widdix/aws-ec2-ssh

Implementing feature in private subnet

drunktankpink opened this issue · 3 comments

I am looking to implement this where I have private instances within a VPN with no/restricted internet access. Does anyone know if there is a way to keep internet access restricted but allow the HTTPS traffic to required AWS APIs?

Since AWS do not list IAM endpoints/IP addresses specifically, I have just tried pulling the public CIDR blocks used for "AMAZON" services (https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) and adding them to a security group and routing traffic out via a NAT gateway, but I had no luck (I have allowed all HTTPS access successfully so can confirm the set up is working).

I have not yet added all IP addresses listed for all regions as I feel this would surely get blocked by corporate security as the list is quite extensive, even if it did work.

My next train of thought is to route traffic on premise and allow all HTTPS traffic for "iam.amazonaws.com" if the proxy allows.

Does anyone know if this would work, or if there is a more efficient method to achieve this?

In general, AWS offers VPC Endpoints for such scenarios (see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html). Unfortunately, there is no VPC endpoint available for the IAM API yet.

IP-based restrictions are not an option in my opinion. So a proxy whitelisting hostnames is probably the solution that matches your requirements the best.

Have you thought about using Session Manager instead of SSH (see https://cloudonaut.io/goodbye-ssh-use-aws-session-manager-instead/)?

I'm closing this issue, as we are not offering AWS consulting via GitHub. ;)

Hi @andreaswittig, thanks for your reply. I have looked at Session Manager but was unable to use SCP, so it was not suitable for my needs.
I have got this working via a Squid proxy in the end, using hostname whitelisting as you mentioned.
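The hostname-whitelisting proxy that the thread converges on, as an added example that is not part of the original issue or of the aws-ec2-ssh project: a minimal `squid.conf` fragment that lets instances in a private subnet reach only `iam.amazonaws.com` over HTTPS and denies everything else. The subnet CIDR `10.0.1.0/24` and the listening port are assumptions; `iam.amazonaws.com` is the only endpoint named in the thread, so if your region or partition uses a different IAM endpoint, that hostname has to be added to the same ACL.

```squid
# squid.conf fragment (constructed example, not from the project).
# Goal: default-deny egress, allow only TLS CONNECTs to the IAM API
# from the private subnet, and log every decision for review.

http_port 3128

# Clients allowed to use the proxy at all (assumed private-subnet CIDR).
acl private_subnet src 10.0.1.0/24

# Destination hostnames the key-sync job may reach. dstdomain without a
# leading dot is an exact match, so subdomains are not implicitly allowed.
acl aws_iam_api dstdomain iam.amazonaws.com

# Only CONNECT to port 443 is a legitimate shape for this traffic.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Deny anything that is not plain HTTPS tunnelling.
http_access deny !SSL_ports
http_access deny CONNECT !SSL_ports

# Allow the whitelisted hostname from the private subnet only.
http_access allow private_subnet CONNECT aws_iam_api

# Everything else (other hosts, other subnets, plain HTTP) is refused.
http_access deny all

# Keep an access log so blocked attempts are visible to whoever reviews it.
access_log /var/log/squid/access.log squid
```

For the instances to use it, the environment of whatever runs the AWS CLI (for example the cron job that syncs keys) needs `https_proxy=http://<proxy-host>:3128`, and `no_proxy=169.254.169.254` so that instance-profile credentials are still fetched from the instance metadata service directly rather than through the proxy. Because the ACL matches on the hostname in the CONNECT request rather than on IP addresses, the published AWS IP ranges do not need to be tracked, which is the point the earlier reply makes against IP-based restrictions.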