PaaS Security Archives - AWS Security Architect
https://awssecurityarchitect.com/category/paas-security/
Experienced AWS, GCP and Azure Security Architect

Accessing PaaS Services on AWS via Endpoints
https://awssecurityarchitect.com/paas-security/accessing-paas-services-on-aws-via-endpoints/
Sun, 25 Sep 2022 06:51:29 +0000

Also read: which PaaS services require a VPC

Accessing PaaS Services on AWS

AWS services like EC2, RDS, and ElastiCache come with an Elastic Network Interface (ENI), which enables communication from within your VPCs.

However, many AWS services have no ENI in your VPC and expose only a REST API, which by default is reached over the Internet. These include S3, DynamoDB, CloudWatch, SQS, and Kinesis.

There are three options to make these services accessible from private subnets:

  • Gateway Endpoints are free of charge but are available only for S3 and DynamoDB.
  • An Interface Endpoint costs $7.20 per month per AZ plus $0.01 per GB and is available for most AWS services.
  • A NAT Gateway can be used to reach AWS services or any other service with a public API. It costs $32.40 per month per AZ plus $0.045 per GB.
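The two endpoint options above, as an added CloudFormation example (this is not code from the original post). It creates a free gateway endpoint for S3 whose endpoint policy limits the private subnets to one bucket, and a paid interface endpoint for SQS fronted by a security group that admits HTTPS only from inside the VPC. The parameter names (VpcId, VpcCidr, PrivateRouteTableId, PrivateSubnetIds, AppBucketName) are assumptions made for this example.

```yaml
# Added example, not from the original post. Parameter names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Private-subnet access to S3 (gateway endpoint) and SQS (interface endpoint)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
  PrivateRouteTableId:
    Type: String
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  AppBucketName:
    Type: String

Resources:
  # Option 1: gateway endpoint (free; S3 and DynamoDB only). A route to the S3
  # prefix list is added to the private route table; the endpoint policy limits
  # which buckets can be reached through it, so a host in the private subnet
  # cannot use the endpoint to write to an arbitrary bucket.
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PrivateRouteTableId
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
            Resource:
              - !Sub arn:aws:s3:::${AppBucketName}
              - !Sub arn:aws:s3:::${AppBucketName}/*

  # Option 2: interface endpoint (billed per AZ-hour and per GB). It places an
  # ENI in each listed private subnet; the security group controls who may reach
  # it on 443, and private DNS makes the regular sqs.<region>.amazonaws.com name
  # resolve to the ENI's private IP instead of a public address.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from inside the VPC to the SQS interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  SqsInterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
```

After deploying with `aws cloudformation deploy`, a quick check from an instance in one of the private subnets is `aws s3 ls s3://<AppBucketName>` succeeding while listing any other bucket fails with AccessDenied: that confirms traffic is taking the endpoint and that the endpoint policy, not just IAM, is bounding what the subnet can reach.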

Accessing PaaS Services – Summary

Depending on the service, one or more of these options may be available for access from private subnets. This post described the three options along with their costs.

For an advanced AWS security consultation, please Contact AWS Security Architect

AWS – Which PaaS services require a VPC?
https://awssecurityarchitect.com/paas-security/aws-which-paas-services-require-a-vpc/
Sat, 24 Sep 2022 08:52:24 +0000

Several PaaS services use the compute platform (Compute Engine on GCP and EC2 on AWS). These services ARE actually part of your VPC, even though it may seem like they are not (due to the misconception that PaaS means global…).

On GCP, these would include:

App Engine, App Engine Flex, Cloud SQL, and Dataproc, among others.

On AWS, these would include:

  • AWS Elastic Beanstalk
  • Amazon RDS
  • Amazon EMR
  • Amazon Redshift

So, which PaaS services DO NOT belong in a VPC?

  • Cloud Storage on GCP and S3 on AWS are storage services that are always accessible from the Internet (there IS a way to block off the public IP).
  • You never have to spin up an S3 instance the way you do an RDS instance. It does not belong in the VPC. Compute Engine instances and EC2 instances need to be able to access the Internet, or access VPC endpoints, to reach S3 / Cloud Storage.
  • Serverless functions (Lambda on AWS, Cloud Functions on GCP) CAN be connected to a VPC (by default, they are not). If connected to a VPC, they can only access resources within the VPC (or use a NAT Gateway for access to the Internet). If not connected to a VPC, Internet access is direct.
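The last point, a Lambda function attached to a VPC, as an added CloudFormation example (not code from the original post). The function is placed in private subnets with a security group whose only egress rule points at the S3 gateway endpoint's prefix list, so it can read its bucket but has no path to the Internet and no NAT Gateway. It assumes the S3 gateway endpoint already exists and that VpcId, PrivateSubnetIds, S3PrefixListId and AppBucketName are supplied as parameters; those names are assumptions for this example.

```yaml
# Added example, not from the original post. Assumes an S3 gateway endpoint
# already exists in the VPC; parameter names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: VPC-connected Lambda whose only network path is the S3 gateway endpoint

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  S3PrefixListId:
    Type: String
    Description: Prefix list ID of the regional S3 service (pl-... from describe-prefix-lists)
  AppBucketName:
    Type: String

Resources:
  # Declaring SecurityGroupEgress replaces the default allow-all egress rule, so
  # the function can only open HTTPS connections to S3's IP ranges. The gateway
  # endpoint route in the private route table keeps those inside the AWS network.
  FunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Egress only to the S3 prefix list
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationPrefixListId: !Ref S3PrefixListId

  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs permissions plus the ec2 network-interface permissions
        # Lambda needs to place its ENIs in the subnets below.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: ReadAppBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${AppBucketName}/*

  PrivateFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt FunctionRole.Arn
      Timeout: 10
      # VpcConfig is what connects the function to the VPC; without it the
      # function keeps direct Internet access and cannot see VPC resources.
      VpcConfig:
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds:
          - !Ref FunctionSecurityGroup
      Environment:
        Variables:
          BUCKET: !Ref AppBucketName
      Code:
        ZipFile: |
          import os
          import boto3

          def handler(event, context):
              # S3 is reached through the gateway endpoint. Any other outbound
              # connection has neither a security-group rule nor a route, so
              # it simply times out: there is no NAT Gateway in this design.
              s3 = boto3.client("s3")
              obj = s3.get_object(Bucket=os.environ["BUCKET"], Key=event["key"])
              return {"bytes": len(obj["Body"].read())}
```

The prefix list ID for the parameter comes from `aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.<region>.s3`. Pinning egress to that list rather than to 0.0.0.0/0 is the difference between "the function can only talk to S3" and "the function can talk to anything the route table allows", which matters when a dependency in the deployment package turns out to phone home.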

Summary
