Questions tagged with Network Security

Is it possible to setup a malware analysis lab in AWS ? If so could you please help me with necessary details ?

Hello, I am trying to deploy Dask cluster on Fargate. I managed to deploy the cluster and also can see the Dask status screen via the public http address, but not able to connect using the tcp channel. I have used this article as reference "https://gist.github.com/jacobtomlinson/ee5ba79228e42bcc9975faf0179c3d1a" and tried several combinations of Inboud/Outbound rules on the security group. I used sage make to create the cluster. Any help will be very much appreciated. Best

I am using athena using JDBC from an external system. To set up the firewall for that external system I need to specify an IP range. The IP range of the Athena service seems to be not listed in the standard list https://ip-ranges.amazonaws.com/ip-ranges.json Where do I find the IP Range used for athena?

Hello! I have recently been experiencing some Error 403 issues with accessing AWS/CloudFront services, and I believe it may be reputation related. Does AWS have a lookup to tool to check for IP reputation on there internal lists? https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html Thanks in advance!

I have an EC2 running Node.js. Using the `aws-sdk` + `winston-cloudwatch` + `nodemailer` dependencies, I am using AWS SES, SNS, and Cloudwatch. In my EC2 security group, my outbound is currently setup for All-traffic; however, I would limit them to a few ports required for the services mentioned above. What outbound ports in my EC2 security group do I need to enable to use the following AWS services: SES SNS Cloudwatch? Thanks!

Hi, I'm wanting to establish connectivity to an RDS instance from some Lambda functions. Lambda functions are autodeployed with serverless framework, so ideally my config would be dynamic. I am currently managing infrastructure with CDK, and have the following resources: 1. RDS on Private Isolated subnet in VPC A, managed by CDK 2. EC2 instance on public subnet in VPC A, managed by CDK (For access to the RDS from the wider internet) 3. (Backend) 4 Lambdas without a VPC (Public), behind an API Gateway in default VPC, managed by serverless deploy 4. Frontend hosted on S3 behind Cloudfront, managed by serverless deploy I'm a bit stumped because I don't want to update my CDK script whenever the lambdas change. Help is much appreciated.

Can we set to Password never expires With EC Instance Windows Server 2016 using puppet script? As per AWS documentation, came to know that With Windows Server 2016 and later, Password never expires is disabled for the local administrator. With Windows Server 2012 R2 and earlier, Password never expires is enabled for the local administrator.

Hello, I am working on improving security compliance in my project and recently I've come across security finding related to network ACL: `[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389`. I've updated my ACLs in the following manner: | Rule Number| Type | Protocol | Port Range | Source | Allow/Deny | | --- | --- | --- | --- | --- | --- | |10 | SSH(22) | TCP(6) | 22 | 0.0.0.0/0 | Deny | | 11 | SSH(22) | TCP(6) | 22 | ::/0 | Deny | | 20 | RDP(3389) | TCP(6) | 3389 | 0.0.0.0/0 | Deny | | 21 | RDP(3389) | TCP(6) | 3389 | ::/0 | Deny | | 100 | All traffic | All | All | 0.0.0.0/0 | Allow | | * | All traffic | All | All | 0.0.0.0/0 | Deny | According to ACL evaluation rules ports 22 and 3389 are blocked, but check still fails. I suppose that it looks only for record that allows for all traffic and ignores the order of the rules. In my opinion the current rule validation is wrong. What are your thoughts on this?

I have used my AWS account many times last week and everything worked fine. Today I wanted to login again, but the login page was not available, showing me this URL: https://us-east-1.console.aws.amazon.com/cost-management/home?region=us-east-1#/startupError?code=_CE_Not_Ready_&title=_CE_Not_Ready_Title_ When I start the VPN connection however, AWS just works fine again. I have no idea why login into the AWS console only works via VPN. It's not laptop related, since I cannot login with my old laptop either. Something seems to fishy with my network / ip address. However, all other webpages are working just fine without VPN connection. Thanks in advance for answering my question.

Hi all. I am trying to configure AWS network firewall using Domain list. I can select the http protocol in the configuration, but http seemed to be inspected regardless of the port because it was inspected even if I used a port other than 80. Is it possible to change/limit the target port?

