Validating VPC Endpoint Connections Happen Through the Personal Community | by Teri Radichel | Cloud Safety | Nov, 2022

November 11, 2022

2

ACM.108 inspecting visitors flows and troubleshoot VPC Endpoint connections

This can be a continuation of my collection on Automating Cybersecurity Metrics.

This submit is lengthy and detailed. You're actually going to get your cash's value! In order for you a abstract of what we uncover on this submit, leap to the tip. In order for you justification for the abstract, learn the entire submit or to know how we got here to these conclusions by inspecting and validating community visitors for various configurations.

We deployed a VPC Endpoint with CloudFormation for CloudFormation on this weblog submit.

Then we added a task to our EC2 occasion within the final submit to allow AWS CLI instructions on that occasion with out utilizing long-term developer credentials.

We examined out executing a CloudFormation CLI command within the final submit and it didn’t work. Why not? We’ve bought our VPC Endpoint and the safety teams set as much as entry it. We don’t permit entry to the complete Web however shouldn’t the decision to the AWS CLI be sending the requests to CloudFormation to the VPC endpoint?

How can we troubleshoot why we can’t hook up with the VPC Endpoint?

Initially I assumed it was not attainable to view the visitors to and from the VPC Endpoint interface. Once I checked out community interfaces within the EC2 dashboard, the one community interfaces that existed there have been for the 2 EC2 cases in my take a look at account.

Though an interface is created in our subnet per the documentation, the interface didn’t appear to be seen within the AWS console both on the VPC Endpoint web page or within the checklist of interfaces on the EC2 dashboard.

You’ll be able to select one subnet per Availability Zone to your interface endpoint. When you add a subnet, we create an endpoint community interface within the subnet and assign it a personal IP deal with from the IP deal with vary of the subnet. When you take away a subnet, we delete its endpoint community interface.

As a result of I couldn’t get the ENI from the community interfaces dashboard I thought the associated to visitors was not in VCP Stream Logs. Even when it was, I wouldn’t know which Interface to have a look at. So I began with the EC2 occasion. By by the tip of this submit, the VPCEndpoint community interfaces magically confirmed up within the community interfaces checklist. I don’t know if it merely takes them a very long time to indicate up or what was occurring there, however you could find the community interfaces on the EC2 dashboard.

Though I assumed we couldn’t see the community interfaces for the VPC Endpoints, I reasoned that we must always be capable of see visitors going to it from our EC2 community interface which is in VPC Stream Logs.

Take a look at the networking tab to your EC2 occasion.

Copy the community interface ID (eni-xxxxxxxxx)

Navigate to VPC Stream Logs for the Distant Entry VPC the place we deployed our EC2 occasion. Seek for the ENI to your EC2 occasion.

Click on on it.

You’ll see all types of community visitors — most of it rejected noise from the Web due scammers in search of vulnerabilities in your system.

Seek for [space]443[space]. (You want the areas to weed out different visitors with 443 someplace within the knowledge however not particularly the community port.) You may as well put quotes across the port quantity like this: “ 443 “.

Right here you may see a few issues. The logs present the PRIVATE IP deal with of your EC2 occasion, not the general public IP deal with.

There are a bunch of 52.x.x.x IPs in my logs. Lookup a kind of IPs at arin.internet:

Sure, it’s an Amazon IP deal with:

That’s your EC2 occasion attempting to achieve the CloudFormation service however it’s blocked. Why is it a public IP deal with? Shouldn’t or not it’s sending visitors to a personal IP deal with now that we arrange our VPC Endpoint?

Navigate to your VPC Endpoints.

Click on on the CloudFormation endpoint.

Right here we are able to see there are some DNS names for our endpoint. It additionally reveals that personal DNS isn’t enabled.

Use dig to see what IP deal with is returned for a kind of DNS names:

There you may see the DNS title resolves to a personal IP deal with.

Sadly you may’t see any DNS queries in VPC Stream Logs.

The rationale you may’t see DNS visitors when utilizing AWS DNS servers in VPC Stream Logs is as a result of that visitors doesn’t traverse the community interface or equipment that captures VPC Stream Logs within the AWS Community.

If you're involved about capturing threats on this visitors you will have a few choices. One is to arrange your personal DNS servers on AWS. That could be very sophisticated. Belief me. I helped Capital One do it and you should have a myriad of problems, however DNS is without doubt one of the finest locations to identify assaults so some corporations will go for that possibility.You may as well use AWS GuardDuty which displays the DNS visitors, regardless that you may't examine it your self, and alerts you to suspicious exercise it uncovers.DNS Is a big matter so I am going to go away it at that for the second as we actually simply wish to get our VCP Endpoint working on this submit.

We additionally can’t see utility layer logging within the OSI Mannequin so we wouldn’t be capable of see domains even when that visitors was captured.

Viewing DNS and different community visitors on a bunch

We are able to use tcpdump on the native host, nevertheless to have a look at DNS queries. TCP Dump is a community packet sniffer like WireShark that runs on Linux. I wrote about packet sniffing right here:

Run this command to seize solely visitors to port 53 for DNS and never all of your SSH visitors (which might be too noisy):

sudo tcpdump -vvvv port 53

Appears like after we run our CloudFormation command the host is making queries to EC2, not CloudFormation.

Now we are able to’t actually determine precisely what IP vary belongs to CloudFormation as a result of sadly it isn’t on this checklist:

https://ip-ranges.amazonaws.com/ip-ranges.json

We can also’t use a prefix checklist as a result of at present none exists for CloudFormation so we can’t lock down our guidelines to this checklist.

Though not preferrred, to finish our take a look at, I’m going to open my IP ranges to 52.0.0.0/8. That’s any IPv4 deal with that begins with 52. This vary doesn’t solely embody AWS IPs sadly. Wanting on the final IP deal with within the vary we are able to see it belongs to Microsoft:

I actually hope AWS expands it’s use of prefix lists to all providers however for this quick take a look at I’ll use that 52.x vary so we are able to see if we are able to get this working.

Non permanent modifications may cause safety issues! Be very cautious when making a short lived change to check one thing - that is usually the purpose when folks neglect to revive configurations and go away their environments in a susceptible state. I keep in mind when one firm's SQL database was compromised as a result of it was uncovered to the Web. The assertion from the builders was "We have been solely attempting to run a short lived take a look at."This will probably be a handbook change so it is going to be overwritten if I merely delete and re-run my CloudFormation stacks. Word that it'll NOT be overwritten if I make a handbook change and my CloudFormation template hasn’t modified, except I pressure a change with a timestamp as I confirmed you learn how to do in an earlier submit. CloudFormation solely makes an replace if the template used to deploy the useful resource modifications. And as we noticed with belief insurance policies that doesn’t even at all times work.

Open up outbound entry to that vary (or the relevant vary if you’re in a distinct area) in any safety group and run tcpdump and your CloudFormation command once more.

Now the visitors isn’t blocked so we are able to see that the DNS question is used to get the CloudFormation IP deal with and the HTTPS visitors follows.

Within the different window the place we ran our CloudFormation command we are able to see that it’s profitable.

AWS Public IP addresses for AWS providers

Why is the DNS resolving to a public IP deal with? Right here’s what AWS has to say about accessing providers via AWS Personal Hyperlink:

When an Web Gateway is current, the service is on the market by way of the general public endpoint. The visitors will traverse the Web Gateway and use a public IP deal with however it’ll stay inside the AWS community.

https://docs.aws.amazon.com/vpc/newest/privatelink/privatelink-access-aws-services.html

When utilizing a VPC endpoint, right here’s what the documentation has to say:

Site visitors destined for the AWS service is resolved to the non-public IP addresses of the endpoint community interfaces utilizing DNS, after which despatched to the AWS service utilizing the connection between the VPC endpoint and the AWS service.

However our DNS queries are resolving to a public IP deal with? Why?

Right here’s the important thing level:

When you allow each DNS hostnames and DNS decision to your VPC, we create a hidden non-public hosted zone. The hosted zone incorporates a document set for the default DNS title for the service that resolves it to the non-public IP addresses of the endpoint community interfaces in your VPC.

So have we enabled DNS hostnames and DNS decision for our VPC? Let’s examine. Take a look at the small print of our distant entry VPC.

Appears like we now have DNS decision enabled however not DNS hostnames.

What do these two settings do?

It appears to be like like allow DNS host names provides EC2 publicly resolvable DNS names. I didn’t want or need that after I configured this VPC so I left it disabled. We did need our EC2 cases to have the ability to resolve DNS names so I left that setting on.

The documentation right here that’s referenced by the VPC Endpoint documentation doesn’t say something about resolving VPC Endpoints to personal IP addresses. I discover it odd that we would wish to allow public DNS host names for EC2 cases to get non-public IP addresses for our VPC Endpoint. These public DNS names mainly inform anybody querying the DNS which IP addresses have EC2 cases related to them. I’d fairly go away it off.

Earlier than enabling that allow’s check out one different factor. Once we configured our VPC endpoint we didn’t set the PrivateDnsEnabled property to true after we created our endpoint.

It makes rather more sense to me that we would wish to set this to true to resolve our drawback than to allow DNS host names in our VPC for EC2 cases. Let’s attempt setting this to true first and see how that impacts our DNS queries.

No luck. Apparently, as a way to allow non-public DNS in your VPC endpoint, you have to to allow DNS host names to your EC2 cases as effectively.

Proper now the EC2 occasion we deployed utilizing a CloudFormation template in a previous submit doesn’t have a public DNS title:

Let’s change the endpoint template again to not enabling non-public DNS and allow the VPC DNS host names and see what occurs.

Check with the CloudFormation VPC documentation to allow DNS hostnames:

We are able to merely flip that on for all our VPCs as a result of I count on to make use of it for our non-public VPC as effectively. We’ll be utilizing VPC endpoints in an upcoming submit with our Lambda perform. If we thought we would optionally wish to allow it we might make it a parameter however for now I simply up to date VPC.yaml to this:

Now I’ve VPC host names enabled:

My EC2 occasion has a DNS title:

Personal DNS is disabled on my VPC Endpoint:

If I examine to see if CloudFormation resolves to a personal IP deal with, no:

Now let’s allow non-public DNS on the VPC Endpoint.

Lastly…we get an DNS question reply that resolves to personal IP addresses:

Now take a look at our AWS CLI command:

aws cloudformation describe-stacks

What occurred? It’s not working. Let’s return to VPC circulation logs to see if we are able to discover the associated REJECT logs. Seek for outbound requests to port 443 which can be rejected.

We are able to see right here that that sure, our request is making outbound requests to our VPC endpoint IP addresses. However why is it blocked now?

Let’s double examine our networking. Initially, what’s the IP vary of the subnet containing our EC2 occasion?

What are the IP addresses in that vary? Test the ARIN CIDR calculator in case you don’t realize it off the highest of your head:

Something in that subnet vary can talk with one another as a result of it’s in the identical subnet.

Test the route desk for the subnet:

What’s the IP vary for 10.10.0.0/24 (the native route)? Something within the 10.10.x vary can route visitors to the rest in that very same vary.

The IPs that got here again for our VPC Endpoint are accessible by way of the route desk to our VPC endpoint.

We created two safety teams that ought to permit visitors between them primarily based on safety group IDs within the submit the place we created the VPC endpoint:

https://medium.com/cloud-security/vpc-endpoint-for-cloudformation-66c922d518cd

Double examine that the proper safety group is utilized to the VPC Endpoint and the EC2 occasion. Aha. We by no means added the VPCEndpoint safety group to our EC2 occasion:

Discover additionally that regardless that outbound entry to the Web is current, our occasion nonetheless can’t attain CloudFormation as a result of the DNS title resolves to a neighborhood IP deal with that’s not accessible. And that’s the reason folks say in the case of cloud issues: It’s at all times DNS.

