Bill Herde
Manage an AWS SQL Server without an EC2 instance for an SSH tunnel
Bear with me, I am a noob on AWS. I want to properly secure an RDS instance by following the best practices and putting it on a subnet group that does not have a gateway to the internet. The methods described for managing the instance involve using a web server in a subnet that does have a gateway to create an SSH tunnel to it. All well and good until the design is to use S3 as a web server, and an API to call a Lambda function that actually does something. Not having an EC2 instance running, I am unable to find a way to manage and restore data to the RDS instance once it is placed in the secure subnet.
As a workaround, I have created an ACL that whitelists my office IP for port 1433 and still have the RDS instance attached to the default VPC.
ASKER
Fail2ban looks to be something that runs on a Linux engine. I don't see where I can set it up to protect access to my S3 or RDS without an EC2 instance running. Am I missing something here?
Where is the Remote Desktop Server? On-prem or on an EC2 instance?
S3 is simply storage.
Where is SQL Server: AWS SQL Server, EC2 instance, on-premises?
RDS needs internet access somehow.
https://github.com/glasnt/wail2ban provides a Windows port of Fail2Ban.
ASKER
@David Johnson, that is the point. S3 is not simply storage. There is a button to use it as a static web page. AWS will publish an http (probably https as well) URL that can be used for browser access. You just tell it what you want to be the start file (index.html) and it works without any EC2 charges. Then, with the browser making the calls through API Gateway to a Lambda function, the whole thing runs only when needed, and scales up and out all by itself. The only thing we need to tune is the memory and run time for the Lambda function. So charges will be for S3, RDS, and Lambda only.
BUT, that means there is nothing in there running a compute resource that is on all the time for doing things like an SSH tunnel or a Fail2ban firewall. There is a Web Application Firewall that can be enabled on the bucket/web page, but it is simple ACL only. Still no means to route SSH to the RDS instance. At this juncture it appears the only way to do this is to define a network ACL with a whitelist for port 1433, and keep RDS in subnets with a gateway, which is not in line with AWS best practices.
@David Favor, Fail2ban looks like something I will be installing on all my web servers going forward, when there is a server to put it on. Thanks for bringing that tool to my attention.
ASKER
Thanks for the input guys. Points to D. Favor for flat out stating the AWS recommended way is overkill. I agree. I will be using the Web Application Firewall on the S3 webpage with standard NACL as well. I will keep the whitelist for port 1433 so my dev guys can manage the RDS instance. The final step to secure and control access (this is going to be a company only site) will be enabling encryption and managing who has keys.
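The whitelist the asker is keeping (TCP 1433 open only to the office address) is worth checking mechanically, because SQL Server exposed to 0.0.0.0/0 is the failure mode that makes reviewers nervous about RDS in a subnet with an internet gateway. The block below is an added example, not code from the thread or from AWS: it walks a dictionary shaped like the JSON that `aws ec2 describe-security-groups --output json` returns and reports every rule that can reach port 1433 from anything other than the approved office CIDR. The group IDs, names and addresses in the sample are constructed for illustration; a security group (stateful, attached to the RDS instance) is used rather than a subnet NACL because that is where the per-instance allow rule normally lives, but the same source/port logic applies to NACL entries.

```python
"""Audit EC2 security-group rules for SQL Server (TCP 1433) exposure.

Added example, not from the original thread. The input is a constructed
dictionary shaped like `aws ec2 describe-security-groups` output; the
group names, IDs and CIDRs are invented for illustration.
"""
import ipaddress

SQL_SERVER_PORT = 1433
OFFICE_CIDR = "203.0.113.10/32"  # assumed office egress address (TEST-NET-3 range)
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample: one group scoped to the office, one wide open
# (the second mimics a permissive "default" group).
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa111",
            "GroupName": "rds-mssql-office-only",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                 "IpRanges": [{"CidrIp": OFFICE_CIDR, "Description": "office"}],
                 "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0bbb222",
            "GroupName": "default",
            "IpPermissions": [
                # all protocols / all ports from anywhere
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": []},
                # high-port range that happens to include 1433, open to IPv6
                {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
    ]
}


def rule_covers_port(perm, port):
    """True if an IpPermission entry admits TCP `port`.

    "-1" means all protocols and all ports, so it always counts."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_sources(perm):
    """All IPv4 and IPv6 source networks named by an IpPermission entry."""
    nets = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
    nets += [ipaddress.ip_network(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    return nets


def audit_sql_exposure(groups, allowed_cidr, port=SQL_SERVER_PORT):
    """Return (group id, source cidr) for every rule that lets `port` in from
    a source that is not contained in `allowed_cidr`.

    An empty list means only the approved office address can reach SQL Server."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for net in rule_sources(perm):
                # subnet_of() only compares same-version networks; any other
                # address family is by definition not the office CIDR.
                same_family = net.version == allowed.version
                if net in (ANY_V4, ANY_V6) or not (same_family and net.subnet_of(allowed)):
                    findings.append((sg["GroupId"], str(net)))
    return findings


if __name__ == "__main__":
    for group_id, source in audit_sql_exposure(SAMPLE_GROUPS, OFFICE_CIDR):
        print(f"{group_id}: TCP {SQL_SERVER_PORT} reachable from {source}")
```

Against the sample the office-only group produces no findings, while the permissive group is flagged twice: once for the all-protocol rule from 0.0.0.0/0 and once for the 1024-65535 range from ::/0, which is the kind of rule that quietly includes 1433 without mentioning it. To run this against a real account, feed it `json.load()` of the CLI output instead of `SAMPLE_GROUPS`; also remember that the office address is only a useful boundary while the office egress IP is static.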
Aside: You said, "S3 is not simply storage. There is a button to use it as a static web page."
You must be very careful about doing this, as this will trigger the per-request/download fee + maybe the per-object lookup fee.
S3 != Web server
If you have an unlimited budget, use S3.
If you have a budget, use real hosting, like OVH or something similar.
Tip: Read through all the EE recent questions where people talk about Amazon Surprise Bills, which are very common for people first using AWS.
ASKER
Thanks. I will investigate!
You're welcome!
Be sure to have a 5 Figure cash reserve if you use S3 as Website storage, to cover your AWS Surprise Bills.
With AWS, the first time you get a $10K bill, rather than a $100 bill... that's an exciting day indeed...
ASKER
Indeed it does look like running a firewall product on the VPC would be a working solution and would simplify things quite a bit. My on-prem systems are all behind Cisco firewalls and I see there is an AWS equivalent available. That could possibly simplify interconnection for the dev group through a static VPN, or even a dial-up VPN as needed. Any input from the community on the firewall choices? I am reading up on Fail2ban now.