EC2 Security Archives - AWS Security Architect

EC2 Agents – URLs and IPs allowlist

anuj varma — Fri, 17 Oct 2025 15:38:25 +0000

EC2 Agents: CIDR vs FQDN (Wildcard) Allowlists — with Ansible & Rapid7 Examples + SG/NACL Capabilities

Executive Summary

CIDR allowlists control who (IPs) can talk to your instances, ideal for inbound automation traffic you own (Ansible control nodes, bastions, VPN egress).

FQDN / wildcard allowlists control where (domains) your instances/agents can call out to — essential for SaaS backends that sit behind CDNs/anycast (e.g., *.rapid7.com) whose IPs change.

Rule of thumb: Use Security Groups for precise, stateful, instance-level CIDR control (inbound + outbound). Use NACLs for coarse, subnet-level gates. Use a DNS-aware firewall/proxy (or AWS Network Firewall) for domain/wildcard egress control. SGs/NACLs cannot match hostnames.

Security Groups vs NACLs — What They Allow (and Don’t)

Feature	Security Groups (SG)	Network ACLs (NACL)
Type	Stateful, attached to ENIs/instances	Stateless, applied to subnets
Direction	Inbound + Outbound; return traffic auto-allowed	Inbound + Outbound; return traffic must be explicitly allowed
Matching	By CIDR/IP or SG references (same VPC); no FQDN	By CIDR/IP only; no FQDN, no SG refs
Evaluation	Set-based, implicit deny if no match	Numbered rules, first match wins
Granularity	Fine-grained per-instance/role	Coarse, per-subnet boundary
Logging	No native decision logs (use VPC Flow Logs to observe traffic)	No per-rule logs (use VPC Flow Logs)
What They’re Great At	Microsegmentation, app tiers, restricting admin ports (SSH/WinRM)	Global subnet allow/deny baselines (e.g., block known-bad CIDRs)
Limitations	No FQDN/wildcards, no DPI/TLS intercept, no user-aware auth	No FQDN/wildcards, stateless complexity, subnet-wide scope

Security Groups — You Can:

Restrict inbound SSH/WinRM to known CIDRs or referenced SGs.
Limit outbound by port and CIDR (e.g., only 80/443 to NAT).
Express tier-to-tier rules with SG references (web → app → db).

Security Groups — You Cannot:

Match FQDNs/wildcards (e.g., *.rapid7.com).
Do DPI, TLS inspection, or user/session-aware decisions.
Produce per-rule decision logs (observe via VPC Flow Logs instead).

NACLs — You Can:

Set coarse subnet boundaries (deny/allow by CIDR/port).
Block obvious inbound vectors at the subnet edge.
Use rule numbering for deterministic first-match behavior.

NACLs — You Cannot:

Match FQDNs/wildcards or reference SGs.
Rely on state; explicitly allow return traffic/ephemeral ports.
Target individual instances (NACLs affect the whole subnet).

When to Use CIDR vs FQDN (Wildcard)

CIDR/IP Allowlists — Use When

Controlling inbound admin access to EC2 (SSH/WinRM/RPC).
Your control plane has static egress (bastion, VPN, Ansible Tower).
You need deterministic peer-to-peer app tier microsegmentation.

FQDN/Wildcard Allowlists — Use When

Agents must call outbound to SaaS/CDN (dynamic IPs, anycast).
Vendor publishes hostnames and requires HTTPS/TLS without interception.
You need stable policy that survives provider IP rotation.

Example A — Ansible (Agentless)

Traffic Pattern

Linux targets: Ansible control node → EC2 over SSH 22/tcp.
Windows targets: control node → EC2 over WinRM 5986/tcp (TLS) (or SSH on supported builds).

What to Allow

Target EC2 Security Group (Inbound):
- Allow 22/tcp from your control-node/bastion CIDR(s) (Linux).
- Allow 5986/tcp from your control-node/bastion CIDR(s) (Windows).
Outbound on targets: allow to OS/package mirrors (or route via your internal repo/proxy).
Control node egress: optionally allow to Galaxy/PyPI or pin to internal mirrors.

Why CIDR Fits

Ansible is push-based and agentless. You own the control-plane IPs; the key is restricting inbound management ports on targets. No vendor SaaS domains are required for the automation channel itself.

Checklist (Opinionated)

[ ] Target SG: 22/tcp (Linux) from control-node CIDR(s) only.
[ ] Target SG: 5986/tcp (WinRM TLS) from control-node CIDR(s) only.
[ ] Prohibit 0.0.0.0/0 on management ports; prefer bastion + SG referencing.
[ ] Outbound to package mirrors (via NAT/proxy or internal repos).

