User-specific security group for remote access | by Teri Radichel | Cloud security | November 2022
ACM.114 Create a security group with the IP address of a specific user
This is a continuation of my series on Automating Cybersecurity Metrics.
In the last post, I explained how failure to report bugs causes systems and software to break.
Now let's move on to deploying a user-specific virtual machine on AWS.
We have deployed an EC2 instance
with a security group that limits SSH access to a specific IP address:
What if you have a lot of remote users logging in from different IP addresses?
VPN: A common way to solve that problem would be a VPN, since that is the purpose of a VPN. Users must authenticate themselves before connecting to the network. The IPs allowed to authenticate can come from anywhere. Once connected, the IP address reported for that user is the VPN's, and that VPN has access to internal networks and resources.
User-specific security groups: What if you could restrict access for each user based on their own IP address? Then allow that user to connect to a specific host that acts as a bastion host for that user on the network. Then in your logs you won't see the general VPN address for traffic initiated by that user; you'll see the IP address of a specific host assigned to a specific user (assuming you track whether hosts go up and down or IPs change).
Let's take a look at how we can make that work.
Implement a user-specific security group
We created a CloudFormation template to implement a security group that allows SSH access for a single IP or single-IP CIDR (a CIDR consisting of the IP address with /32 at the end).
Here is the code in the deployment script:
Let's change this to create a security group for each member of a specific group. Create a function to retrieve a list of users in a group, and create a security group for each user.
Call the function from the deployment script, replacing the existing code above:
Now we have a problem. To enumerate the users in a group, network administrators (the network profile) need permission to read the users in the group. We'll add it to the corresponding IAM policy.
Deploy the IAM changes.
To verify this actually works for multiple users in a group, let's add one more developer:
Deploy the new developer user.
Update the group script we created to add the new user to the group.
Deploy that script and verify that the user is in the group. You need to fully refresh the groups page even if you click on it from the link on the users page.
Next, run the network deployment.sh script to see if the new security groups are deployed successfully.
By the way, I actually created a small test script to test just this function rather than run all the network stacks over and over while I worked through some bugs.
Check to make sure the four new groups were created:
Also check that the security groups have the correct rules, with each user's IP address in the corresponding group's rules.
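The per-user function described above (list the IAM group's members, emit one SSH-only security group per member locked to that member's /32) and the final rule check, as an added Python example rather than the post's own bash deployment script. It assumes the caller supplies each user's IP from its own parameter source, takes a boto3-style IAM client as a parameter so the listing logic runs against the constructed stub below without AWS access, and checks rules in the shape `describe-security-groups` returns under `IpPermissions`.

```python
import ipaddress

SSH_PORT = 22

def user_ssh_cidr(ip_text):
    """Accept one IPv4 host (with or without /32) and return it as a /32 CIDR.
    Anything wider than a single host is rejected so a typo cannot open a range."""
    net = ipaddress.ip_network(ip_text, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"expected a single IPv4 host, got {ip_text}")
    return str(net)

def group_user_names(iam, group_name):
    """Return every user name in an IAM group, following IsTruncated/Marker paging.
    `iam` is any object with a boto3-style get_group(); a stub is used below."""
    names, kwargs = [], {"GroupName": group_name}
    while True:
        page = iam.get_group(**kwargs)
        names.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return names
        kwargs["Marker"] = page["Marker"]

def user_sg_resource(user_name, vpc_id, ip_text):
    """CloudFormation resource for one user's group: SSH from that user's /32 only."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": f"SSH from {user_name} only",
            "VpcId": vpc_id,
            "SecurityGroupIngress": [{
                "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
                "CidrIp": user_ssh_cidr(ip_text), "Description": f"user:{user_name}"}],
            "Tags": [{"Key": "User", "Value": user_name}],
        },
    }

def ingress_is_user_only(ip_permissions, expected_cidr):
    """Post-deploy check over IpPermissions: exactly one rule, TCP 22, a single
    IPv4 range equal to the user's /32, and no IPv6, prefix-list or SG sources."""
    if len(ip_permissions) != 1:
        return False
    p = ip_permissions[0]
    return (p.get("IpProtocol") == "tcp" and p.get("FromPort") == SSH_PORT
            and p.get("ToPort") == SSH_PORT and not p.get("Ipv6Ranges")
            and not p.get("UserIdGroupPairs") and not p.get("PrefixListIds")
            and [r["CidrIp"] for r in p.get("IpRanges", [])] == [expected_cidr])

class StubIam:
    """Constructed stand-in for boto3's IAM client: two pages of a group listing."""
    PAGES = [{"Users": [{"UserName": "dev1"}], "IsTruncated": True, "Marker": "m1"},
             {"Users": [{"UserName": "dev2"}], "IsTruncated": False}]
    def get_group(self, GroupName, Marker=None):
        return self.PAGES[1 if Marker else 0]
```

With a real client, `group_user_names(boto3.client("iam"), "developers")` drives the same loop, and `ingress_is_user_only` runs over each deployed group's `IpPermissions` to confirm nothing wider than the user's /32 slipped in.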
Teri Radichel
© 2nd Sight Lab 2022