2

I'm working with AWS and need some support please.

My team provisioned Direct Connect and we can now enjoy private connectivity from our corporate network to VPC on AWS.

Management is asking if it's possible that aws cli commands are executed through Direct Connect and not through the public internet. Indeed, we have a lot of scripts with a lot of commands like aws ec2 describe-instances and so on. I guess these calls the public REST API of EC2 service that AWS exposes.

They're asking if it's possible that these calls do not go through the public internet.

I've seen VPC endpoints? Are they the solution?

Ermiya Eskandary
  • 15,323
  • 3
  • 31
  • 44
nassou
  • 76
  • 3

2 Answers2

0

Refer to @jarmod's answer below for the answer to the question but read on for why I think this sounds like an XY problem.

There is no reason at all why management should be concerned.

Third-party auditors assess the security and compliance of AWS services as part of multiple AWS compliance programs. Using the AWS CLI to access a service does not alter that service's compliance - AWS has compliance programs which pretty much cover every IT compliance framework out there globally.

Compliance aside, the AWS CLI does not store any customer data (there should be no data protection concerns) & transmits data securely (unless you manually override this).

The user guide highlights this:

The AWS CLI does not itself store any customer data other than the credentials it needs to interact with the AWS services on the user's behalf.

By default, all data transmitted from the client computer running the AWS CLI and AWS service endpoints is encrypted by sending everything through a HTTPS/TLS connection.

You don't need to do anything to enable the use of HTTPS/TLS. It is always enabled unless you explicitly disable it for an individual command by using the --no-verify-ssl command line option.

As if that's not enough, you can also add increased security when communicating with AWS services by enforcing a minimum version of TLS 1.2 to be used by the CLI.

There should be targeting of much much bigger attack vectors, like:

  • The physical accessibility of the device storing the credentials
  • Permanent access tokens vs. temporary credentials
  • IAM policies associated with the credentials

The AWS CLI is secure.

Ermiya Eskandary
  • 15,323
  • 3
  • 31
  • 44
0

See How can I access my Amazon S3 bucket over Direct Connect? for how to do this with S3.

Basically:

After BGP is up and established, the Direct Connect router advertises all global public IP prefixes, including Amazon S3 prefixes. Traffic heading to Amazon S3 is routed through the Direct Connect public virtual interface. The public virtual interface is routed through a private network connection between AWS and your data center or corporate network.

You can extend this to other Amazon services, per the AWS Direct Connect FAQs:

All AWS services, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), and Amazon DynamoDB can be used with Direct Connect.

jarmod
  • 71,565
  • 16
  • 115
  • 122