Firewall – EC2 Security Group, restrict inbound access by hostname

amazon ec2amazon-web-servicesfirewallwhitelist

I have written a web hook for PayPal IPN and I only want to allow access from PayPal servers on Port 80/443 to the EC2 instance hosting the end point.

In the EC2 security group console I can only filter by IP/Range. This isn't adequate as PayPal say they change IP address randomly and without no notice, so one must use the hostnames.

I've seen answers here that recommend widening the IP Block etc but no real direct solution. One proposed solution was to update the Security Group using the AWS API.

Is this the best option? What I could do is have a scheduled task to compare the current IP that the PayPal host resolves to the last known IP address. If they are different, then update the AWS EC2 group.

I would run that task on the same machine, because hey, if the machine stops then access to the endpoint won't be available anyway.

Is this the most appropriate solution? I will do the same for my home where I have a similar problem.

Best Answer

Does the filtering have to be done at the AWS level. You could add an additional software firewall on the instance (or as another instance between the IGW and the instance), Pfsense should allow firewall blocking based on hostname.

Related Solutions

Is it possible to update an existing EC2 security group from CloudFormation

Existing SecurityGroups can be updated using SecurityGroupIngress

For example:

"SecurityGroupRedisIngress": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties" : {   
        "GroupId": "sg-123456789",
        "IpProtocol": "tcp",
        "FromPort": "6379",
        "ToPort": "6379",
        "CidrIp": "1.2.3.4/0"
    }
}

How EC2 Security Group uses group id as the value in the source column

AWS security groups work as whitelists: each line is a permissive rule. Anything that is not allowed, is denied, yet what is allowed, is allowed, you can't override that in any other rule.

Roughly, security groups can allow specific inbound traffic from:

a given IP address or IP address range;
all instances that are assigned a given security group.

Unfortunately, you can not specify anything more complex, like "allow access from any instance that does not have a public IP" - you can only specify a source security group. As you correctly assumed, security groups listed in Source field can be regarded as labels.

So, in your case, configuration should be as follows:

EC2 instances with Web applicationsh should have sg-public-group;
EC2 instance with DB should have sg-db-group and sg-private-group;
EC2 instances that require access via SSH from internal subnet only should have sg-access-group (yet you still need to think how to access those instances you are planning to access from).

sg-access-from should be set up to allow connections via 22/TCP from EC2 instances that belong to sg-private-group. However, it is going to be your responsibility to make sure that all EC2 instances belonging to sg-private-group indeed do not have any public IP addresses.

For more detail look at AWS Security Groups document:

For each rule, you specify the following:

Protocol: The protocol to allow. The most common protocols are 6 (TCP) 17 (UDP), and 1 (ICMP).

Port range : For TCP, UDP, or a custom protocol, the range of ports to allow.

ICMP type and code: For ICMP, the ICMP type and code. Source or destination: The source (inbound rules) or destination (outbound rules) for the traffic. Specify one of these options:

An individual IPv4 address. You must use the /32 prefix after the IPv4 address; for example, 203.0.113.1/32.

(VPC only) An individual IPv6 address. You must use the /128 prefix length; for example 2001:db8:1234:1a00::123/128.

A range of IPv4 addresses, in CIDR block notation, for example, 203.0.113.0/24.

(VPC only) A range of IPv6 addresses, in CIDR block notation, for example, 2001:db8:1234:1a00::/64.

Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group. You can specify one of the following security groups:

The current security group.

EC2-Classic: A different security group for EC2-Classic in the same region.

EC2-Classic: A security group for another AWS account in the same region (add the AWS account ID as a prefix; for example, 111122223333/sg-edcd9784).

EC2-VPC: A different security group for the same VPC or a peer VPC in a VPC peering connection.

Best Answer

Related Solutions

Is it possible to update an existing EC2 security group from CloudFormation

How EC2 Security Group uses group id as the value in the source column

Related Topic