Elastic IP Addresses on this web page to view pricing.
An alternative choice is to carry your individual IP to AWS. This matter is extra difficult than we will cowl on this collection, however you’ll be able to examine it right here.
It additionally seems that you could request contiguous fastened IP addresses.
Why does it matter? For instance you have got 5 IP addresses. If the addresses are steady, you should utilize a single entry with a CIDR block to permit entry to your IP vary. In any other case you want a single rule in your community guidelines for every deal with. Now for example you are utilizing Energetic Listing and you need to open 50 separate ports and protocols (that is what I felt once I was making an attempt to implement it anyway). 50 x 5 = 250 guidelines.
Suppose you’re in a fancy community atmosphere that has been acquired by many firms and has many forests and timber for AD and none of them are contiguous. I’ve had flashbacks. You get the concept. That concern is a part of the rationale now you can add extra guidelines for safety teams in AWS than was once attainable. It was one other considered one of our function requests whereas at Capital One.
Thankfully, AWS has launched a brand new function that may assist with that drawback known as Prefix Lists. I’ll write extra about them in some posts. You may add a listing of IP addresses to a listing of prefixes and use it in safety teams and firewalls. Nonetheless, it will not work for AWS NACL.
Makes use of of elastic IP addresses to enhance safety
Generally clients need you to supply a set IP deal with for a penetration take a look at. I do not choose this method as a result of it’s totally straightforward to overlook one thing when simply utilizing a set IP that’s one way or the other blocked or processed in a different way than new IPs, but when it is a requirement I can use an EIP.
I began writing about my dwelling community and the way I’m organising and testing firewall merchandise. Sorry I am not accomplished with this but, I simply have too many pursuits, however I hope to be again quickly. I want the code for the collection I am writing for industrial initiatives, so it comes first. Nonetheless, you’ll be able to configure your own home firewall to solely enable SSH entry to particular hosts in case you assign an EIP. There are different methods, some higher than others. For instance, I do not like to make use of DNS companies that are not really vetted. A VPN could be one other good choice.
Moreover, you’ll be able to specify that solely sure IP addresses are allowed entry to sure cloud companies akin to GitHub. When you’re utilizing an EC2 occasion to obtain and entry code on a non-public GitHub account, you’ll be able to block it solely on the IP addresses you need to authorize. I will present you in a minute. I choose to solely use cloud companies that enable me to manage entry by way of IP addresses in that means.
Creating an EIP in CloudFormation
These are the properties accessible to us when creating an EIP in CloudFormation.
The one properties that basically trouble me are the next:
Labels — Label: I need to use a tag to determine the IP deal with with a reputation.
Occasion ID: we are able to affiliate the EIP with an EC2 occasion.
InstanceId isn’t required, so we are able to create the EIP and affiliate it at a later time utilizing the EIP Affiliation CloudFormation useful resource. This selection could also be required if an EC2 occasion has a number of interfaces or if you wish to affiliate the IP with a community interface as an alternative of an EC2 occasion.
Separation of duties for EIPs to keep away from community misconfigurations
The EIP ought to most likely be created on the community. Our community directors will management the creation of IP addresses. We’d additionally need them to manage which sources could be allotted to which IP addresses.
For instance you have got a rogue person who needs to entry a manufacturing useful resource however cannot. If that particular person can affiliate a useful resource that he’s not speculated to entry because of community guidelines with an EIP that he can entry via the firewall, it’s attainable that he can entry one thing that he should not.
See my earlier weblog submit for an instance the place I could not get my firewall previous AWS, so I disassociated an IP deal with from an current occasion and assigned it to the occasion I needed to connect with. 😀 Mwa-ha-ha. Do not let customers of your cloud atmosphere like me do these issues if they don’t seem to be speculated to. Additionally, by segregating permission to create EC2 situations from community administration, a community administrator would even be unable to take action. They’ve permission to create the IP deal with, however to not run a brand new EC2 occasion that may use it.
EIP CloudFormation dependency concerns
Alright, the community directors will create and assign EIPs so we have now some new dependency concerns. We want the community earlier than we are able to create the EC2 occasion, however the EC2 occasion earlier than we are able to create the EIP. We’ll need to create a separate deployment script for the EIP so we are able to correctly order all of the stuff in our take a look at and kill script.
Easy EIP Template
Let’s begin with a easy EIP template and see if it really works. I put this in EIP.yaml in my Networking CloudFormation (cfn) listing.
Subsequent, I must replace the deployment script, however word that we have to cross two parameters. How am I going to get the ID of the occasion? Keep in mind that we had a consequence once we created our developer EC2 occasion:
We will reference that in our deployment script. I’ll create a brand new deployment script known as deployment_eip.sh for the explanations talked about above. I will want to vary the ID of the occasion to reference that export, so I will cross within the title of the export and use the export with an ImportValue perform to get the ID of the occasion in my template:
I then added a perform to network_functions.sh
BTW, I initially used $title for my variable and obtained bizarre outcomes. So I want to maneuver this out of bash, however that is the quickest strategy to do the preliminary POC. Keep tuned for a greater choice (hope I’ve time).
Now I can name the perform from my deployment_eips.sh script.
And take a look at it…it labored. And our output for the EIP stack has the brand new IP deal with in case we’d like it. Observe that that is NOT my IP within the screenshot beneath, so do not name it 867–5309. When you’re previous you realize what I am speaking about. 🙂
You may as well check out the checklist of EIPs on the EC2 dashboard and verify your EC2 occasion to confirm that the IP deal with was assigned appropriately.
Additionally, you will see that public IP deal with in your EC2 occasion. Observe that although my occasion is stopped, it nonetheless has the general public IP assigned to it:
Now, that will or is probably not sufficient to assist you to connect with that host in AWS. It will depend on your native community. Within the subsequent submit, I’ll present you the way to configure native community firewall guidelines.
Observe for updates.
Teri Radichel
When you like this story please applaud Y proceed:
Medium: Teri Radichel or Electronic mail Record: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests companies by way of LinkedIn: Teri Radichel or IANS Analysis
© second sight lab 2022
All posts on this collection:
____________________________________________
Writer:
Cybersecurity for executives within the cloud period at Amazon
Do you want cloud safety coaching? 2nd Sight Lab Cloud Safety Coaching
Is your cloud safe? Rent 2nd Sight Lab for a penetration take a look at or safety evaluation.
Do you have got a query about cybersecurity or cloud safety? Ask Teri Radichel by scheduling a name with IANS Analysis.
Cybersecurity and Cloud Safety Sources by Teri Radichel: Cybersecurity and cloud safety lessons, articles, white papers, shows, and podcasts
– Deploying an AWS Elastic IP Address | by Teri Radichel | Cloud Security | Nov, 2022
