Geolocation for EC2 Instance Security Groups Inbound Rules



Small AWS environment with about 15 EC2 Windows and Linux instances for testing purposes. We turn on some instances (once or twice a week) as required and RDP/Putty into them from our home locations. I've setup Security Groups with inbound rules to block all ports except the required one so we can access the instances only on those ports. I would like to specify geolocations as the source for those Inbound rules instead of Is that possible? I've looked at CloudFront, WAF and Route 53 but those seems to be for web applications, not RDP or Putty. I know I can setup a VPN on a Linux machine or use port-knocking to filter the traffic but that would require a machine/instance to be up 24x7 and that would not be cost effective. Thanks in advance.

asked 4 months ago203 views
3 Answers

Hi, this is Abhi from AWS.

Instead of focussing on a way to Geo identify source IP addresses and then allowing/denying connections from them, I would recommend using Session Manager to SSH into Linux instances and RDP into Windows instances.

  1. For Linux: Session Manager can be configured to connect to remote instance using Secure Shell(SSH) without opening inbound port or maintaining bastion host. You can also copy files between local and remote machine using Secure Copy Protocol(SCP). This feature uses public SSM document AWS-StartSSHSession.
  2. For Windows: You can tunnel Remote Desktop Protocol (RDP) using Port Forwarding feature of Session Manager to get access to remote Windows instance. This can be achieved without opening inbound port 3389 (default RDP port) on remote instance.
profile pictureAWS
answered 4 months ago
  • This is the approach I would recommend

  • For Windows, System Manager Fleet Manager is also a secure RDP option.


There's an interesting approach here - It leverages a WAF with geo rules, making requests on it from a Lambda not to get access to the API GW behind it, but to test whether the request will be allowed or not. The Lambda is called as part of connection to AWS Client VPN which, as a managed service, doesn't require an EC2 instance.

answered 4 months ago

You could roll your own by scripting something to dynamically update the IP addresses in the security group rule.

On Linux (no idea about Windows, sorry) get the IP that your ISP has given you with dig +short

And then use AWSCLI to add that to a security group rule allowing ingress from your IP on ports 22 & 3389

Right away I can see a couple of problems with this: (i) you are going to need AWS Access Keys on your local machine at home, even if these just have barely enough privileges to only update the security group it may still breach your organisation's security policies; and (ii) a security group can have a maximum of 60 inbound rules (though you can get this increased) so depending on how often your (and your colleagues') IP addresses change you may find this quickly gets filled up.

Leveraging some other tools might help (I'm going to think in terms of Terraform here but there's probably a way of doing it in CloudFormation), plug your IP from the dig command into a variable in a file (overwriting yesterday's value), commit & push that up to a git repo and then apply the change to the AWS config (automate this using a runner) getting keys from Hashicorp Secrets Manager so no secrets ever leak onto your device at home.

profile picture
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions