6 secure ways to connect AWS resources

How you access AWS resources from on-premises also defines your security posture and cloud security principles.

What is the best way to connect securely from on-premises or a local machine?

A few questions to ask yourself:

5 ways to connect to AWS resources securely:

If you have no connectivity back to on-premises from the cloud (IPsec or Direct Connect) and you would like to access EC2/RDS in private subnets from on-premises or a local machine.

This is the traditional way of connecting and has a few caveats:

Cons:

Pros:

Source — AWS

It is good practice to allow only a specific set of on-premises IP addresses to reach the cloud over port 22 and to keep all logs on a centralized jump host.

Pros:

Cons:

This is the best and recommended approach for connecting to EC2 instances, or for using local port forwarding to access RDS or other AWS resources.

Pros:

Cons:

How to install (steps):

Log in to the EC2 instance:

Local port forwarding example (remote port 443, local port 56789):

aws ssm start-session \
    --target <instance-id> \
    --document-name AWS-StartPortForwardingSession \
    --parameters '{"portNumber":["443"], "localPortNumber":["56789"]}' \
    --region <region-name>

How it works:

Session Manager:

Source — AWS

Port forwarding:

Source: AWS

Cons:

Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). It is primarily meant for public EC2 instances.

Cons:

Pros:

In general, EC2 instances should not be deployed in public subnets with port 22 access (unless there is an edge case or business use case).

EC2 Instance Connect Endpoint (EIC Endpoint) allows you to connect securely to your instances and other VPC resources from the Internet. With EIC Endpoint, you no longer need an IGW in your VPC, a public IP address on your resource, a bastion host, or any agent to connect to your resources.

EIC Endpoint combines identity-based and network-based access controls, providing the isolation, control, and logging needed to meet your organization’s security requirements.

Source: AWS

To create an EIC Endpoint with the AWS CLI, run the following command, replacing [SUBNET] with your subnet ID and [SG-ID] with your security group ID:

After creating an EIC Endpoint using the AWS CLI or Console, and granting the user IAM permission to create a tunnel, a connection can be established.

Once configured, you can connect using the new AWS CLI command, shown in the following figure:

Source: AWS

To test connecting to your instance from the AWS CLI, you can run the following command where [INSTANCE] is the instance ID of your EC2 instance:

Source : AWS

Once the EIC Endpoint is configured, we can SSH into our EC2 instances without a public IP or IGW using the AWS CLI.

You can also connect to private instances directly (without IPsec or Direct Connect) and send logs to a centralized S3 bucket for auditing purposes.

EIC Endpoint is a much better approach for accessing public EC2 instances.
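As an added example (not code from the original post or from AWS), the following Bash wrapper ties together the two connection paths described above: SSM port forwarding, extended to the RDS case via the AWS-StartPortForwardingSessionToRemoteHost document, and SSH through an EIC Endpoint. The helper names, instance id, region and database hostname are assumed placeholders; commands are printed for review rather than executed unless RUN_AWS=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a wrapper around the two
# private connection paths discussed above (SSM port forwarding and EIC Endpoint
# SSH). Helper names are hypothetical; the `aws` invocations are real CLI
# commands, executed only when RUN_AWS=1, otherwise printed for review.
set -eu

# An EC2 instance id is "i-" followed by 8 or 17 hex digits. Validating it
# before interpolation keeps shell metacharacters out of the command line.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}
# Local side of the tunnel: an unprivileged port, so no root on the client.
valid_local_port() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the SSM port-forwarding command. Without a host the tunnel ends on the
# instance itself (the post's 443 -> 56789 case). With a host, e.g. an RDS
# endpoint, the instance acts as a jump and the RemoteHost document is required.
ssm_forward_cmd() {
  local instance="$1" remote_port="$2" local_port="$3" region="$4" host="${5:-}"
  valid_instance_id "$instance" || { echo "bad instance id: $instance" >&2; return 1; }
  valid_local_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
  local doc='AWS-StartPortForwardingSession'
  local params="\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]"
  if [ -n "$host" ]; then
    doc='AWS-StartPortForwardingSessionToRemoteHost'
    params="\"host\":[\"$host\"],$params"
  fi
  printf "aws ssm start-session --target %s --document-name %s --parameters '{%s}' --region %s\n" \
    "$instance" "$doc" "$params" "$region"
}

# Build the EIC Endpoint SSH command (no public IP, IGW or bastion required).
eic_ssh_cmd() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
  printf 'aws ec2-instance-connect ssh --instance-id %s\n' "$1"
}

# Print the command, or run it when RUN_AWS=1.
run_or_show() {
  if [ "${RUN_AWS:-0}" = "1" ]; then eval "$1"; else printf '%s\n' "$1"; fi
}

# Constructed sample values; replace with your own instance, region and RDS host.
run_or_show "$(ssm_forward_cmd i-0123456789abcdef0 443 56789 us-east-1)"
run_or_show "$(ssm_forward_cmd i-0123456789abcdef0 5432 15432 us-east-1 mydb.example.internal)"
run_or_show "$(eic_ssh_cmd i-0123456789abcdef0)"
```

Both paths require the calling IAM principal to hold the matching ssm:StartSession or ec2-instance-connect permissions; the wrapper only shapes and checks the client-side command.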