Hi!, I post this question regarding an issue that happens to us at random times. Maybe someone experienced similar situation or can give us a clue. We have three windows ec2 running inside vpc with internet access that make requests to some public api gateways. We have noticed that at random times (the last issue was April 26 and the previous time was on April 4), all the requests made from the three instances within a range of 5 minutes failed with the message "The request was aborted: Could not create SSL/TLS secure channel" These requests happens almost every minute every day during 12 o 14 hours so it didn´t fail before or after those 5-10 minutes lapse. Its like something happening at api gateway at random times. Can it be that updating api definition with swagger file or deploying to stage may cause this issue? One of the dates matches. We use us-east-1 region and use as endpoint https://xxxxxx.execute-api.us-east-1.amazonaws.com/stagexxx The status page doesn´t show any issues on those days for api gateway service. Thanks in advance

Earlier we have Lets Encrypt SSL. We have purchased a new 1 year ssl for our site. Now nobody able to figure out, how to remove lets encrypt and replace with new alpha SSL.

This happen at aws console. Any clues? Thanks in advance. There was a problem connecting to your instance Log in failed. If this instance has just started up, wait a few minutes and try again. Otherwise, ensure the instance is running on an AMI that supports EC2 Instance Connect.

Currently, a Lambda function uses a VPC to connect to client's server and fetch data. The client will be updating their VPN, and thus, do the VPC settings need to be updated as well? For example, the client is changing the encryption scheme, but I don't see anything related to encryption in VPC?

how can i point a new instance with a domain which is already exist with another ip address in hosting zone? Is that even possible?

I'm new to AWS, and I have one Elastic IP on my account that I'd like to use to establish a VPN connection between my on-premises and AWS accounts. I tried setting up an OPNsense firewall instance and connecting my elastic IP to form a tunnel, but it didn't work? I also tried connecting Elastic IP to a network interface, but it didn't work. I also changed the security groups to allow everything, including all tcp/udp/icmp traffic. I also added routes tables as required.But packet from on prem is ever showed up at aws end. Is there anything I'm missing?

I have been attempting to add Mult-Factor Authentication to my workspaces account for my user base. I have configured the radius server using Free Radius from this post here: https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-freeradius-mfa-with-amazon-workspaces/ and all goes according to plan. I have the FreeRadius server using LinOTP running. The problem is in the very last step, when I go to enable MFA in workspace , I put in the information and it just says "failed". Specifically, Step 6: Enable MFA on your AWS Directory Communication between the AWS Managed Microsoft AD RADIUS client and your RADIUS server require you to configure AWS security groups that enable communication over port 1812. Edit your Virtual Private Cloud (VPC) security groups to enable communications over port 1812 between your AWS Directory Service IP end points and your RADIUS MFA server. Navigate to your Directory Service console Click the Directory you want to enable MFA on. Select Network & Security tab, scroll down to Multi-factor authentication, click Actions and Enable. In Enable multi-factor authentication (MFA) configure MFA settings: Display label: Example RADIUS server IP address(es): Private IP of the Amazon Linux 2 instance Port: 1812 Shared secret code: the one set in /etc/raddb/clients.conf Confirm shared secret code: as preceding Protocol: PAP Server timeout (in seconds): 30 Max retries: 3 This operation can take between 5-10mins to complete. Once the Radius status is “completed” you can test MFA authentication from the WorkSpace client. I really have two questions: 1. How do I do this part? Edit your Virtual Private Cloud (VPC) security groups to enable communications over port 1812 between your AWS Directory Service IP end points and your RADIUS MFA server. Maybe I'm not setting up the endpoints correctly ? Do I go to the VPC and add endpoints there? CAn you pleae be specific. 2. How do I get more information from just the "failed" in red --- how do I access the creation logs? Thanks in advance, Jon

Hi there, got a SOS issue , its really wired here , all the instance in my vpc/subnet just not able to access internet , i can ssh to the instance via public ip , can do ping google.com and ping 8.8.8.8 but can not use curl/wget/telnet to access any website, when i start a new instance , it was working, but after few minutes its not working again , i have checked everything include , firewall, vpc, subnet, security group, network acl, route table, internet gateway , even swicth to another vpc still not working ... also i have run that network reachable analysis tool , show everything ok ..... please help me thanks

