
Background

My company has bought a SaaS product which is hosted in the vendor's AWS environment. The product has a website dashboard which is currently only accessible from within the vendor's AWS environment. Access to the vendor's AWS environment is tightly controlled by the vendor.

Right now my users are able to access that dashboard by using Amazon Workspaces provisioned by the vendor. However, the Workspaces have a limited number of accounts for my company. My company would like to make this dashboard widely accessible within my company and not restricted by the number of Workspaces accounts.

Question

My company has our own AWS account as well, but it is currently not linked to the vendor's VPC/AWS environment at all. Can we build something in our own AWS account (probably with a PrivateLink to the vendor's VPC?) such that my users can securely access the vendor's dashboard via our own AWS environment? If there is a possible way to do this, what are the AWS services required on both sides?

My objective is to ensure this dashboard is not exposed to the Internet and yet all my company's users can view it without having Workspaces credentials.

xzk
  • this may help you https://stackoverflow.com/questions/14278698/restrict-access-to-website-hosted-on-s3 – Avinash Dalvi Jun 02 '20 at 14:37
  • You don't need PrivateLink, you just need a basic VPC peering setup, but any solution is going to require changes on the vendor side for the network changes – jordanm Jun 02 '20 at 14:47
  • If you are looking to completely avoid the vendor, you could potentially do SSH tunnels through the workspace instances. – jordanm Jun 02 '20 at 14:48
  • @jordanm Thank you for the advice. Firstly, the vendor's VPC has multiple applications which are not meant for external access from our company's AWS network. What we have agreed upon with the vendor is only the dashboard sharing. VPC peering would expose everything within that VPC to us, which I don't think the vendor would agree to. I can ask again but the chance is small. Secondly, the Workspaces are provisioned by the vendor. All we have is a login username and password for the Workspaces, that's all. We are unable to SSH into them. – xzk Jun 02 '20 at 15:01

2 Answers


As per your comment, you would want to use AWS PrivateLink to solve this problem.

By doing this, the only resource shared is an endpoint to access the service.

This would be accessible over VPN too, which should grant you access from on-premises.

Chris Williams
  • Thank you for the suggestions! :) If we were to use PrivateLink, can the endpoint expose the entire dashboard to us? From our side, how do we consume that endpoint in order to render the dashboard? – xzk Jun 02 '20 at 15:13
  • Hi, when you create it you have the ability to create a private DNS name: https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html#vpc-service-private-dns. By accessing this you can access your dashboard. A small caveat is that the application will need to be load balanced behind an NLB. – Chris Williams Jun 02 '20 at 15:46

If I understood your question correctly, what you are looking for looks a lot like "How can I access an API Gateway private REST API in another AWS account using an interface VPC endpoint?". The link includes the steps to get access to a private REST endpoint in another account.

It uses VPC interface endpoints which are themselves built on top of PrivateLink.

You may also have a look at "Endpoint Service", which contains some more scenarios.

rph
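Both answers describe the same PrivateLink layout: the vendor publishes an endpoint service fronted by an NLB, and the consumer creates an interface endpoint in its own VPC with private DNS. As an added example (not code from either answerer, the vendor, or AWS), here is that layout in Terraform; the provider aliases, region, variable values and the dashboard.vendor.example name are assumed placeholders.

```hcl
provider "aws" {
  alias  = "vendor"
  region = "ap-southeast-1"   # placeholder; both sides must be in the same region
}
provider "aws" {
  alias  = "consumer"
  region = "ap-southeast-1"
}

variable "consumer_account_id" { type = string }       # your AWS account ID
variable "vendor_nlb_arn"      { type = string }       # internal NLB already fronting the dashboard
variable "consumer_vpc_id"     { type = string }
variable "consumer_vpc_cidr"   { type = string }
variable "consumer_subnet_ids" { type = list(string) } # private subnets that receive the endpoint ENIs

# Vendor account: publish ONLY the dashboard's NLB as an endpoint service.
# Unlike VPC peering, nothing else in the vendor VPC becomes reachable.
resource "aws_vpc_endpoint_service" "dashboard" {
  provider                   = aws.vendor
  acceptance_required        = true   # vendor approves each connection request
  network_load_balancer_arns = [var.vendor_nlb_arn]
  allowed_principals         = ["arn:aws:iam::${var.consumer_account_id}:root"]
  private_dns_name           = "dashboard.vendor.example" # placeholder; vendor must prove domain ownership
}

# Consumer account: allow only HTTPS from inside your VPC to the endpoint ENIs
# (add your on-premises or VPN CIDR here if those users should reach it too).
resource "aws_security_group" "dashboard_endpoint" {
  provider = aws.consumer
  name     = "vendor-dashboard-endpoint"
  vpc_id   = var.consumer_vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.consumer_vpc_cidr]
  }
}

# Consumer account: the interface endpoint that consumes the vendor's service.
resource "aws_vpc_endpoint" "dashboard" {
  provider            = aws.consumer
  vpc_id              = var.consumer_vpc_id
  service_name        = aws_vpc_endpoint_service.dashboard.service_name # in practice the vendor sends you this
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.consumer_subnet_ids
  security_group_ids  = [aws_security_group.dashboard_endpoint.id]
  private_dns_enabled = true   # dashboard.vendor.example resolves to the endpoint inside your VPC
}
```

With acceptance_required set, the endpoint stays in pendingAcceptance until the vendor accepts the connection (for example with an aws_vpc_endpoint_connection_accepter resource in their account), and private DNS only works once the vendor has verified ownership of the name.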