That meant that we had to add the ssm-agent to all instances in our infrastructure, and update the IAM Role attached to the instances so they could access the AWS APIs the SSM Agent requires. The AWS Systems Manager Session Manager service requires an ssm-agent running on the instances it grants access to. If we only granted our engineers Terminal access, it would generate a lot of friction. SSH still has a lot of flexibility that developers need for developing, testing and troubleshooting. Port-forwarding, so we can use our existing SSH stack. To be successful, the new system needed the following: Granting any user permanent access to production infrastructure is a bad security practice, especially if you consider that we already limit access duration on AWS Accounts using Access Service. In the past, it’s been difficult to rotate SSH keys, run regular audits of Okta groups, and other security maintenance tasks, even with a single network entry point to our infrastructure exposed to the internet. This adds on top of the already large list of servers that need to be regularly updated. This step means higher load on the tooling team to provision and maintain these servers.īastion hosts need to be patched very frequently, since they are reachable from anywhere, even if it only exposes the SSH service. Without it, engineers wouldn’t be able to access instances they spin up. This manual process slows down engineering and adds load to the IT team.įor each new AWS account we create, we have to provision bastion hosts to access the new account internal network. As the organization changes, keeping this group up to date is hard. Every time an update to the group has to be made, we need to create an IT ticket. Our IT team manages the Okta group that grants SSH access to engineers. Granting access to servers on all AWS accounts through a single Okta group was a major issue. We needed to scope infrastructure access to only what the engineer needed. With this in mind, we needed to figure out how to follow our principle of least privilege, considering that Segment was creating AWS accounts at a faster rate than ever. Just by being in that Okta group, you got access to our infrastructure, regardless of the AWS account. When using bastion hosts, we used to have an Okta group that granted SSH access. There are several issues that arose with this system for granting access to our infrastructure. The problemsĮven though our authentication system met the requirements of preventing unauthorized access to our infrastructure, it wasn’t perfect. With all this, we ensured only authorized employees accessed our backend servers. The solution also installs a self-signed SSL certificate and configures RD CAP and RD RAP policies.They had to complete an MFA push on their phone when they connected to the bastion host. AWS Systems Manager to automate the deployment of the RD Gateway Auto Scaling group.AWS Secrets Manager to securely store credentials used for accessing the RD Gateway instances.If more tiers are required, you can create additional private subnets with unique CIDR ranges. An empty application tier for instances in private subnets.After deployment, you’ll modify the security group ingress rules to configure administrative access through TCP port 443 instead. A security group for Windows-based instances that will host the RD Gateway role, with an ingress rule permitting TCP port 3389 from your administrator IP address.A Network Load Balancer to provide RDP access to the RD Gateway instances.Each instance is assigned an Elastic IP address so it’s reachable directly from the internet. In each public subnet, up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets.Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*.This gateway is used by the RD Gateway instances to send and receive traffic.* An internet gateway to allow access to the internet.A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*.A highly available architecture that spans two Availability Zones.*.Use this solution to set up the following RD Gateway environment on AWS:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |