Questions tagged with Security Group


3 answers · 0 votes · 31 views · asked 6 days ago

Elastic Beanstalk can't connect to ElastiCache Redis

I'm having issues connecting from Elastic Beanstalk to ElastiCache Redis. When I SSH into the EBS instance and try to use redis-cli to connect, it times out. This is how I set up my environment: I have an existing VPC with two subnets. I created a Security Group specifically for this that has an Inbound rule for IPv4, Custom TCP, port 6379, source 0.0.0.0/0. I created an ElastiCache Redis cluster with the following relevant parameters:

* Cluster mode: disabled
* Location: AWS Cloud, Multi-AZ enabled
* Cluster settings: number of replicas - 2
* Subnet group settings: existing subnet group with two associated subnets
* Availability Zone placements: no preference
* Security: encryption at rest enabled, default key
* Security: encryption in transit enabled, no access control
* Selected security groups: the one I described above

As for the EBS environment, it has this configuration:

* Platform: managed, Node.js 16 on Amazon Linux 2 5.5.3
* Instance settings: Public IP address UNCHECKED, both Instance subnets checked
* Everything else left default

After getting all of that set up, I would SSH into the EBS instance and follow the directions here to install redis-cli and try to connect: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/GettingStarted.ConnectToCacheNode.html I've tried using the Primary endpoint, the Reader endpoint, and all of the individual node endpoints, but I get a timeout error for all of them. Is there some configuration that I'm missing?
1 answer · 0 votes · 49 views · asked 22 days ago

EMR Serverless IPV6 connectivity issue in private subnet VPC

Hi, I have just been fiddling in EMR Serverless recently from this week after GA Release. I found that I am not able to download my AWS S3 jar files if I try to run an EMR Serverless job from a private VPC subnet. I have already tested the connectivity from EC2 using the same subnet and same security group, but the problem exists only in the EMR Serverless job. From the error logs I can see it is trying to connect to a Spark IPv6 address, and I am not sure why it is not connecting.

Region: ap-northeast-1
Subnet: ap-northeast-1a (I have tried other subnets too)

Here are my tail logs:

```
22/06/03 19:08:42 INFO SparkContext: Added JAR file:/tmp/spark-cdc6b2aa-657b-4464-b7d8-3cbe2fea3872/xbean-asm9-shaded-4.20.jar at spark://[2406:da14:5a:5a01:41a7:4134:a18b:f5f8]:42539/jars/xbean-asm9-shaded-4.20.jar with timestamp 1654283322058
22/06/03 19:08:42 INFO SparkContext: Added JAR file:/tmp/spark-cdc6b2aa-657b-4464-b7d8-3cbe2fea3872/xz-1.8.jar at spark://[2406:da14:5a:5a01:41a7:4134:a18b:f5f8]:42539/jars/xz-1.8.jar with timestamp 1654283322058
22/06/03 19:08:42 INFO SparkContext: Added JAR file:/tmp/spark-cdc6b2aa-657b-4464-b7d8-3cbe2fea3872/zookeeper-3.6.2.jar at spark://[2406:da14:5a:5a01:41a7:4134:a18b:f5f8]:42539/jars/zookeeper-3.6.2.jar with timestamp 1654283322058
22/06/03 19:08:42 INFO SparkContext: Added JAR file:/tmp/spark-cdc6b2aa-657b-4464-b7d8-3cbe2fea3872/zookeeper-jute-3.6.2.jar at spark://[2406:da14:5a:5a01:41a7:4134:a18b:f5f8]:42539/jars/zookeeper-jute-3.6.2.jar with timestamp 1654283322058
22/06/03 19:08:42 INFO SparkContext: Added JAR file:/tmp/spark-cdc6b2aa-657b-4464-b7d8-3cbe2fea3872/zstd-jni-1.5.0-4.jar at spark://[2406:da14:5a:5a01:41a7:4134:a18b:f5f8]:42539/jars/zstd-jni-1.5.0-4.jar with timestamp 1654283322058
22/06/03 19:08:42 INFO SparkContext: Added JAR s3://datalake-cbts-test/spark-jobs/app.jar at s3://datalake-cbts-test/spark-jobs/app.jar with timestamp 1654283322058
22/06/03 19:08:42 INFO Executor: Starting executor ID driver on host ip-10-0-148-61.ap-northeast-1.compute.internal
22/06/03 19:08:42 INFO Executor: Fetching spark://[2406:da14:5a:5a01:41a7:4134:a18b:f5f8]:42539/jars/protobuf-java-2.5.0.jar with timestamp 1654283322058
22/06/03 19:08:43 ERROR Utils: Aborting task
java.io.IOException: Failed to connect to /2406:da14:5a:5a01:41a7:4134:a18b:f5f8:42539
    at org.apache.spark.network.client.TransportClientFactory.createClient(TransportClientFactory.java:288)
    at org.apache.spark.network.client.TransportClientFactory.createClient(TransportClientFactory.java:218)
    at org.apache.spark.network.client.TransportClientFactory.createClient(TransportClientFactory.java:230)
    at org.apache.spark.rpc.netty.NettyRpcEnv.downloadClient(NettyRpcEnv.scala:399)
    at org.apache.spark.rpc.netty.NettyRpcEnv.$anonfun$openChannel$4(NettyRpcEnv.scala:367)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
    at org.apache.spark.util.Utils$.tryWithSafeFinallyAndFailureCallbacks(Utils.scala:1508)
    at org.apache.spark.rpc.netty.NettyRpcEnv.openChannel(NettyRpcEnv.scala:366)
    at org.apache.spark.util.Utils$.doFetchFile(Utils.scala:763)
    at org.apache.spark.util.Utils$.fetchFile(Utils.scala:550)
    at org.apache.spark.executor.Executor.$anonfun$updateDependencies$13(Executor.scala:962)
    at org.apache.spark.executor.Executor.$anonfun$updateDependencies$13$adapted(Executor.scala:954)
    at scala.collection.TraversableLike$WithFilter.$anonfun$foreach$1(TraversableLike.scala:985)
    at scala.collection.mutable.HashMap.$anonfun$foreach$1(HashMap.scala:149)
    at scala.collection.mutable.HashTable.foreachEntry(HashTable.scala:237)
    at scala.collection.mutable.HashTable.foreachEntry$(HashTable.scala:230)
    at scala.collection.mutable.HashMap.foreachEntry(HashMap.scala:44)
    at scala.collection.mutable.HashMap.foreach(HashMap.scala:149)
    at scala.collection.TraversableLike$WithFilter.foreach(TraversableLike.scala:984)
    at org.apache.spark.executor.Executor.org$apache$spark$executor$Executor$$updateDependencies(Executor.scala:954)
    at org.apache.spark.executor.Executor.<init>(Executor.scala:247)
    at org.apache.spark.scheduler.local.LocalEndpoint.<init>(LocalSchedulerBackend.scala:64)
    at org.apache.spark.scheduler.local.LocalSchedulerBackend.start(LocalSchedulerBackend.scala:132)
    at org.apache.spark.scheduler.TaskSchedulerImpl.start(TaskSchedulerImpl.scala:220)
    at org.apache.spark.SparkContext.<init>(SparkContext.scala:582)
    at org.apache.spark.SparkContext$.getOrCreate(SparkContext.scala:2694)
    at org.apache.spark.sql.SparkSession$Builder.$anonfun$getOrCreate$2(SparkSession.scala:949)
    at scala.Option.getOrElse(Option.scala:189)
    at org.apache.spark.sql.SparkSession$Builder.getOrCreate(SparkSession.scala:943)
    at np.com.ngopal.spark.SparkJob.getSession(SparkJob.java:74)
    at np.com.ngopal.spark.SparkJob.main(SparkJob.java:111)
```

Thanks
1 answer · 0 votes · 50 views · asked a month ago

Adding custom CIDR to ingress security group using Lambda without default VPC

Hello all! I have been searching the internet for this but I didn't exactly find a solution. Basically I am trying to add custom CIDR IPs to a security group via a Lambda function. I have given all the appropriate permissions (as far as I can tell). I even tried attaching the VPC (which is non-default) to the Lambda function to access the security group, but the error was the same, so I removed it from the Lambda function. But I am getting "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user".

