1 Answer
Hello.
Amplify hosts its applications on CloudFront and S3, so I think it's difficult to narrow it down to a specific IP address.
So, although I have not tried it, it may be possible to allow only Amplify by restricting the connection source host on the Apache side using something like "Require host".
[edit]
Since there is a managed prefix list for S3, it may be possible to use this to restrict it with security groups.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html
Please check the following document for settings to allow prefix lists in security groups.
https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists-referencing.html#prefix-list-vpc-security-group
Thank you Riku for your answer.
I tried using only the managed prefix lists for CloudFront (com.amazonaws.global.cloudfront.origin-facing) and S3 (com.amazonaws.eu-north-1.s3) as the inbound rules for the Security Group for the Load Balancer for the EC2 Instance, but it doesn't work. It won't let traffic through from the Amplify app.
I did set up a Load Balancer and Web ACL when I found the previous answer I linked in my original question. Through the Web ACL logging, I can see the IP addresses that are used by the Amplify App. If I put a CIDR group containing those IPs in the inbound rules for the Security Group, the requests are allowed through. I suspect those IP ranges might change though. Is there a way to use something like the ARN of my Amplify App to identify where the requests are coming from?
If I temporarily allow all incoming traffic to the Load Balancer, I can compare the logs in the Web ACL for different requests. If I compare the requests that are coming from Amplify and a request I manually make from my browser, the only differences I can see are httpRequest.clientIp, httpRequest.headers and httpRequest.requestId. No trace of the ARN in those logs. Is there another way to limit the traffic?
As far as I know, there is no function to identify the sender's IP address etc. from ARN.
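The approach the asker settled on in the comments above (reading httpRequest.clientIp from the Web ACL logs and allowlisting a CIDR group, while worrying that the ranges may change) can be checked continuously rather than once. The script below is an added example written for this thread; it is not code from the thread, from Riku, or from AWS. It assumes the AWS WAF log layout the comment refers to (JSON records carrying httpRequest.clientIp, httpRequest.headers and httpRequest.requestId), an allowlist of CIDRs the operator has already observed, and a small set of constructed log records using RFC 5737 documentation addresses. It triages each record as "inside the allowlist" or "unknown source", so that a new IP range showing up for the Amplify app is noticed as drift before the security group silently starts dropping its requests.

```python
"""Triage AWS WAF log records by client IP against an allowlist of CIDRs.

Added example for this thread (not the thread's or AWS's own code). It assumes
WAF log records in the JSON layout referenced in the comments above:
httpRequest.clientIp, httpRequest.headers and httpRequest.requestId.
"""
import ipaddress
import json
from collections import Counter

# Constructed allowlist: CIDRs an operator has previously observed for the
# Amplify app in Web ACL logs. RFC 5737 documentation ranges stand in for
# real values.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed sample records (not real traffic), limited to the fields used here.
# The host and user-agent header values are placeholders.
SAMPLE_WAF_LOG_LINES = [
    json.dumps({"timestamp": 1700000000000, "action": "ALLOW",
                "httpRequest": {"clientIp": "203.0.113.10", "requestId": "req-1",
                                "uri": "/api/items", "httpMethod": "GET",
                                "headers": [{"name": "host", "value": "api.example.com"},
                                            {"name": "user-agent", "value": "constructed-ua/1.0"}]}}),
    json.dumps({"timestamp": 1700000001000, "action": "ALLOW",
                "httpRequest": {"clientIp": "198.51.100.5", "requestId": "req-2",
                                "uri": "/api/items", "httpMethod": "POST",
                                "headers": [{"name": "host", "value": "api.example.com"}]}}),
    json.dumps({"timestamp": 1700000002000, "action": "ALLOW",
                "httpRequest": {"clientIp": "192.0.2.77", "requestId": "req-3",
                                "uri": "/api/items", "httpMethod": "GET",
                                "headers": [{"name": "host", "value": "api.example.com"}]}}),
    json.dumps({"timestamp": 1700000003000, "action": "ALLOW",
                "httpRequest": {"clientIp": "192.0.2.80", "requestId": "req-4",
                                "uri": "/api/health", "httpMethod": "GET",
                                "headers": [{"name": "host", "value": "api.example.com"}]}}),
]


def parse_waf_record(line):
    """Extract client IP, request id, action and a lowercase header map from one log line."""
    rec = json.loads(line)
    req = rec["httpRequest"]
    headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
    return {
        "client_ip": ipaddress.ip_address(req["clientIp"]),
        "request_id": req.get("requestId"),
        "action": rec.get("action"),
        "headers": headers,
    }


def ip_in_allowlist(ip, networks):
    """True if the address falls inside any of the allowlisted networks."""
    return any(ip in net for net in networks)


def triage(lines, cidrs):
    """Split records into allowlisted request ids and a count of unknown source IPs.

    Lines that are not valid JSON are skipped rather than aborting the run, since
    a single corrupt record should not hide drift in the rest of the log.
    """
    networks = [ipaddress.ip_network(c) for c in cidrs]
    allowed_request_ids = []
    unknown_ips = Counter()
    for line in lines:
        try:
            rec = parse_waf_record(line)
        except (ValueError, KeyError):
            continue
        if ip_in_allowlist(rec["client_ip"], networks):
            allowed_request_ids.append(rec["request_id"])
        else:
            unknown_ips[str(rec["client_ip"])] += 1
    return allowed_request_ids, unknown_ips


def suggest_cidrs(unknown_ips, prefixlen=24):
    """Collapse unknown IPs into candidate supernets for a human to review.

    The result is a proposal for the operator, not something to apply to a
    security group automatically: an unexpected source may just as well be a
    scanner as a new Amplify range.
    """
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in unknown_ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    allowed, unknown = triage(SAMPLE_WAF_LOG_LINES, ALLOWED_CIDRS)
    print("allowlisted requests:", allowed)
    print("unknown source IPs:", dict(unknown))
    print("candidate CIDRs to review:", suggest_cidrs(unknown))
```

Run against the real Web ACL log export instead of the constructed lines, and alert on any non-empty unknown set; that turns the "I suspect those IP ranges might change" worry from the comments into a check that fires when they do, without widening the security group in advance.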