
In alignment with the documentation, I see that the default ACL on AWS allows all inbound traffic (rule no. 100, allowing all traffic, any protocol, all ports).

How is that safe? Why is that a meaningful default?

I am interested in minimal permissions to enable a Fargate task: the tasks apparently need a public IP address to be able to fetch a private repo from ECR (unless I want to set up my own NAT). Now, does the default ACL still keep the Fargate task secure, or open it up to 3rd-party inbound access?

KingOtto
  • You would have to ask AWS that, but in my opinion it's just one less thing one has to configure when launching an instance or something – Paolo May 16 '23 at 07:20
  • Your third option (and in my opinion, the best one) is a VPC endpoint – Paolo May 16 '23 at 07:22
  • I'm actually confused by the degree of what we have to configure. My "hello world" example won't run on Fargate without a public IP, because ECS can't fetch the repo from ECR (see error link above). Now even as a newbie user, I need to become a network admin pro and lock down inbound traffic, just to get my private repo to run on ECS... it's super confusing to me. I really just want an easy way to run a private repo as a private task. Do I really need to go through Private Link/VPC endpoint/line-by-line inbound traffic rule settings? – KingOtto May 16 '23 at 07:23
  • [Getting a public IP] and [ACLs and security groups allowing traffic] are unrelated to each other. Yes, networking in AWS is complicated if you have no experience with it. Same goes for IAM, you _need_ to understand it to get it to work properly. Not sure what the actual question is looking for. – luk2302 May 16 '23 at 07:24
  • Question is really: Does the ACL default open the Fargate task up to the Internet, i.e., allow inbound traffic? I want to run a private "hello world" without somebody else opening a connection to the Fargate task (and compared with networking, I find IAM a piece of cake - just my opinion. At least IAM has default AWS-managed policies & roles.. looks to me as if Fargate & ECR don't have a "private default" at all - not even the Batch tutorial works without going public) – KingOtto May 16 '23 at 07:26
  • ACLs are similar to traditional firewalls that ran on networking equipment. They could only limit traffic that flowed **between subnets**. However, in the Cloud there are now **Security Groups** that can operate on each individual resource. They are much more secure since they can control traffic between each resource rather than just subnets. Therefore, ACLs are typically left at their default "Allow All" setting and security is managed with Security Groups. ACLs are only needed for very specific needs, such as creating DMZs at the subnet level. – John Rotenstein May 16 '23 at 07:32
  • The default **security group** fits what you want: it allows outbound traffic from the instance, e.g. to ECR, but blocks inbound traffic. If you try to do this with NACLs you will be in trouble, because if you block incoming traffic there you will block the response from ECR reaching your instance. – luk2302 May 16 '23 at 07:33
  • Ok, so in a nutshell, could I summarize this as "Yes, ACL does not lock up your system - it is 'insecure'", but given that the security group settings apply on top of ACL (and the more restrictive of both policies applies), it makes the system overall secure? – KingOtto May 16 '23 at 07:33
  • To answer your second question.. use a VPC endpoint – Paolo May 16 '23 at 11:59

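The stateless-versus-stateful distinction the comments turn on, as an added Python model that is not part of the original post or of any AWS tooling: it evaluates the task's image pull from ECR and an unsolicited inbound connection against the default "allow all" network ACL and a default-style security group, and shows why a stateless ACL that blocks inbound also blocks ECR's reply. The addresses, ports and the `-1` "all ports" sentinel are constructed assumptions.

```python
"""Added model: a stateless network ACL versus a stateful security group,
applied to a Fargate task's image pull from ECR and to an unsolicited probe.
Addresses and ports are constructed sample values, not real AWS endpoints."""
from collections import namedtuple
from dataclasses import dataclass, field

# inbound=True means the packet arrives at the task's network interface
Packet = namedtuple("Packet", "src sport dst dport inbound")

@dataclass
class NetworkAcl:
    """Stateless: rules checked in rule-number order, first match wins, the
    implicit '*' rule denies. Replies are evaluated like any other packet."""
    inbound: list   # (rule_no, "allow"|"deny", port_lo, port_hi)
    outbound: list
    def allows(self, p: Packet) -> bool:
        for _, action, lo, hi in sorted(self.inbound if p.inbound else self.outbound):
            if lo <= p.dport <= hi:
                return action == "allow"
        return False

@dataclass
class SecurityGroup:
    """Stateful: only allow rules; a reply to a connection the task opened is let
    back in with no inbound rule. (Intra-group traffic of the real default group is not modelled.)"""
    inbound_ports: frozenset = frozenset()
    outbound_ports: frozenset = frozenset()   # {-1} means all ports (constructed sentinel)
    _tracked: set = field(default_factory=set)
    def allows(self, p: Packet) -> bool:
        if p.inbound:
            if (p.src, p.sport, p.dst, p.dport) in self._tracked:
                return True                   # reply to a tracked outbound flow
            return p.dport in self.inbound_ports
        if -1 in self.outbound_ports or p.dport in self.outbound_ports:
            self._tracked.add((p.dst, p.dport, p.src, p.sport))
            return True
        return False

TASK, ECR, STRANGER = "10.0.1.25", "192.0.2.10", "198.51.100.7"
PULL = [Packet(TASK, 49152, ECR, 443, False),        # task opens TLS to ECR
        Packet(ECR, 443, TASK, 49152, True)]         # ECR answers on the ephemeral port
PROBE = [Packet(STRANGER, 51234, TASK, 8080, True)]  # unsolicited third-party connection

def default_nacl() -> NetworkAcl:   # AWS default: rule 100 allows all, both ways
    return NetworkAcl([(100, "allow", 0, 65535)], [(100, "allow", 0, 65535)])
def default_sg() -> SecurityGroup:  # all outbound allowed, no inbound rule
    return SecurityGroup(outbound_ports=frozenset({-1}))
def evaluate(nacl, sg, packets) -> list:  # inbound: ACL then group; outbound: the reverse
    return [(nacl.allows(p) and sg.allows(p)) if p.inbound
            else (sg.allows(p) and nacl.allows(p)) for p in packets]
```

With the default ACL the pull succeeds and the probe is stopped by the security group alone; an ACL that denies all inbound drops ECR's reply, which is why hardening a stateless ACL needs an explicit allow for the ephemeral port range.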