**Below is the Policy:**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:us-west-2:xxxx:log-group:xxx:log-stream:*"
    }
  ]
}
```

**Lambda function:**

```python
#!/usr/bin/python3.9
import boto3

# EC2 client in the Lambda's configured region
ec2 = boto3.client('ec2')


def lambda_handler(event, context):
    # Add a single TCP/443 ingress rule for the given CIDR to an existing group
    response = ec2.authorize_security_group_ingress(
        GroupId='sg-xxxxxxx',
        IpPermissions=[
            {
                'FromPort': 443,
                'IpProtocol': 'tcp',
                'IpRanges': [
                    {
                        'CidrIp': '1x.1x.x.1x/32',
                        'Description': 'adding test cidr using lambda'
                    },
                ],
                'ToPort': 443
            }
        ],
        DryRun=True
    )
    return response
```

Could someone point me in the right direction? The VPC is non-default. All I need is to add an ingress rule to an existing security group within a non-default VPC.

**The error log:**

```
Test Event Name
snstest

Response
{
  "errorMessage": "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user",
  "errorType": "ClientError",
  "requestId": "7de9dce1-f2f9-4609-897e-b75ef751544e",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 21, in lambda_handler\n    response = ec2.authorize_security_group_ingress(\n",
    "  File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

Function Logs
START RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e Version: $LATEST
[ERROR] ClientError: An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 21, in lambda_handler
    response = ec2.authorize_security_group_ingress(
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
END RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e
REPORT RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e  Duration: 213.81 ms  Billed Duration: 214 ms  Memory Size: 128 MB  Max Memory Used: 77 MB

Request ID
7de9dce1-f2f9-4609-897e-b75ef751544e
```
3 answers · 0 votes · 57 views · asked 2 months ago

Security group appears to block certain ports after google-authenticator mis-entries

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2.small to a t3.small instance, so I began testing the new environment using Ubuntu 20.04. The new instance is running nginx, postfix, dovecot and has ports 22, 25, 80, 443, 587 and 993 open through two security groups assigned. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password). What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed out message. Checking the port status with nmap shows that ports 22, 80 and 443 were closed and the remaining still open. I can still reach all the ports normally from within my VPC, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself. It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas? I'd be happy to provide the instance id and security groups if needed.
1 answer · 0 votes · 10 views · asked 3 months ago

EC2 Instance Status Check fails when created by CloudFormation template

I have created a CloudFormation Stack using the below template in the **us-east-1** and **ap-south-1** regions:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Template for node-aws-ec2-github-actions tutorial
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Sample Security Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  EC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: "ami-0d2986f2e8c0f7d01" #Another comment -- This is a Linux AMI
      InstanceType: t2.micro
      KeyName: node-ec2-github-actions-key
      SecurityGroups:
        - Ref: InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 8
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: Node-Ec2-Github-Actions
  EIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref EC2Instance
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value:
      Ref: EC2Instance
  PublicIP:
    Description: Elastic IP
    Value:
      Ref: EIP
```

The Stack is executed successfully and all the resources are created. But unfortunately, once the EC2 status checks are initialized, the Instance status check fails and I am not able to reach the instance using SSH. I have tried creating an Instance manually with the same IAM user, and that works perfectly. These are the Policies I have attached to the IAM user.