Hello, im stuck in this topic. And i dont find clear information for me to solve it. I have different tasks in a Cluster, each task have one container. One container is a DB and needs to be linked with the other containers. The Tasks are in Bridge mode and in the same VPC. But seems like they are not getting link or connected. I still recieve error from one container to reach the DB. Can any one tell me if I should do something else to connect them? Thanks

I'm wanting to send UDP traffic to an EC2 host in the same VPC as an ECS instance and I can only get it to work by testing with allowing all source IPs in the security group for the EC2 instance. With RDS it's always worked fine to use the RDS instance's security group ID as source in the ECS container's security group, but that isn't working here, where I'd use the ECS container's SG as source for the UDP port in the EC2 instance's SG. I tried using something like 172.30.0.0/16 to allow all VPC traffic, but that doesn't work either. Are ECS instances in my VPC? Thanks for any help.

Has anybody had experience with the Amazonbot web crawler? (especially with it looking like a DOS incident) We have a client where their service (hosted on AWS) kept going down until we identified an unusual amount of traffic from an Amazonbot with the User-Agent of "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML\, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)", after blocking it at an Application Load Balancer level via User-Agent Header rules (since modifying the "robots.txt" did not work / wasn't read) the response time of the clients service dropped significantly and has remained up. If anybody knows what generally causes Amazonbot to crawl sites, or how I can identify the cause for this specific client's site, that would be extremely useful, cheers.

I'm using WorkSpaces Web (not WorkSpaces!) with an S3 VPC endpoint. I would like to be able to restrict S3 access via the S3 endpoint policy to only the buckets required by WorkSpaces Web. I cannot find any documentation with the answers, and AWS support does not seem to know what these buckets are. How can I find out what buckets the service is talking to? I see the requests in VPC flow logs, but that obviously doesn't show what URL or bucket it is trying to talk to. I have tried the same policy used for WorkSpaces (below), but it was not correct (or possibly not enough). I have confirmed that s3:GetObject is the only action needed. ``` { "Version": "2008-10-17", "Statement": [ { "Sid": "Access-to-specific-bucket-only", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::aws-windows-downloads-us-east-1/*", "arn:aws:s3:::amazon-ssm-us-east-1/*", "arn:aws:s3:::amazon-ssm-packages-us-east-1/*", "arn:aws:s3:::us-east-1-birdwatcher-prod/*", "arn:aws:s3:::aws-ssm-distributor-file-us-east-1/*", "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*", "arn:aws:s3:::patch-baseline-snapshot-us-east-1/*", "arn:aws:s3:::amazonlinux.*.amazonaws.com/*", "arn:aws:s3:::repo.*.amazonaws.com/*", "arn:aws:s3:::packages.*.amazonaws.com/*" ] } ] } ```

Hi, where can we find the IPs of the Amazon EKS service? I want to correctly identify a CloudTrail event with the name GetCallerIdentity that is made by the EKS. [EKS docs](https://docs.aws.amazon.com/eks/latest/userguide/cluster-auth.html) specifies the existence of such event, but on [AWS IP ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) there is no EKS service. Insted the IP is in AMAZON and EC2 CIDR like any other EC2 ip. Thank you!

i am confuse AWS network firewall and peering section. As per AWS documents, it said **AWS Network Firewall cannot be deployed to inspect traffic between VPCs that are peered together; ** i did vpc peering VPC 1 (10.1.1.0/16)and VPC2 ( 10.2.1.0/16). VPC 1 have one private subnet ( 10.1.2.0/24) behind the firewall VPC 2 have one private subnet ( 10.2.2.0/24) behind the firewall I have the one private route table destination 10.2.2.0/24 next hop is firewall ID or interface in VPC 2. I add one route to go 10.2.2.0/24 next hop is peer ID in VPC one private route. I have the one private route table destination 10.1.2.0/24 next hop is firewall ID or interface in VPC 1. I add one route to go 10.1.2.0/24 next hop is peer ID in VPC 2. let me know this traffic will pass firewall ? If AWS firewall is didn't support to inspect network traffic if we are using peering ? can we use third party firewall to inspect traffic?

We have a use-case. Our website is hosted on AWS and have rules at cloud front that states requests with specific IP range should be pass through CDN and documents will serve. Now, there are certain documents that user view under google docs viewer say, https://docs.google.com/viewer?url=https://{{siteUrl}}/{{documentPath}} . As documents are hosted on same site which is behind the VPN, user not able to view the documents. Any solution on how we can enable the view of documents, that will be requested by docs.google.com or how how we can allow docs.google.com in aws cloudfront/alb. Thanks

Hello AWS Community I have an issue with the initial configuration on a Cisco FTDv Firewall FDM, pretty much the issue is that I cannot seem to receive the traffic on the FTDv when I try to reach any Public addresses , a little bit about the setup 4 Interfaces (Inside, Outside, MGMT and Diagnostic) From the FTDv directly I can ping google(8.8.8.8) without issues From the subnets on AWS I can ping all interfaces of the FTDv, but not to google or any public subnet. I did a packet tracer test on the FIrewall simulating any of the servers I have on AWS and traffic is allowed correctly. However I never see the attempts reaching the FTD when I ping google or any public IP if I do it from the servers on the AWS VPC. In the VPC my next hop for 0.0.0.0/0 is the Inside Interface NIC of the FTDv PD: I do see the traffic of the servers in the Inside interface when I ping the interfaces of the FTDv since those are working fine. but not when I ping anything Public. I also setup a capture on the FTDv and I never see attempts of the internal servers only when try to reach anything Public. Seems like an issue between the FTDv and AWS Vpc Hoping somebody has some insight on it Thanks in Advance

I have a script (unchanged in 4 years) that has been used to access an API that is behind an https URL. It is used each Jan-Feb. My AWS server is an EC2 dedicated server. This year, I suddenly find that script is not working (cannot verify certificate). (It is a perl script using HTTP::Request in the LWP family. And yes, the LWP::Protocol::https module is appropriately installed, along with SSLeahy.) I've checked the target site with my browser and with online cert checkers, and it is fine. So I'm pretty sure the problem is the expiration of openssl 1.0.2 last September. The target site is probably using only the 1.3 protocol version. However, my efforts to find a way to upgrade to openssl 1.1.1 have been unsuccessful. I found a note that AWS had posted the package openssl11, but when I try to get that using "sudo yum install," it doesn't find the package. So how do I get the new version installed on my EC2 server? Help please! This is an urgent issue.

I am running a simple application on EC2 instance i-013ee4eb93134eb24. I have added a rule for a port in the security group. I am able to access that port/application from my computer (used for EC2 configuration) but not able to access from any other device.

We have created a VPC and enabled the ipv6 CIDR. We have created 2 subnets one in each AZ. Created the ipv6 cidr and auto assign is also enabled. Security group is created and with ICMP6 to be available for ::0/ traffic. Also within the same security group all traffic is enabled. We created 2 EC2 instances one in each AZ and checked from within the OS both are getting the ipv6 address assigned . We added a route like below in both the EC2 instances. ip -6 r a <IPv6-VPC-CIDR> dev eth0 proto kernel metric 256 pref medium Now when we try to ping ipv4 address from each other instance it works fine. but when we try to ping ipv6 address it does not work. No output is there. kindly let us know if we are missing anything here.

Hi Team, I have an application VPC with two private Subnets in the same Availability Zone. Subnet A contains multiple EC2 instances. Subnet B is a transit gateway subnet that connects to a firewall VPC that contains a firewall appliance to analyze and control network traffic. In this example the firewall VPC will be a hub and spoke model. To enhance security I would like all traffic that goes between EC2 instances inside Subnet A to be routed to the firewall VPC for inspection. The firewall appliance would need to remain inside the firewall VPC. Is this type of configuration possible?

Hi, I just got locked out of my lightsail instance after installing OpenSSL without keeping the Port 22 Open,Now I'm not able to access my instance's FTP or SSH, Is there any possible way to recover the access or allow the port without SSH.