Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Is STS part of EC2 ip-ranges CIDR?

0

My customer, need to allow egress from VPC to STS service for VPC lambda to call STSClient.AssumeRoleAsync API call. Am I correct, assuming that they need to allow outgoing traffic to EC2 ip-ranges CIDR in their SG?

Temas
Cálculo
Etiquetas
Amazon EC2
Idioma
English
AWS-User-9314474
preguntada hace 7 años1010 visualizaciones
1 Respuesta
0
Respuesta aceptada

When dealing with AWS services it's generally a bad idea / almost impossible to get an authoritative set of IP addresses for a particular service unless it is explicitly called out in the ip-ranges.json file that we publish.

In the case of sts (sts.us-east-1.amazonaws.com, sts.us-east-2.amazonaws.com, etc etc etc) these are not called out explicitly and aren't part of EC2.

Instead I'd recommend configuring a proxy host that looks at the requested domain, and allowlists the sts endpoint(s) they'd like to access.

So add a squid proxy to the VPC in a public subnet configured to allowlist the sts endpoint(s) they want to communicate with. Configure the Lambda function to launch in the VPC, and use the IP address(s) / ELB of the Squid Proxy to proxy your STS calls.

AWS
AWS-User-5508656
respondido hace 7 años
profile picture
EXPERTO
Giovanni Lauria
revisado hace un mes

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante