Misc

Cards (37)

  • Bastion Hosts
    • We can use a Bastion Host to SSH into our private EC2 instances.
    • The bastion sits in the public subnet, which is connected to all the other (private) subnets.
    • The Bastion Host has its own security group, which must allow inbound traffic on port 22 only from a restricted CIDR, e.g. the public CIDR of your corporation.
    • The Security Group of the private EC2 instances must allow SSH access (port 22 again) from either the SG of the Bastion Host or the private IP of the Bastion Host. These are equivalent.
  • Why does an EC2 instance in the public subnet, our bastion host, have access to the EC2 instance in our private subnet?
    Because everything is in our VPC.
  • VPC Peering

    • Privately connect two VPCs using AWS’ network.
    • Make them behave as if they were in the same network.
    • Must not have overlapping CIDRs.
    • VPC Peering connection is NOT transitive (must be established for each VPC that needs to communicate with one another).
    • You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other.

    If VPC A is peered with B, and B with C, that doesn't automatically mean A is peered with C; that needs its own peering connection.
  • VPC Peering is a VPC-to-VPC connection that allows traffic to flow between VPCs.
  • Security Groups & NACLs
    Evaluating - yes or no?
    A) Yes
    B) Yes
    C) No
    D) Yes
    E) Yes
    F) Yes
    G) Yes
    H) No
  • Default NACL

    • Accepts everything inbound/outbound with the subnets it’s associated with.
    • Do NOT modify the Default NACL, instead create custom NACLs.
  • Ephemeral Ports

    • For any two endpoints to establish a connection, they must use ports.
    • Clients connect to a defined port, and expect a response on an ephemeral port.

    • Different Operating Systems use different ephemeral port ranges, for example:
      • IANA & MS Windows 10 => 49152–65535
      • Many Linux kernels => 32768–60999
  • Security Group vs. NACLs

    SECURITY GROUP

    > Operates at the instance level.

    NACL

    > Operates at the subnet level.
  • Security Group vs. NACLs

    SECURITY GROUP
    > Supports allow rules only

    NACL
    > Supports allow rules and deny rules
  • Managed Prefix List

    • A set of one or more CIDR blocks
    • Makes it easier to configure and maintain Security Groups and Route Tables

    Customer-Managed Prefix List

    • Set of CIDRs that you define and manage yourself
    • Can be shared with other AWS accounts or with an AWS Organization
    • Modify to update many Security Groups at once
  • An AZ is basically a DC. Can a subnet exist across multiple AZs?

    No - a subnet can only exist within a single AZ, but you can create multiple subnets within each AZ.
  • A VPC Router is not seen in a Console but is responsible for routing connections within and outside the VPC. Where is it located?

