this post was submitted on 18 Sep 2023
DevOps

1685 readers
3 users here now

DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.

Rules:

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

Hoping you folks might be able to point me to the right things to Google.

Our project has developed a very "business-led" (to put it politely) requirement to monitor and allow/block outgoing connections to other parts of the business. We live in a dedicated AWS account and have reasonable autonomy over our networking setup (NACLs, route tables, etc.), but less freedom with what AWS services we can use, and deploying things from Marketplace.

The basic requirements are as follows:

  • Default blocking for certain CIDRs.
  • Exceptions for certain IP/Host and port combos within those CIDRs.
  • Authentication and authorisation to use said exceptions (i.e. user tracking).
  • Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get our hands on.
  • All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).

The security aspect of this is fairly minimal as it's mainly for usage tracking and making sure our users sign their life away before they access their services from our platform. As such, I was hoping to have something that could be rolled out fairly simply; a couple of EC2 instances, yum install foo, and some routing rules, but it looks like the feature set we want requires something more robust, like OPNsense or similar.

Am I missing an obvious solution here, a forward proxy of some sort, any "light" firewalls that don't require a whole separate AMI?

Thanks in advance!

1 comment

[email protected] · 2 points · 1 year ago

Hi! I'm afraid there is no solution that groups all the functionality that you are looking for. Anyway, these are the AWS services I use for most of the requirements you described. Take into account that most of them require AWS services and your company will be charged for most of them.

> Default blocking for certain CIDRs.

> Exceptions for certain IP/Host and port combos within those CIDRs.

Use Security Groups (free of cost): https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html

> Authentication and authorisation to use said exceptions (i.e. user tracking).

You can implement user authentication using AWS Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html.

Additionally, you can delegate the user authentication by using Application Load Balancers and Cognito. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

> Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get our hands on.

> All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).

For connections through the Load Balancer I suggest you enable access logs (requires an S3 bucket and will generate additional charges). For the rest of the connections you may want to check this but I never tried it.
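One caveat worth adding to the security-group suggestion above: security groups are allow-lists and have no deny rules, so the "block this CIDR except for these hosts and ports" shape cannot be written in one directly. Network ACLs, which the OP says they control, do have deny entries, but they are evaluated in ascending rule number with the first match winning, so every exception must get a lower number than the CIDR deny it carves out of. This added example (not the commenter's code, and not an AWS library) builds that ordered egress table and then simulates NACL evaluation over it to check the ordering before anything is applied. The dicts use the keyword names of boto3's EC2 `create_network_acl_entry` call; the ACL id, CIDRs and ports are constructed placeholders.

```python
"""Ordered NACL egress entries for 'deny CIDR, allow host/port exceptions'.
Added example; the ACL id and all addresses are constructed placeholders."""
import ipaddress

# Hypothetical NACL id; replace with the real one from your VPC.
NACL_ID = "acl-00000000000000000"


def nacl_egress_entries(blocked_cidrs, exceptions, start=100, step=10):
    """Build egress entries in evaluation order: exceptions (allow) first,
    then one deny per blocked CIDR, then an allow-all so destinations outside
    the blocked ranges still work. `exceptions` is a list of (host, tcp_port).
    Dict keys match boto3's ec2.create_network_acl_entry(**entry)."""
    entries = []
    rule = start
    for host, port in exceptions:
        entries.append({
            "NetworkAclId": NACL_ID, "RuleNumber": rule, "Protocol": "6",  # TCP
            "RuleAction": "allow", "Egress": True,
            "CidrBlock": str(ipaddress.ip_network(host)),   # bare host -> /32
            "PortRange": {"From": port, "To": port},
        })
        rule += step
    for cidr in blocked_cidrs:
        entries.append({
            "NetworkAclId": NACL_ID, "RuleNumber": rule, "Protocol": "-1",  # all
            "RuleAction": "deny", "Egress": True,
            "CidrBlock": str(ipaddress.ip_network(cidr)),
        })
        rule += step
    entries.append({
        "NetworkAclId": NACL_ID, "RuleNumber": rule, "Protocol": "-1",
        "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0",
    })
    return entries


def first_match(entries, dst_ip, dst_port):
    """Simulate NACL evaluation for an outbound TCP packet: ascending rule
    number, first matching entry decides, no match means the implicit final
    deny. Returns (action, rule_number)."""
    ip = ipaddress.ip_address(dst_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", "6"):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= dst_port <= pr["To"]):
            continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", None


# Constructed sample: block 10.20.0.0/16 except Postgres and HTTPS on one host.
ENTRIES = nacl_egress_entries(
    blocked_cidrs=["10.20.0.0/16"],
    exceptions=[("10.20.30.40", 5432), ("10.20.30.40", 443)],
)

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["RuleNumber"], e["RuleAction"], e["CidrBlock"], e.get("PortRange", "all"))
    print(first_match(ENTRIES, "10.20.30.40", 22))   # hits the /16 deny
```

Two things the table does not cover: NACLs are stateless, so the matching ingress side needs an allow for the ephemeral return ports, and a NACL knows nothing about which user opened the connection, so it only delivers the CIDR/exception part of the OP's list; the user-level authorisation and per-connection logging still have to come from whatever the traffic is proxied through.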