ACM.114 Create a safety group with a selected person’s IP handle
It is a continuation of my sequence on Automating Cybersecurity Metrics.
Within the final put up I defined how failure to report errors causes techniques and software program to interrupt.
Now we’re going to maneuver on to deploying a user-specific VM on AWS.
We’ve deployed an EC2 occasion
With a safety group that limits entry to SSH from a selected IP handle:
What when you’ve got various distant customers which can be logging in from completely different IP addresses?
VPN: A typical technique to resolve that drawback could be a VPN as that’s the function of a VPN. Customers should authenticate earlier than connecting to the networking. The IPs allowed to authenticate can come from anyplace. When you join then the reported IP handle for that person is the VPN and that VPN has entry to inside networks and sources.
Person-Particular Safety Teams: What in the event you might limit entry to every person based mostly on their very own IP handle? Then permit that person to connect with a selected host that acts sort of like a bastion host for that person on the community. Then, in your logs, you wouldn’t see the final VPN handle for visitors initiated by that person, you’ll see the IP handle of a selected host assigned to a selected person (presuming you monitor if and when hosts go up and down or IPs change.)
Let’s see how we will make that work.
Deploy a Person Particular Safety Group
We created a CloudFormation template to deploy a safety group that permits SSH entry for as single IP CIDR or a single IP (a CIDR consisting of the IP handle with /32 on the finish).
Right here’s the code within the deploy script:
Let’s change this to create a safety group for each member of a specified group. Create a operate to retrieve an inventory of customers in a bunch and create a safety group for every person.
Name the operate from the deploy script, changing the present code above:
Now now we have one drawback. With a view to get the customers in a bunch the community admins (Community profile) want permissions to learn group customers. We’ll add that to the suitable IAM Coverage.
Deploy the IAM adjustments.
To ensure this truly works for a number of customers in a bunch, let’s add another developer:
Deploy the brand new developer person.
Replace the group script we created so as to add the brand new person to the group.
Deploy that script and confirm the person is within the group. Ensure you fully refresh the teams web page even in the event you click on on it from the hyperlink on the customers web page.
Subsequent run community deploy.sh script to see if the brand new safety teams deploy accurately.
By the way in which, I truly created a small take a look at script to check simply this operate reasonably than run all of the community stacks over and over whereas I labored by way of some bugs.
Test to verify the 4 new teams acquired created:
Additionally examine that the safety teams have the proper guidelines with the IP handle for every person within the applicable group guidelines.
Comply with for updates.
Teri Radichel
In the event you favored this story please clap and observe:
******************************************************************
Medium: Teri Radichel or E mail Checklist: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests companies through LinkedIn: Teri Radichel or IANS Analysis
******************************************************************
© 2nd Sight Lab 2022
All of the posts on this sequence:
____________________________________________
Writer:
Cybersecurity for Executives within the Age of Cloud on Amazon
Want Cloud Safety Coaching? 2nd Sight Lab Cloud Safety Coaching
Is your cloud safe? Rent 2nd Sight Lab for a penetration take a look at or safety evaluation.
Have a Cybersecurity or Cloud Safety Query? Ask Teri Radichel by scheduling a name with IANS Analysis.
Cybersecurity & Cloud Safety Sources by Teri Radichel: Cybersecurity and Cloud safety lessons, articles, white papers, shows, and podcasts