    Sandwiched between the AZ and VPC. Work with it through the Route Table.
  • What does VPC Route Table Destination: 10.0.0.0/16 to Target: Local mean?
    • Route this VPC's address block locally.
    Don't route it to any outside connection such as the internet or a Site-to-Site VPN link. Keep it all internal and just route between subnets; the VPC router knows where to send those packets.
  • What does NAT stand for?
    Network Address Translation
  • Do you need a NAT for IPv6?
    No - IPv6 addresses are always publicly routable, so there is no private address to translate.
  • AWS Console, for both the VPC and the public subnets: what does it mean when we select VPC > Actions > 'Edit VPC Settings' > 'Enable DNS Hostnames', and PUBLIC subnet > Actions > 'Edit Subnet Settings' > 'Enable auto-assign IPv4 address'?
    We'll get DNS hostnames for our EC2 instances
  • VPC Peering
    • VPC Peering connections are internal VPC-to-VPC connections that allow traffic to flow between VPCs, regardless of region or account.
    • A security group can reference a security group in a peered VPC (works across accounts within the same region) - you don't need to use the CIDR block as the source.
  • AWS internal.
    • Peering traffic stays on the AWS Global Network, so it never touches the internet; it is encrypted when moving between regions and uses private IPs. CIDR blocks must never overlap, otherwise peering won't work.
  • VPC Flow Logs
    • Capture information about the IP traffic going to and from network interfaces in a VPC.
    • The data is stored in CloudWatch Logs or Amazon S3, and you can create the flow log at different levels:
    > VPC level
    > subnet level, or at the
    > interface level - associated with the ENI that's attached to an EC2 instance
  • AWS Config
    • Evaluates your AWS resource configurations for desired settings against AWS Config rules.
    • A conformance pack is a collection of AWS Config rules and remediation actions.
    • Receive a notification whenever a resource is created, modified, or deleted.
    • It uses Systems Manager Automation for automatic remediation.
  • AWS CloudFormation
    See Slide
    • Templates => Stacks => StackSets
    • Templates => Change Sets
  • AWS RedShift is what?
    Data warehouse service.
  • AWS Systems Manager is a cloud-based service that automates the deployment, configuration, and management of AWS resources.
    Important things to note.
    1. Our instances must have the Systems Manager agent installed.
    2. We need to make sure that our instances have the permissions required to send information to Systems Manager.
    That's done by creating an IAM role with the required policy attached and assigning it to the instance through an instance profile.
  • AWS Systems Manager PATCH MANAGER is a managed service that automates the patching of AWS resources.
    • Helps you select and deploy operating system and software patches.
    • Check it out! Course 2 has a walk-through lab on it.
  • AWS Systems Manager SESSION MANAGER is a service that allows you to manage the lifecycle of AWS resources.
    Gives you command line access to your instances. But...
    • You don't have to open remote PowerShell ports or SSH ports.
    • You don't need bastion hosts.
    A great way to securely connect to your instances for administration.
  • Does an Amazon Inspector agent need to be installed on EC2 Network assessments?
    No. But an agent must be installed on EC2 for host assessments.
  • AWS Shield
    • A managed DDoS protection service
    • Integrated with Amazon CloudFront (standard included by default)
    Two tiers:
    • Standard - no cost (very basic)
    • Advanced - $3k USD per month, with a 1-year commitment
  • Routing to an internet gateway - How do you make a subnet public?
    You can make a subnet a public subnet by adding a route in your subnet route table to an Internet Gateway.
  • Routing to a NAT device - How can you enable instances in a private subnet to connect to the internet?
    To enable instances in a private subnet to connect to the internet, you can create a NAT gateway or launch a NAT instance in a public subnet.
  • Interface vs Gateway Endpoint
    • What is used to connect to destination?
    IEP: you get an interface, an ENI in your subnet, which has a private IP.
    GEP: you don't get an interface; instead you have a route table entry pointing to the gateway for a specific service, populated with that service's prefix list.
  • Interface vs Gateway Endpoint
    • How is traffic redirected?
    IEP: uses DNS entries.
    GEP: uses prefix lists in route tables
  • Interface vs Gateway Endpoint
    • Security?
    IEP: SGs
    GEP: VPC Endpoint IAM Policies
  • Security groups are assigned at the instance level. What are they really assigned to?
    SGs are actually attached at the ENI (elastic network interface) level of the EC2 instance.
  • Where is the Internet Gateway (IGW) that allows inbound traffic to your public subnets attached?
    To the VPC. Configure the router (Main Route Table) to point to it!
  • Security Group vs. NACLs
    SECURITY GROUP
    • Stateful: return traffic is automatically allowed, regardless of any rules
    NACL
    • Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)
  • Security Group vs. NACLs

    SECURITY GROUP

    > All rules are evaluated before deciding whether to allow traffic

    NACL

    > Rules are evaluated in order (lowest to highest) when deciding whether to allow traffic, first match wins
  • Security Group vs. NACLs

    SECURITY GROUP
    > Applies to an EC2 instance only when someone explicitly assigns it

    NACL
    > Automatically applies to all EC2 instances in the subnet that it’s associated with