4

Even when I create EC2 instances in a private subnet, they must be able to send traffic to the Internet if I want to register them to a ECS cluster.

I am using a NAT gateway to do this, but I still feel insecure that the instances can send private information to anywhere in case of takeover.

What would be the most compact CIDR range that I can use for the instances' security group, instead of 0.0.0.0/0?

kingkong
  • 41
  • 1
  • it seems that similar functionality will available soonish using VPC Endpoints, after you create endpoint you will be to restrict outbound traffic to particular service: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-security – b.b3rn4rd Jul 14 '16 at 07:33

2 Answers2

0

For the moment, you may have to rely on the list of public IP address ranges for AWS, allowing traffic bound for all the CIDR blocks associated with your region.

Part of design for resiliency of much of what AWS does relies on the ability of their service endpoints not to depend on static address assigments and instead to use DNS... but their service endpoints should always be on addresses associated with your region, since very few services violate their practice strict regional separation of service infrastructure.

(CloudFront, Route 53, and IAM do, maybe others, but these are provisioning endpoints, not operational ones. These provisioning-only endpoints do not need to be accessible for most applications to function normally.)

Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427
  • 1
    good answer Michael, did not know about publicly available list of AWS address ranges, this is really handy. – b.b3rn4rd Jul 14 '16 at 11:33
0

A super common pattern here is to create a proxy in a narrow CIDR and only allow outbound traffic to flow through the proxy. White-list AWS endpoints and log all traffic flowing through the proxy for monitoring/auditing.

AWS Endpoints = https://docs.aws.amazon.com/general/latest/gr/rande.html

freefood89
  • 301
  • 2
  • 9