How to restrict certain endpoints from one AWS account to another using AWS Network Firewall?

0

Hi Team,

I want to know a recommended way to restrict certain endpoints, listed below, from AWS Account A to AWS Account B, but at the same time I want them to remain operational from A to AWS Account C, for one of my use cases. Please suggest. Thanks in advance.

**Endpoints:**

  • sts.amazonaws.com
  • rds.*.amazonaws.com
  • kms.*.amazonaws.com
  • ebs.*.amazonaws.com
  • iam.amazonaws.com
  • eks.*.amazonaws.com
  • autoscaling.*.amazonaws.com

  • How are these accounts connected? Are they using an Internet connection, Transit Gateway, VPC peering, or ...?

2 Answers
0

Hi Deepak,

To restrict access to specific AWS endpoints from one AWS account to another using AWS Network Firewall, you can set up a stateful firewall rule using AWS Firewall Manager. Here's a step-by-step guide to achieve this:

  1. Create an AWS Firewall Manager Policy:

    • Go to the AWS Firewall Manager console.
    • Create a new AWS Firewall Manager policy.
    • Add a stateful rule group to the policy. In the rule group, define rules that allow traffic to specific endpoints and deny all other traffic.
  2. Define the Rules:

    In the rule group associated with your Firewall Manager policy, you can define rules to allow traffic to the specific endpoints you want while blocking all other traffic.

    Here's an example of a rule group that allows traffic to the specified endpoints:

    {
      "RuleGroupName": "allow-aws-endpoint-ipsets",
      "Type": "STATEFUL",
      "Capacity": 100,
      "RuleGroup": {
        "RuleVariables": {
          "IPSets": {
            "AWS_STS_IPSet": { "Definition": ["203.0.113.0/24"] },
            "AWS_RDS_IPSet": { "Definition": ["203.0.113.0/24"] },
            "AWS_KMS_IPSet": { "Definition": ["203.0.113.0/24"] },
            "AWS_EBS_IPSet": { "Definition": ["203.0.113.0/24"] },
            "AWS_IAM_IPSet": { "Definition": ["203.0.113.0/24"] },
            "AWS_EKS_IPSet": { "Definition": ["203.0.113.0/24"] },
            "AWS_AutoScaling_IPSet": { "Definition": ["203.0.113.0/24"] }
          }
        },
        "RulesSource": {
          "RulesString": "pass tcp $HOME_NET any -> [$AWS_STS_IPSet,$AWS_RDS_IPSet,$AWS_KMS_IPSet,$AWS_EBS_IPSet,$AWS_IAM_IPSet,$AWS_EKS_IPSet,$AWS_AutoScaling_IPSet] 443 (msg:\"allow listed AWS endpoints\"; sid:1; rev:1;)\ndrop tcp $HOME_NET any -> any any (msg:\"drop all other traffic\"; sid:2; rev:1;)"
        },
        "StatefulRuleOptions": { "RuleOrder": "STRICT_ORDER" }
      }
    }

    In this example, replace AWS_STS_IPSet, AWS_RDS_IPSet, and other IP sets with the appropriate AWS IP sets for the services you want to allow.

  3. Associate the Policy:

    • Associate the AWS Firewall Manager policy with the VPC that AWS Account A uses.
    • Make sure that the associated VPC is peered or connected to the VPCs used by AWS Account B and AWS Account C.
  4. Configure VPC Peering or VPC Connection:

    • Establish VPC peering or VPC connection between the VPC in AWS Account A and the VPCs in AWS Account B and AWS Account C.
    • Ensure that the routing between the VPCs is set up correctly.
  5. Test the Configuration:

    • Verify that traffic from AWS Account A to the specified endpoints is allowed while other traffic is blocked.
    • Test that AWS Account C can access the specified endpoints through the peering or connection with AWS Account A.

This setup allows you to control access to specific endpoints from one AWS account to another while allowing access for AWS Account C from AWS Account A for your specified use case. It's essential to follow security best practices and regularly monitor your network firewall rules and policies to maintain a secure configuration.

Please give a thumbs up if my suggestion helps

answered 8 months ago
  • Hi Gabriel,

    I just wanted to highlight here that there is no VPC peering between AWS Accounts A, B or C. They are all independent accounts, and moreover it's not needed in our use case; all communication happens via HTTPS calls. Will we still be able to achieve it using AWS Firewall rules? Thanks a lot.

0

To restrict certain endpoints from one AWS account to another using AWS Network Firewall, you can follow these steps:

  1. Set Up AWS Network Firewall:

    • Navigate to the AWS Network Firewall service in the AWS Management Console.
    • Create a new firewall or use an existing one.
  2. Create a Rule Group:

    • In your firewall, create a rule group that will define the rules for traffic filtering.
    • Add rules that specify which traffic is allowed and which is denied.
  3. Define Rules for Endpoints:

    • In your rule group, you'll need to define rules for the specific endpoints you want to restrict.
    • Each rule should target the corresponding endpoint (e.g., sts.amazonaws.com, rds.*.amazonaws.com, etc.).
    • Depending on your use case, you may need to allow or deny traffic to these endpoints.
  4. Associate Rule Group with Firewall Policy:

    • Create a firewall policy or use an existing one.
    • Associate the rule group you created in the previous step with this policy.
  5. Associate Firewall Policy with VPC:

    • In the AWS Network Firewall console, associate your firewall policy with the VPC that the traffic will pass through.
  6. Set Up VPC Route Tables:

    • Modify the route tables associated with the VPCs in AWS Account A and Account B.
    • For the endpoints you want to restrict, you'll need to route the traffic through the Network Firewall.
  7. Configure AWS Account A IAM Role:

    • Create an IAM role in AWS Account A that allows communication with Network Firewall.
    • Attach a policy to the role that allows necessary actions (e.g., network-firewall:AssociateFirewallPolicy, etc.).
  8. Configure AWS Account B IAM Role (if applicable):

    • If you want AWS Account B to be able to receive traffic from AWS Account A, you'll need to set up appropriate permissions and roles.
  9. Testing:

    • Test the connectivity between AWS Account A and Account C to ensure it works as expected.
    • Test the connectivity between AWS Account A and Account B to ensure that traffic is restricted.

Keep in mind that this is a high-level overview, and there may be additional details and considerations based on your specific use case. Also, make sure to follow AWS best practices and security guidelines when implementing such configurations.

Always consider security implications and test thoroughly in a controlled environment before applying any changes in a production setting.

AWS
Shmosa
answered 8 months ago
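Both answers stop at "define rules for the endpoints", and the comment on the first answer says the traffic is plain HTTPS with no peering, so the practical rule is a TLS SNI allowlist. As an added example (not code from either answer), this Python script builds a stateful Network Firewall rule group for the question's endpoint list; the rule group name and the use of a Suricata pcre for the region wildcard are my assumptions.

```python
import json
import re

# Endpoint patterns copied from the question; "*" stands for one region label.
ENDPOINTS = [
    "sts.amazonaws.com", "rds.*.amazonaws.com", "kms.*.amazonaws.com",
    "ebs.*.amazonaws.com", "iam.amazonaws.com", "eks.*.amazonaws.com",
    "autoscaling.*.amazonaws.com",
]

def pattern_regex(pattern):
    """Anchored regex for one endpoint pattern; '*' matches exactly one DNS label."""
    return "^" + re.escape(pattern).replace(r"\*", "[a-z0-9-]+") + "$"

def sni_rule(pattern, sid):
    """Suricata pass rule that matches the TLS SNI of one endpoint pattern."""
    if "*" in pattern:
        match = f'pcre:"/{pattern_regex(pattern)}/i";'
    else:
        # Exact name: anchor both ends so e.g. "evil-sts.amazonaws.com" cannot match.
        match = f'content:"{pattern}"; nocase; startswith; endswith;'
    return (f'pass tls $HOME_NET any -> any 443 (tls.sni; {match} '
            f'msg:"allow {pattern}"; sid:{sid}; rev:1;)')

def build_rules_string(patterns):
    """Pass rules first, then drop any other TLS SNI; relies on STRICT_ORDER."""
    rules = [sni_rule(p, sid) for sid, p in enumerate(patterns, start=1)]
    rules.append('drop tls $HOME_NET any -> any 443 '
                 f'(msg:"deny other TLS endpoints"; sid:{len(patterns) + 1}; rev:1;)')
    return "\n".join(rules)

def build_rule_group(patterns, name="allow-listed-aws-endpoints"):
    """Input for `aws network-firewall create-rule-group --cli-input-json`; set the
    policy's StatefulDefaultActions to ["aws:drop_established"] for non-TLS flows."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {
            "RulesSource": {"RulesString": build_rules_string(patterns)},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }

def sni_allowed(hostname, patterns=ENDPOINTS):
    """Offline check of the same matching logic: would this SNI hit a pass rule?"""
    return any(re.match(pattern_regex(p), hostname.lower()) for p in patterns)

if __name__ == "__main__":
    print(json.dumps(build_rule_group(ENDPOINTS), indent=2))
```

The SNI only identifies the AWS service endpoint, which is the same whether the API call targets resources in Account B or Account C, so the B-versus-C distinction in the question cannot be made at the network layer; that separation belongs in IAM or SCP conditions such as aws:ResourceAccount.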