Example B — Rapid7 Insight Agent (Agent-Based)

Traffic Pattern

EC2 → Rapid7 cloud over HTTPS 443 to region-specific hostnames (beaconing, telemetry, updates, uploads).
Optional Collector: EC2 → Collector on 5508, 6608, 8037; Collector → Rapid7 over 443.
Vendors commonly require no SSL interception (preserve certificate chain/TLS pinning).

What to Allow

Outbound (from EC2 or through your proxy/NAT): allow 443/tcp to documented Rapid7 endpoints for your region (often expressed as wildcards such as *.endpoint.ingress.rapid7.com, *.insight.rapid7.com).
If using Collector: allow EC2 → Collector ports 5508/6608/8037, and Collector egress 443 to Rapid7.

Why FQDN/Wildcard Fits

The Rapid7 backend is SaaS and frequently CDN/anycast fronted; IPs change. IP-based allowlists are brittle. Enforce hostname/wildcard egress on a DNS-aware proxy or AWS Network Firewall. SGs/NACLs can’t match FQDNs.

Checklist (Opinionated)

[ ] Outbound SG: permit 443/tcp to Internet via NAT/proxy.
[ ] Egress firewall/proxy policy: allow Rapid7 hostnames/wildcards; exclude from SSL inspection per vendor guidance.
[ ] If Collector: open 5508/6608/8037 to the Collector; allow Collector egress 443.

AWS-Native Controls — Putting It Together

For Ansible

Security Groups: precise inbound CIDR to 22 / 5986.
NACLs: optional subnet baseline (coarse allow/deny).
Egress: to repos/mirrors via NAT/proxy (optional domain control there).

For Rapid7 (and similar SaaS agents)

The post EC2 Agents – URLs and IPs allowlist appeared first on AWS Security Architect.

How to Ensure All Client Browsers Go Through Cloudflare to Access JavaScript

anuj varma — Thu, 26 Jun 2025 21:43:44 +0000

How to Ensure All Client Browsers Go Through Cloudflare to Access JavaScript

1. Serve JavaScript from a Cloudflare-Proxied Domain

Start by hosting your JavaScript file behind a custom domain, such as static.yourdomain.com, and point this domain to your EC2 server, S3 bucket, or API Gateway endpoint.

Then, onboard this domain into Cloudflare and enable proxying (orange cloud icon in DNS settings). This ensures all requests to the JS file go through Cloudflare’s edge network.

2. Block Direct Access to the Origin

To prevent bypassing Cloudflare and directly hitting your origin (e.g., EC2 public IP or API Gateway URL), restrict access to only allow Cloudflare traffic.

a. On EC2 (Web Server IP Filtering)

Use Cloudflare’s IP ranges to configure your server or firewall. Only allow traffic from these ranges and deny everything else.


allow 173.245.48.0/20;
allow 103.21.244.0/22;
deny all;

You can apply these rules in your web server configuration (e.g., Nginx) or in your AWS EC2 security group inbound rules.

b. On API Gateway

Set up a CloudFront distribution in front of your API Gateway, and configure it so that only Cloudflare can reach CloudFront. You can enforce this using AWS WAF or Lambda@Edge to check for Cloudflare-specific headers (such as cf-connecting-ip).

3. Use a Firewall or AWS WAF to Enforce Cloudflare Traffic Only

Implement additional protections by verifying that incoming requests come from Cloudflare’s IP ranges or include a custom header added by Cloudflare (like X-From-Cloudflare: yes).

Using AWS WAF, you can block any request that doesn’t match these criteria.

4. Add Token or Cookie Validation for Extra Security

You can make the JavaScript file accessible only when a valid token or Cloudflare-managed cookie is present. This is useful if you want to require a challenge like CAPTCHA before download.

Use Cloudflare tools such as:

Cloudflare Bot Management
Firewall Rules with Cookie or Header matching
Page Rules for rate limiting or access control

Summary

Step	Action
1	Host JavaScript behind a domain proxied by Cloudflare
2	Block all direct access to origin (EC2, S3, or API Gateway)
3	Allow only Cloudflare IPs via web server or security group
4	Optionally require custom headers, WAF rules, or tokens
5	Use Cloudflare features like CAPTCHA or rate limiting

The post How to Ensure All Client Browsers Go Through Cloudflare to Access JavaScript appeared first on AWS Security Architect.

AWS EC2 – Proceed without Key Pair

anuj varma — Sun, 11 Dec 2022 14:10:52 +0000

While creating the instance , you will be prompted to “Proceed without key pair” . You can still connect to the instance provided:

the sshd in your AMI is configured to use password based authentication

The post AWS EC2 – Proceed without Key Pair appeared first on AWS Security Architect.