On this case the issue is definitely our safety group guidelines.

Community Guidelines Don’t At all times Replace Accurately — TEST THEM

What I additionally discover right here is that my outbound handbook rule added to the safety group for testing remains to be current regardless that I assumed I deleted and redeployed the related CloudFormation stack. I deleted the stack for the safety group guidelines and my GitHub cloud formation guidelines get deleted, however NOT the rule I manually added.

I tried to delete the safety group once more however the stack fingers within the “Delete in progress” state.

I’m not certain if this is because of the truth that I manually added a community rule or as a result of I’ve related this group with an EC2 occasion. In any case I went again and manually deleted the rule I manually created. When you’re anxious about this kind of factor in your personal account take a look at CloudFormation drift detection — a subject for one more day.

Now at this level the safety group was caught within the “Delete in Progress State.” Once I tried to delete the safety group I bought the next warning which tells me what the issue is:

After disassociating the safety group with the EC2 occasion I might delete the safety group.

Returning to CloudFormation, we are able to see that the stack remains to be caught. What’s the issue? Finally it timed out and the stack bought eliminated.

Nevertheless, take a look at the AWS documentation on AWS CloudFormation and VPC endpoints:

We’d must make some extra modifications to handle these points if we see this drawback once more. I’ll go away that for one more submit.

Add the VPC Endpoint Safety Group to the EC2 Occasion

For now we are able to re-deploy and add the VPC Endpoint Entry safety group to the EC2 occasion. Replace the perform in vm_functions.sh that deploys the developer VM:

As soon as once more, I’m hitting this problem with the EIP affiliation. I would must revisit that in some unspecified time in the future. I can consider plenty of methods to deal with that drawback however I’ll reserve it for one more submit. Delete the EIP affiliation stack (not the EIP stack so we don’t must revise our native firewall once more.)

After all that breaks our SSH connection to the developer VM.

Redeploy the VM with the brand new safety group.

Redeploy the EIP affiliation.

Confirm the VPCE safety group is added to the VM.

Delete your identified hosts file because the EC2 occasion has modified. Defined right here:

https://medium.com/cloud-security/warning-remote-host-identification-has-changed-30e0f4164160

You’ll must run aws configure once more to set the area.

Then you may run your AWS CloudFormation describe-stacks command once more.

And now it really works.

Test that the CloudFormation area resolves to a personal IP deal with:

Get the brand new community interface ID for our EC2 occasion because it was redeployed and examine the VPC Stream Logs.

Now right here’s the odd factor. Once I initially examine the logs I solely noticed public IP addresses with ACCEPT visitors logs for port 443.

So as to actually see what was occurring, I took the next steps:

I deleted all of the visitors in my VPC Stream Logs.
I as soon as once more created two terminal home windows. I ran tcpdump however this time to seize port 443 in a single window:

sudo tcpdump -vvvv port 443 -n

3. Then I ran my CloudFormation command within the different:

aws cloudformation describe-stacks

I can see on the native host with tcpdump that the connections are, actually, made by way of non-public IP addresses.

Then, returning to the logs, I can see that the non-public IP addresses exist right here too:

The opposite EC2 visitors could also be associated to some form of initialization of the EC2 occasion because the visitors was going to an EC2 area, not CloudFormation. As well as, it takes a couple of minutes for visitors to indicate up in VPC Stream Logs so that you may need to attend a bit to see it.

Community Interfaces for VPC Endpoints

I discussed above that originally I couldn’t see any community interfaces within the EC2 dashboard for the VPC endpoints I created. I don’t know if it was a few of the configuration I added throughout this submit or whether or not it took a very long time for them to indicate up, however finally they appeared within the checklist.

I kind of reverse-engineered that we must always be capable of decide the ENI of the VPC Endpoint as a result of I solely have one EC2 occasion and the VPC Endpoint related to the VPC I’m testing on this submit.

