Firewall – limit outbound access for an EC2 instance

amazon ec2firewallrouting

Our company is in the process to become PCI compliant and one of the requirement is to limit the outbound access of our servers.
We have only 1 EC2 instance that falls in the PCI scope and I would like to limit outbound internet access to this instance to only the services needed.

Is there anyway to build that? Is a VPC the best option to do it?

Thanks a lot,

Elie

Best Answer

Consider the following:

Security Groups allow you to choose CIDR (ip range) and port. You can restrict outbound access at the Instance level.
Network ACLs allow you to do the same, but at the Subnet level.
You can place a firewall into your network or utilise your NAT device, to control outbound access. This can help with logging which may be a requirement for PCI compliance.
You could employ software firewalls, like iptables for linux which can also assist with logging requirements.

Related Solutions

How to whitelist oubound-from-private-subnet traffic to S3 on the NAT instance of an EC2 VPC

Instead of whitelisting S3 traffic at the NAT instance, I suggest you configure VPC endpoints for S3:

New – VPC Endpoint for Amazon S3 (AWS Blog)
AWS VPC User Guide: VPC Endpoints

That way, your EC2 nodes can access S3 directly on the VPC private network instead of going through the NAT.

If you still want a list of IPs used by S3, you can use the AWS CLI command describe-prefix-lists:

aws ec2 describe-prefix-lists

which will give an output like

{
    "PrefixLists": [
        {
            "PrefixListName": "com.amazonaws.eu-west-1.s3", 
            "Cidrs": [
                "54.231.128.0/19"
            ], 
            "PrefixListId": "pl-6da54004"
        }
    ]
}

The list is for the region used by AWS CLI. My sample shows the current output for eu-west-1, You can specify a different region by passing the --region parameter, e.g. aws --region us-east-1 ec2 describe-prefix-lists.

However, please note that the IP range for a service may change from time to time.

Access Amazon EC2 RDS instance from inside VPC

If your VPC EC2 instances are in private subnets, then to access EC2-Classic, your VPC will need a NAT. Give your NAT an elastic IP address so it's a constant public IP address.

Then in your RDS security group, allow access only for that Elastic IP address.

If your VPC EC2 instances are in public subnets, then you could give each of them elastic IP addresses and allow access to only those IP addresses in your RDS security group. This is more difficult if they are part of auto-scaling groups.

Best Answer

Related Solutions

How to whitelist oubound-from-private-subnet traffic to S3 on the NAT instance of an EC2 VPC

Access Amazon EC2 RDS instance from inside VPC

Related Topic