AWS Backups using SSM doc and bash

anuj varma — Thu, 27 Oct 2022 16:50:34 +0000

How do I kick off a command line based backup job (AWS backup job) from an SSM Doc?

Create your SSM managed EC2 instance (with the SSM agent installed). (SSM agent is pre-installed on AWS AMIs, and needs to be installed on custom AMIs).
Use the python script provided in this repo.
Call the python script from a Command line (for testing purposes). Execution : python ec2_volume_snapshot.py
Once tested from the command line, use a bash script to wrap the python command above. The bash script lives in the SSM doc. It runs on the linux OS on an EC2 that is SSM managed.

Sample python program to call aws backup service and perform a backup

import subprocess
import sys
import boto3

def execute_shell_commands(commands):
MyOut = subprocess.Popen(commands,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
stdout,stderr = MyOut.communicate()

#for command in commands:
command_string = ” “.join(commands)
print(“Command executed : %s” % command_string)
if stdout is not None:
stdout = stdout.decode(“utf-8”)
print(“Stdout :\n%s” % stdout)
if stderr is not None:
stderr = stderr.decode(“utf-8”)
print(“Stderr :\n%s” % stderr)

# Run pre-script
execute_shell_commands([‘sudo’, ‘service’, ‘apache2’, ‘stop’])

volume_id = sys.argv[1]

region_name = sys.argv[2]

ec2 = boto3.resource(‘ec2’, region_name=region_name)
volume = ec2.Volume(volume_id)
snapshot = volume.create_snapshot()
snapshot.wait_until_completed()

ec2_client = boto3.client(‘ec2’, region_name=region_name)
snapshot_details = ec2_client.describe_snapshots(SnapshotIds=[snapshot.id])
print(“Snapshot details :\n%s” % snapshot_details)

# Run post-script
execute_shell_commands([‘sudo’, ‘service’, ‘apache2’, ‘start’])
execute_shell_commands([‘sudo’, ‘service’, ‘apache2’, ‘status’])

Sample bash script (in SSM doc) to call a python command

#!/bin/bash

MYSTRING="Do something in bash"
echo $MYSTRING

python - << EOF
myPyString = "Do something on python"
print myPyString

EOF

echo "Back to bash"

The post AWS Backups using SSM doc and bash appeared first on AWS Security Architect.

AWS SSM Connect for no ingress EC2 instances

anuj varma — Sun, 25 Sep 2022 06:15:24 +0000

No Ingress EC2 is a great security option to completely block off all access to an EC2 instance. How then, will management users connect to this instance?

This is a brief post on how to connect to a completely cut off EC2 instance – which is in a private subnet and also has a no ingress Security Group attached.

Attach the SSM Managed Policy to the EC2 instance

ssm policy for EC2

Launch and Test the Instance

From the EC2 console, launch an EC2 instance (Windows Server)
Create a private subnet with no Internet Gateway
Create a security group with no ingress ports
Configure or attach with no-ingress security group, and the SSM IAM role created earlier
Ensure that the Windows EC2 instance has SSM Agent running by viewing it in AWS Systems Manager
Connect to source EC2 instance via “EC2 Connect”
Apply this command for enabling AWS SSM Port forwarding option to a local port (We are mapping the remote desktop port of windows EC2 port 3389 to 3340 of the localhost)

aws ssm start-session --target <> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["<>"]}' --region <> Testing it out Telnet to Port(3640 in this example) telnet localhost 3690

Summary

No Ingress EC2 instances are a great way to protect access to your instances on AWS. For an advanced security consultation, please Contact AWS Security Architect

The post AWS SSM Connect for no ingress EC2 instances appeared first on AWS Security Architect.

Protecting EC2 instances on AWS – Basic EC2 Security

anuj varma — Sat, 24 Sep 2022 16:25:55 +0000

Access to EC2 instances via Systems Manager Only (Management Access)

Management of EC2 instances should be via Systems Manager (SSM).
No Ingress EC2 instances to be created with SSM enabled.
This saves the whole headache of whitelisting allowed IP Addresses to manage EC2 instances

No Public IP on EC2 Instances (Public/End User Access)

EC2 Instances that need to be public facing should be front ended with a Load Balancer. A load balancer should expose the public IP, instead of the EC2.

Summary

IaaS based Compute is the most used service alongside Storage. Protecting Management Level access as well as public access is key to these instances is key to ensuring a secure AWS environment.

For an advanced security consultation, please Contact AWS Security Architect

The post Protecting EC2 instances on AWS – Basic EC2 Security appeared first on AWS Security Architect.