Managed Policies
* AmazonEC2FullAccess
* AWSCloudFormationFullAccess

Inline Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:DeleteRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:UpdateRole",
        "iam:PutRolePolicy",
        "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}
```

Thanks in advance for helping out. Have a good day
1 answer · 0 votes · 13 views · asked 3 months ago

2 answers · 0 votes · 73 views · asked 4 months ago

What is Best Practice configuration for a SECURE single user WorkSpaces VPC?

I am a one-person business looking to set up a simple VPC for access to a virtual Windows desktop when I travel from the US to Europe. My trips are 1-3 months in duration, and I'd like to carry just my iPad or a Chromebook rather than a full laptop. This is easier and more secure if my desktop is in the AWS cloud. I am a bit of a network novice and my prior experience with AWS has been only with S3 buckets. From reading the AWS docs, I have learned how to create a VPC, with subnets and a Simple AD. I can spin up a workspace and access it. However, I am unsure about what additional steps, if any, I should take to *secure* my WorkSpaces environment. I am using public subnets without a NAT Gateway, because I only need one workspace image and would like to avoid paying $35+ per month for the NAT just to address one image. I know that one of the side benefits of using a NAT Gateway is that I get a degree of isolation from the Internet because any images behind a NAT Gateway would not be directly reachable from the Internet. However, in my case, my workspace image has an assigned IP and is *not* behind a NAT Gateway. My questions are:

1. Am I taking unreasonable risks by placing my WorkSpaces in a public subnet, i.e., by not using a NAT Gateway?
2. Should I restrict access using Security Group rules, and if so, how?
3. Are there other steps I should take to improve the security of my VPC?

I want to access my WorkSpace using an iPad, so I can't use certificate-based authentication. I don't know if I could easily use IP restriction, because I don't know in advance the IP range I would be in when I travel. PLUS, as you can probably tell, I'm confused about what I need to secure - the workspace image, my Simple Directory instance, or both? I'm having a hard time finding guidance in the AWS documentation, because much of the docs are oriented toward corporate use cases, which is understandable. The "getting started" documentation is excellent but doesn't seem to touch on my questions. Thanks in advance for any answers or documentation sources you provide!
3 answers · 0 votes · 13 views · asked 4 months ago

Outbound Ports 80 and 443 being blocked from instance

So, this has been keeping me busy for the past couple of days. Started when I was troubleshooting the Paypal integration -- which is used only a couple of times a year when registration opens for an event. It worked fine in October, but suddenly it stopped working. I quickly figured out that the reason was that I couldn't connect to Paypal via port 443. Upon further testing, I discovered I couldn't connect to *anything* on port 80 or 443. Outbound SSH, FTP, and SMTP work fine from this instance. I checked the ACLs for the VPC, which are allow any/any. I checked my security group, which is also set to outbound any/any. As a note, *inbound* HTTP and HTTPS both work just fine -- the website is still up. Just that when I try to connect to anything else, even as root, it fails. I have checked the configuration of the server, and there's nothing in iptables, and the Ubuntu firewall is disabled. The server can connect to its own internal IP on port 80, but not its external IP. I have another instance running, and on that instance I can connect to its internal IP on port 80, but not its external IP. Reassociating the server with a different elastic IP gives the same behavior. The other server can reach the Internet just fine on ports 80/443.

Things I have tried:

1. tcptraceroute fails immediately on the first hop.
2. All other ports that I have tried work fine. Just 80 and 443 seem to be affected.
3. The behavior started sometime in the last 3 months.
4. tcpdump sees the SYN packets going outbound and supposedly leaving the interface.

So far, the only things I can think of that are consistent with the behavior:

1. The server has been compromised, or something got installed that is trying to capture/redirect all 80/443 traffic, but I can't think of anything or think where it would be. It would have to be intercepted at the kernel level for tcpdump to see the SYN packets and think they are going out of eth0. I'm not sure how to prove a negative here. I may try creating a new instance using this server's volume and see what happens there.
2. Something associated with this particular instance is blocking outbound traffic, possibly upstream of us.

Does anyone know of any settings I haven't mentioned that would relate to this? Any ideas are appreciated!
2 answers · 0 votes · 122 views · asked 5 months ago

EC2 in IPv6 VPC unreachable from outside - why?

Hi all, I have an IPv6 capable (t2.small) test server running Ubuntu 16.04.1 set up in the eu-west-1 area. The VPC has an IPv6 allocation, and subnets have IPv6 /64s, too. The NAT Internet Gateway is set up as well as an IPv6 Egress Internet Gateway, both set up in the main route table for the 0.0.0.0/0 and ::/0 prefixes, respectively. The network ACLs associated with the subnets allow for both incoming and outgoing traffic from and to ::/0. Similarly, the Security Group associated with the instance permits incoming traffic from ::/0 to tcp:80, tcp:443 and any incoming IPv6 ICMP traffic from ::/0. The network interface attached to the VM has a permanently assigned IPv6 (2a05:d018:n:n::23) address. From the running instance, I can see via tcpdump that IPv6 traffic is flowing neatly, e.g.

```
10:56:42.285595 IP6 2a05:d018:n:n::23.123 > 2001:67c:1560:8003::c7.123: NTPv4, Client, length 48
10:56:42.296728 IP6 2001:67c:1560:8003::c7.123 > 2a05:d018:n:n::23.123: NTPv4, Server, length 48
```

However, trying to access the server by its IPv6 address from the Internet - either by means of pinging through a looking glass such as <https://www.sprint.net/lg/lg_start.php> or by trying to access the website from home (with long-time working, afaik filterless IPv6 connectivity) - fails. A tracepath6 breaks off some perceived hops before the machine:

```
 9:  2600:9000:eee::1c7    40.986ms asymm 18
10:  2a01:578:0:10::c      40.118ms asymm 17
11:  no reply
12:  2a01:578::1           40.245ms asymm 14
13:  no reply
14:  2a01:578::13          41.313ms
15:  2a01:578:0:10::8      41.910ms asymm 12
```

and both ping and http requests do not even show up in the VM's tcpdump. I'm currently stuck in seeing which option I may have missed, or what causes the connectivity to fail. Any eye-opening assistance would be appreciated.

Best regards
Dominik
9 answers · 0 votes · 58 views · asked 5 years ago