VPN or Jump Boxes?

I’m newish to the cloud space, and we have a VPN connection through the gateway to our datacenter. So I just use our network to connect to AWS resources when needed.

The question that comes up is how would you connect (RDP) in an emergency? I always had the thought that there’s several ways to skin that cat, but you could easily set up an RDP security group from your home IP (or remote site in a DR event) and then use that box as a jump box.

Is that not what most people do? I see many people paying for a VPN client. Is that because you don’t have a VPN connection back to your local network, so it’s easier to just connect using a VPN?

Thanks!

In my opinion, people here are going overboard, but maybe that’s because there’s millions of dollars on the line for them. If I needed RDP access to an environment in an emergency, as long as there weren’t specific change management procedures that need to be followed for any change in the environment to be made, I’d spin up a new Windows server in a public subnet and create a security group with only my IP allowed, and when I’m done I’d delete the box and security group. I’m not spinning up an RDS environment with Azure NPS extension for MFA and then locking it down to just my IP. Why not create a fourth factor of authentication by requiring that me and my CEO both turn the key at the same time to initialize the connection sequence?

I’m imagining the scenario where the above precautions of creating a temporary jumpbox aren’t nearly enough. It would have to be a coordinated attack where my network is already vulnerable and a hacker is able to egress my IP to gain access to the environment that I had just unlocked only for my IP and was ready to attack. Clearly the Russians are involved and there might as well be a bullet in the back of my head already.

So while I’m incredulous to the fear that people are stoking, I’m genuinely curious how leaving up a bastion host 24/7 for the world to poke at is more secure than temporarily spinning up a jumpbox that, unless hackers have compromised AWS’s security protocols and can probe every 3389-accepting server, wouldn’t be a blip on any hacker’s radar. I have a feeling the answer would have to do with forgetting to clean up, but forgetting to follow proper procedure begs the question regardless of what your method is. Either way, I’d really like to know because my hubris is probably causing me to miss something glaringly obvious.

I have seen clients do it different ways, as you mentioned.

I have even seen clients that have a site-to-site VPN to their AWS services and connect to the on-prem network to be able to talk to the AWS stuff (the AWS VPC has no gateway to the internet).

RDP breaching is still a big thing.

So if you are gonna expose RDP, lock it down to IP addresses and enable 2FA.

There is no wrong/right way. You weigh the pros and cons when it comes to how you implement your security into your AWS environment.
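The temporary jump box approach above (one /32 in a security group, delete it when done) and the "lock it down to IP addresses" advice both depend on the rules actually staying that tight, and the failure mode this thread keeps circling back to is forgetting to clean up. Below is an added example, not code from any post in the thread, that audits security group rules the way a scheduled check would: it flags 22 or 3389 reachable from anything wider than a single host, and builds the single-host RDP rule the temporary box should use. It runs offline against a constructed sample shaped like the `SecurityGroups` list in `aws ec2 describe-security-groups --output json`; the group IDs, names and addresses are made up.

```python
"""Audit EC2 security group rules for admin ports reachable from more than
one address. Added example; the sample below is constructed, not real data."""
import ipaddress

# Ports the thread is about: SSH and RDP.
ADMIN_PORTS = {22, 3389}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # "All traffic": no FromPort/ToPort keys
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def cidr_is_single_host(cidr):
    """True for a /32 (IPv4) or /128 (IPv6); anything wider is a range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == net.max_prefixlen


def find_exposed_admin_ports(groups, ports=ADMIN_PORTS):
    """Return (group_id, port, cidr) for every admin port that is reachable
    from a CIDR wider than a single host. Sources given as other security
    groups (UserIdGroupPairs) or prefix lists (PrefixListIds) are not CIDRs
    and are deliberately not examined here."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in sorted(ports):
                if not rule_covers_port(perm, port):
                    continue
                for cidr in sources:
                    if not cidr_is_single_host(cidr):
                        findings.append((sg["GroupId"], port, cidr))
    return findings


def rdp_ingress_for(source_ip):
    """The IpPermissions entry for the temporary jump box: RDP from exactly
    one address. This is the shape authorize-security-group-ingress takes."""
    host = ipaddress.ip_address(source_ip)
    ranges_key = "IpRanges" if host.version == 4 else "Ipv6Ranges"
    cidr_key = "CidrIp" if host.version == 4 else "CidrIpv6"
    return {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
            ranges_key: [{cidr_key: f"{host}/{host.max_prefixlen}"}]}


# Constructed sample mirroring describe-security-groups output (fake IDs).
SAMPLE_GROUPS = [
    {   # the thread's temporary jump box: one /32, RDP only -> clean
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "emergency-rdp",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        ],
    },
    {   # a "forgot to clean up" group: RDP open to the world, v4 and v6
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "dr-test-2019",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # "all traffic" from an office /24: implicitly covers 22 and 3389
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "office-allow-all",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {   # web tier: 443 to the world is outside this check's scope
        "GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


if __name__ == "__main__":
    for group_id, port, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} open to {cidr}")
    print("rule for the temporary box:", rdp_ingress_for("203.0.113.7"))
```

Against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from the CLI or boto3; the /32 rule itself is also worth reporting when the group is older than the incident it was opened for, since a single-host rule that nobody deleted is the exact leftover the thread worries about.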

We do VPN into nonprod VPC, then bastion into prod VPC.

There are plenty of free or inexpensive VPN options out there. We are a company, so we pay $50/mo to Pritunl and it’s worth every penny. The only route into our AWS environment is via VPN, even in the office. It’s a lot easier to manage compared to jump boxes and minimizes risk. Also, none of our instances have public IPs so this is really our only option.

All your resources on AWS should be in a VPC with your RDP box in a private subnet. The only SSH server exposed to the public internet should be on your NAT in your public subnet, possibly on its own dedicated public IP. From there you can use SSH port forwarding and ideally agent forwarding as well to jump to whatever resources in your private subnets. For example:

ssh [email protected] -p 5022 -A -L 3389:localhost:7118

ssh -L 7118:rdp-box.evfgf7iqn.us-east-1.amazonaws.com:3389 [email protected]

or jump directly with less complexity and arguably less security:

ssh [email protected] -p 5022 -L 3389:rdp-box.evfgf7iqn.us-east-1.amazonaws.com:3389

Depends on how many users share the jump box and whether they have different restrictions on which private subnets they can access or not. Either way then you can just RDP to 127.0.0.1:3389 on your machine to get to the box.
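The ssh commands above can be written once in ~/.ssh/config, and the per-user restriction question in the post (which private subnets each jump box user may reach) can be enforced on the jump host itself instead of being trusted to each user's command line. The following is an added example, not code from the post; the host names, private addresses, port, user and key file names are assumed. ProxyJump stands in for the -A agent forwarding of the first pair of commands: the hop to the inner host is authenticated from the workstation through a TCP channel the bastion relays, so the private key never has to be present or forwarded on the bastion.

```sshconfig
# ~/.ssh/config on the workstation (assumed names and addresses)

Host bastion
    HostName bastion.example.com      # NAT/jump host in the public subnet
    Port 5022
    User alice
    IdentityFile ~/.ssh/aws_bastion
    ForwardAgent no                   # ProxyJump below makes -A unnecessary

# Two-hop form of the first pair of commands: run "ssh -N rdp-tunnel",
# then RDP to 127.0.0.1:3389. The session to the inner host is
# authenticated from this machine; the bastion only relays TCP to port 22.
Host rdp-tunnel
    HostName 10.0.1.20                # inner host in a private subnet
    User alice
    IdentityFile ~/.ssh/aws_inner
    ProxyJump bastion
    LocalForward 3389 10.0.2.15:3389  # the RDP box, by private IP

# One-hop form of the last command (forward straight off the bastion).
# On the server side this needs a second permitopen on the bastion key,
# which is the "arguably less security" trade-off: the bastion then holds
# a path to the RDP box, not just to the inner SSH port.
Host rdp-direct
    HostName bastion.example.com
    Port 5022
    User alice
    IdentityFile ~/.ssh/aws_bastion
    LocalForward 3389 10.0.2.15:3389

# ---- server side: restrict what each user's key may reach ----
# /home/alice/.ssh/authorized_keys on the bastion (OpenSSH 7.2 or later
# for "restrict"): no pty, no agent or X11 forwarding, and the only
# forward this key may open is to the inner host's SSH port. permitopen
# matches the destination string literally, so use the same form
# (IP or name) here and in the client's ProxyJump / LocalForward.
restrict,port-forwarding,permitopen="10.0.1.20:22" ssh-ed25519 AAAAC3...assumedkey... alice@workstation

# /home/alice/.ssh/authorized_keys on the inner host: this key may reach
# only the RDP box, only on 3389. A user who may reach other subnets gets
# additional comma-separated permitopen="host:port" entries on their own key.
restrict,port-forwarding,permitopen="10.0.2.15:3389" ssh-ed25519 AAAAC3...assumedkey... alice@workstation
```

With `restrict` in place a login shell is not the point of the key, so start the tunnel with `ssh -N` on the client; a forward to any destination not listed in `permitopen` is refused by sshd and logged, which gives you the per-user subnet restriction without building a separate jump box per group of users.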

I’m getting intimately acquainted.

I was unaware of this option - so I could set up a box inside a VPC and use this session manager to get into it - and from there I could connect to an Aurora serverless instance - is that correct?

I have the exact same opinion and ideas you do, but I hadn’t heard them echoed in this sub, so it’s good to know that I’m using common sense and not just missing something huge that everyone knows that I don’t.

Yeah, RDP would only be exposed on a public bastion server that’s only exposed during an event, and tightly locked down to individual IPs. Thanks for validating what I was thinking.