Once I checked out VPC Stream Logs, after repeatedly deleting all of the logs and re-running my instructions, I might see there have been at all times three ENIs. I reasoned that one was for the EC2 occasion and the opposite two have been for the VPC Endpoint — one for every subnet.

Now what AWS ought to do is put these ENIs within the dashboard the place the VPC Endpoint particulars exist (#awswishlist).

However you may see them by navigating to the EC2 dashboard and clicking community interfaces on the left menu.

Whenever you have a look at the logs for one of many VPC Endpoints you may see the requests made to it:

What exists in CloudTrail logs?

Somebody was arguing with me that they might look in CloudTrail logs to seek out all of the actions taken of their cloud account. I used to be curious to see what actions exist associated to a VPC endpoint.

We are able to see the deployment and modification of the VPC endpoint:

We are able to see the DescribeStacks motion:

However what in regards to the DNS requests and dig instructions? These should not going to indicate up in your CloudTrail logs.

What if I ran a curl command to obtain some rogue software program from a identified unhealthy IP deal with? In our case, the IP guidelines would block plenty of the Web however we at present have all of GitHub open.

What if the attacker runs the clone command to obtain one thing malicious as a substitute of the repo I’m writing for this submit. I discover plenty of penetration testing instruments and concepts on GitHub (and do NOT obtain them except you actually know what they’re doing — a few of them are supposed to infect the host to which they’re downloaded, or ship vulnerabilities the discover to somebody apart from you!)

What’s to cease an attacker that will get onto the host by way of a software program vulnerability from downloading code from GitHub?

Nothing at this level.

Would you see that in your CloudTrail logs? No.

Would you see that in your host logs? Provided that the attacker already on the host has not disabled or altered these logs.

Would you see that in your community logs? Sure.

As you may see, safety requires layers of safety and usually, solely encryption or solely IAM or solely networking isn’t sufficient. The completely different controls work collectively to guard your property and you might want to architect them fastidiously.

What have we discovered by way of this take a look at?

We are able to glean plenty of info from this weblog submit. To summarize:

Don’t assume your visitors is traversing non-public networks and IP addresses if you configure your community. Take a look at it.
Take a look at your community logs to be sure to can see the visitors you might want to see.
Site visitors to VPC providers *ought to* keep on the AWS spine when connecting to a public IP deal with. However we are able to’t actually show it primarily based on the logs accessible to us. It would traverse an Web Gateway so if you’re attempting to keep away from including a kind of use a VPC Endpoint.
VPC Endpoints require additional configuration to get the visitors to circulation on a personal community in any other case it’ll take the general public route, if it exists. It’s good to allow DNS settings in your VPC and the endpoint itself.
Deploy safety teams to the VPC endpoint and the EC2 occasion that should attain it. I defined learn how to deploy these safety teams appropriately with safety group IDs, not CIDRs or IP addresses, within the final submit.
Whenever you manually create Safety Group guidelines, you must perceive that they might not be deleted by way of CloudFormation. Keep away from handbook modifications and use CloudFormation drift detection to determine when somebody has achieved that.
You’ll be able to’t see AWS DNS requests in VPC Stream Logs. You’ll be able to see them with a host-based visitors sniffer or by utilizing your personal DNS servers (which is sophisticated — something we’ve achieved on this weblog collection x 100). You should utilize AWS GuardDuty to detect threats you can’t seize your self.
We are able to see the community interfaces related to VPC Endpoints within the EC2 dashboard. We are able to use these ENIs to view visitors to and from the VPC Endpoints in VPC Stream Logs.
CloudTrail and host-based logs should not sufficient to detect all exercise in your compute assets in case your system turns into contaminated with malware or infiltrated by an attacker.

Within the subsequent submit we’ll create a coverage for our VPC Endpoint.

Teri Radichel

When you preferred this story please clap and comply with:

Medium: Teri Radichel or E-mail Record: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests providers by way of LinkedIn: Teri Radichel or IANS Analysis