Security in AWS
Questions
1. In your AWS Management Console, go to the VPC dashboard. In the navigation pane, scroll
down and click Network ACLs in the Security category. You should have at least
one NACL listed here as a default. Select that NACL, and then click the Inbound
Rules tab for that NACL. Two rules should be listed here, one that allows all traffic
and one that denies all traffic. Considering that these rules seem to accomplish
exactly opposite purposes, what net effect do you think these rules have on traffic
into this VPC? Why do you think this is?
This is the facility for using NACL. It supports rules of both an allowing and a denying nature. AWS
checks with all security groups whether a certain rule should be set to allow traffic. The default setting
of the rule is not to allow any inbound traffic. Inbound rules control traffic entering the
system.
The net effect would be improved security. This is because of the nature of NACL rules. These
are evaluated in incremental order, starting from the lowest-numbered rule. If the rule and the traffic
match, that rule is applied even if the higher-numbered rule does not match it.
Based on the match, the traffic is either allowed or denied.
2. Click the Outbound Rules tab and notice that it shows two similar rules with similar
configurations. Click the Subnet associations tab. How many subnets are listed here?
There are no subnets listed.
3. In the navigation pane, click Security Groups. Unless you’ve been deleting security
groups along the way, you should have a few groups listed here. First check a default
security group, and examine the inbound and outbound rules. Notice that there is no
setting for “Allow” or “Deny.” Any traffic referenced by a rule is allowed. Traffic not
referenced by a rule is not allowed. What traffic is allowed in this security group?
A security group controls the traffic that is allowed to reach and leave the resources that it is
associated with. For example, after you associate a security group with an EC2 instance, it
controls the inbound and outbound traffic for the instance. You can associate a security group
only with resources in the VPC for which it is created.
4. Click a security group created by a launch wizard. Launch-wizard security groups are
created when you spin up a new VM. You’ve probably deleted the relevant VMs, but
the security groups are still present unless you’ve been deleting these along the way.
The traffic that is allowed in a launch-wizard security group is determined by the
permission settings you configured on that VM, such as allowing SSH or RDP for
remoting in to the VM. What inbound traffic is allowed for this launch-wizard
security group? Based on this information, what OS do you think that VM had or has
(if it still exists)?
All traffic; Windows is the OS.
5. Create a new VPC, a subnet within that VPC, and a VM instance in that subnet.
Check the following details as you create the VM:
1. On the Step 3: Configure Instance Details page, make sure to associate
the VM with your new VPC, not your account’s default VPC.
2. On the Step 6: Configure Security Group page, choose to select an
existing security group instead of creating a new security group. You
should be offered the default security group for your new VPC.
6. While the VM is initializing, return to the VPC dashboard and check the rules created
by default for your new VPC’s NACL and security group. It might be helpful to write
down the first few digits of the VPC ID in order to identify the correct NACL and
security group. What traffic is currently allowed to this VPC and its instance?
All Traffic
7. Practice creating a higher-priority NACL rule that would specifically allow inbound
RDP or SSH traffic, depending on the OS you chose for your VM. Make sure you
choose the NACL assigned to the VPC you created earlier in this project. On the
NACL’s Inbound Rules tab, click Edit inbound rules. Notice the priority for the
existing rule, and then click Add Rule. Choose a higher priority rating for your new
rule—remember that higher priorities use lower numbers. What priority did you
choose?
I used Rule Number 20 with Custom TCP and that is the highest priority.
8. Under Type, choose Custom Protocol Rule. Under Protocol, scroll through the list.
What are two protocols that you recognize in this list?
I recognize TCP and UDP.
9. Select TCP (6). Under Port Range, enter the port number for the protocol you need.
What is the port for SSH? What is the port for RDP? Save your new rule.
The port for SSH is 22 and the port for RDP is 3389.
10. Practice creating a new security group that only allows inbound RDP or SSH traffic,
depending on the OS you chose for your VM. On the Security Groups page, click
Create security group. Give the security group a name, such as MySG-1, and a
description, such as RDP traffic only or SSH traffic only. Assign the security group to
the VPC you created in this project.
11. On the Inbound Rules tab for this new security group, click Edit rules, and then click
Add Rule. Under Type, select Custom TCP Rule. Enter the port number for SSH or
RDP, depending on the OS you used for your VM. Under Source, select My IP.
What happens?
It shows my IP source as 70.93.225.232/32.
12. Give the rule a description that would help you identify its purpose in a long list of
security rules. This is good practice for later when you’ll be managing many NACL
and security rules, and you won’t necessarily remember why you created any specific
rule. What description did you give the rule? Click Save rules and click Close.
RDP traffic only
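The following simulation is an added example, not part of the lab text and not AWS code: it models how the NACL rules from questions 1 and 7 to 9 and the security group from questions 10 to 12 are evaluated for one inbound connection. The rule number 20, ports 22 and 3389, the "RDP traffic only" description and the 70.93.225.232/32 source are the values from the answers above; the second source address 198.51.100.7 and the packets themselves are constructed for the demo. The default NACL contents (rule 100 allow all, "*" deny all) are as the console shows them.

```python
"""Simulation of AWS inbound evaluation: subnet NACL first, then the instance's
security group. Constructed example; not AWS code or the lab's own material."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NaclRule:
    number: Optional[int]  # None stands for the catch-all "*" rule, always evaluated last
    protocol: str          # "all", "tcp" or "udp"
    port_from: int
    port_to: int
    cidr: str
    action: str            # "allow" or "deny"

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if not (self.port_from <= port <= self.port_to):
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)


@dataclass
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    cidr: str
    description: str = ""  # the lab asks for a description that explains the rule's purpose

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        return (self.protocol == proto
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr))


def evaluate_nacl(rules: List[NaclRule], proto: str, port: int,
                  src_ip: str) -> Tuple[str, Optional[int]]:
    """NACL semantics: rules are checked in ascending rule-number order and the
    first match decides, so a low-numbered rule overrides any higher-numbered
    one. Returns (action, number of the rule that decided)."""
    numbered = sorted((r for r in rules if r.number is not None), key=lambda r: r.number)
    catch_all = [r for r in rules if r.number is None]
    for rule in numbered + catch_all:
        if rule.matches(proto, port, src_ip):
            return rule.action, rule.number
    return "deny", None  # only reached if no "*" rule is present


def evaluate_sg(rules: List[SgRule], proto: str, port: int, src_ip: str) -> str:
    """Security-group semantics: rules can only allow; traffic not referenced by
    any rule is dropped, and rule order does not matter."""
    return "allow" if any(r.matches(proto, port, src_ip) for r in rules) else "deny"


def inbound_allowed(nacl: List[NaclRule], sg: List[SgRule], proto: str,
                    port: int, src_ip: str) -> bool:
    """A packet reaches the instance only if both layers allow it."""
    return (evaluate_nacl(nacl, proto, port, src_ip)[0] == "allow"
            and evaluate_sg(sg, proto, port, src_ip) == "allow")


# Default NACL as shown in the console: rule 100 allows all, "*" denies all.
DEFAULT_NACL = [
    NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow"),
    NaclRule(None, "all", 0, 65535, "0.0.0.0/0", "deny"),
]

# The lab's added rule: number 20, TCP 3389 (RDP), evaluated before rule 100.
LAB_NACL = [NaclRule(20, "tcp", 3389, 3389, "0.0.0.0/0", "allow")] + DEFAULT_NACL

# MySG-1 from the lab: RDP only, from the "My IP" /32 source.
MYSG_1 = [SgRule("tcp", 3389, 3389, "70.93.225.232/32", "RDP traffic only")]

if __name__ == "__main__":
    samples = [("tcp", 3389, "70.93.225.232"),   # RDP from the lab's own IP
               ("tcp", 3389, "198.51.100.7"),    # RDP from a constructed other IP
               ("tcp", 22, "70.93.225.232")]     # SSH from the lab's own IP
    for proto, port, src in samples:
        print(proto, port, src,
              "nacl:", evaluate_nacl(LAB_NACL, proto, port, src),
              "sg:", evaluate_sg(MYSG_1, proto, port, src),
              "reaches instance:", inbound_allowed(LAB_NACL, MYSG_1, proto, port, src))
```

Running it shows the two layers behaving differently: on the default NACL every packet hits rule 100 before the "*" deny, rule 20 decides RDP ahead of rule 100 once it is added, and the security group, which has no deny rules at all, drops RDP from any source other than the /32 and drops SSH entirely because no rule references port 22.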
13. Return to the EC2 dashboard, and check the detailed description of your instance,
which should be running by now. What is the instance’s private IP address?
10.0.0.86
14. Does the instance have a public IP address? Thinking back to what you’ve learned
over the past few modules, why do you think this is?
No, it does not have a public IP address. I believe it is because AWS does not assign a public IP
address to instances launched in a nondefault subnet.
15. Change the instance’s security group to the one you just created. To do this, click
Actions, point to Networking, and click Change Security Groups. What security
group is currently assigned to the VM?
The group assigned is the default, with the security group ID sg-0ba5e7f055203fe6c.
16. Select the new security group. Are you able to assign both security groups to this one
VM?
Yes.
17. Scroll through the navigation pane for the EC2 Dashboard. Of the security resources
you used in this project, which one can you manage from the EC2 Dashboard?
I can manage both groups from the dashboard.
18. Delete all of the resources you created in this project—including the VPC, subnet,
VM, the VPC’s default NACL, and both security groups. In what order did you delete
these resources? What error messages did you encounter? How did you handle these
problems? Check through your account to confirm that all related resources have
been deleted.
I terminated the VM, deleted the security groups, deleted NACL rules and the NACL, and then
deleted the subnet and then the VPC. I did not encounter any errors.