Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Is STS part of EC2 ip-ranges CIDR?

0

My customer, need to allow egress from VPC to STS service for VPC lambda to call STSClient.AssumeRoleAsync API call. Am I correct, assuming that they need to allow outgoing traffic to EC2 ip-ranges CIDR in their SG?

Themen
Kalkulation
Tags
Amazon EC2
Sprache
English
AWS-User-9314474
gefragt vor 7 Jahren1010 Aufrufe
1 Antwort
0
Akzeptierte Antwort

When dealing with AWS services it's generally a bad idea / almost impossible to get an authoritative set of IP addresses for a particular service unless it is explicitly called out in the ip-ranges.json file that we publish.

In the case of sts (sts.us-east-1.amazonaws.com, sts.us-east-2.amazonaws.com, etc etc etc) these are not called out explicitly and aren't part of EC2.

Instead I'd recommend configuring a proxy host that looks at the requested domain, and allowlists the sts endpoint(s) they'd like to access.

So add a squid proxy to the VPC in a public subnet configured to allowlist the sts endpoint(s) they want to communicate with. Configure the Lambda function to launch in the VPC, and use the IP address(s) / ELB of the Squid Proxy to proxy your STS calls.

AWS
AWS-User-5508656
beantwortet vor 7 Jahren
profile picture
EXPERTE
Giovanni Lauria
überprüft vor einem Monat

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt