
Questions tagged with Network Security


Lambda in private subnet cannot reach DynamoDB

Hi! We are working on a POC related to hardening network security & resources. We used as a model the reference Building Basic Web Application, link: https://aws.amazon.com/getting-started/hands-on/build-web-app-s3-lambda-api-gateway-dynamodb/, where a Lambda invoked from API Gateway posts data into a DynamoDB table. Here are the changes made:

* The Lambda was set to be inside the VPC and within a private subnet.
* A NAT Gateway was added for internet access and linked to the route table of the private subnet.
* A VPC Gateway endpoint was also added so the communication between the Lambda and DynamoDB can be done through the endpoint instead of over routes. This endpoint has also been added to the route table of the private subnet.

If we take the Lambda out of the VPC and configure it as "NONE" in the VPC settings, it works fine, just as it is supposed to work from the reference previously shared. We created another Lambda, using the "Hello World" template, added it to the same VPC, and it works fine. The problem here is with the Lambda that posts data into a DynamoDB table. Error message from Lambda: Task timed out. It seems that the issue is with the communication from Lambda to DynamoDB, since the other Lambda works fine inside the VPC. Any advice? Kindly/please help! Thank you!

![Reference Architecture](https://repost.aws/media/postImages/original/IMig5QmJK6Re-eqxLh5LLYvQ)
1 answer, 0 votes, 83 views, asked 2 months ago

AWS S3 port 444 is open to the public internet

Hi, so I got a security assessment from my customer stating that port 444 is open on their S3 buckets. I checked, and it is common for all buckets created. The HTTPS port 443 is open with bucketname.s3.region.amazonaws.com and the SSL certificate is correct.

![https 443 access is fine](https://repost.aws/media/postImages/original/IMtvcHr-CGTOir32EBcPe3qQ)

Now let's see the access on port 444:

![https 444 is SSL error](https://repost.aws/media/postImages/original/IMmU4ewSkpTjy647q55H0gGQ)

As you can see, its SSL cert is for *.s3.region.vpce.amazonaws.com. So I tried to access the bucketname.s3.region.vpce.amazonaws.com domain, and it isn't publicly resolved, which is understood since it only needs to be resolved inside a VPC, as it is for the VPC endpoint service.

![vpce domain is not resolved](https://repost.aws/media/postImages/original/IMRkVbkp-RRkev2vKmPx0t_g)

So I checked the IP with the hosts command, and apparently my bucket domain name is an alias of s3-r-w.ap-south-1.amazonaws.com with the IP 52.219.156.130. I added it to my hosts file, and the SSL for port 444 with the vpce domain works (expected).

![SSL issue is fixed after using vpce domain](https://repost.aws/media/postImages/original/IMt_lIGZ4ERymiPXmpxdHiLQ)

Now my question is why this port exists. While we access it via the VPC endpoint, we still access port 443. So is there port forwarding while going through the VPCE, or is this port open for something else? Since S3 has a gateway VPC endpoint, does that mean all the public IPs need to be open? We also don't put vpce in the domain when we call the S3 endpoint with the VPCE, so does that mean there is a domain rewrite as well? If someone can let me know how this works, it will be really great. I can also inform my customer as such. Thank you.
0 answers, 1 vote, 175 views, asked 2 months ago