I want to create a 2-level security group heirarchy in AWS.
Location Groups - groups of IP addresses specific to different locations (e.g. "office", "home", "customer 1", etc.). Each of these base groups grants each IP access to All Traffic (ports 0-65535)
Environment Groups - I then am trying to add these base Location Groups to my higher-level Environment Groups (e.g. "test", "prod", "reporting db", etc.). I will use Environment groups for my different instances in EC2. So a server "uat_01" for example will reference the "test" environment group, which will in turn grant access to "office", for example.
Here's my inbound rule setup for security group sg-f2d8.... (office)
I'm adding the base groups using port ranges for access to HTTP (or HTTPS, or MySQL, etc., based on need), and referencing the base group using "Custom" configuration with the group identifier, e.g. "sg-f2d8...."
In the Security Groups panel, everything looks ok, but I can't get access from the selected IPs.
Please help! I've been told EC2 Security Groups can reference base groups this way, but I can't seem to figure it out!
Thanks!
When you put a security group as the source of an inbound rule (or destination for an outbound rule) you are referencing the resources associated with that group (i.e. the ec2 instances that you create that belong to said group) not really allowing the traffic that the group would allow (this is kind of a common misconception on aws-security groups). There is also no transitivity between security groups by referencing them this way.
Now in order to achieve what you want to achieve, the only workaround i can think about is creating groups of the style home-test, office-test, home-prod and putting in each one the source ip that you would see fit. At the end of the day these would be just "1-level" security groups.
The formal answer would be that no, you cannot create hierarchical aws sec groups.
Related
I just started a project with Apache Nifi and I am new to this orchestration tool. From a Azure's standpoint in ADF, I would like to create a branch so that I can work on my own development or at least I want to create a separate pipeline in the workspace. In Apache Nifi, I have an user Interface that multiple people can work on. Even though the activities (or processors) in Nifi seems dependent unless specify otherwise, I would like to have my own work space as a separate canvas.
Is it possible to have multiple canvas as workspace in Apache Nifi on a single address ?
Kind regards,
Ken
What I would do is create a new process group with a unique name. Process Groups are a way to have a complete canvas to yourself that doesnt interfere with other canvases.
using a "Process Group" is the easiest way.
if needed you can apply policies on each "Process Group".
for this you need to add some users (put them in a group) and create policies which fits to your needs. while creating the policies you can add users (and groups) to your policy to grant access, view, modify, ...
btw, you can route flowfiles IN and OUT of your "Process Group" using "Input Port" and "Output Port" (next to the processors in the menu bar of the NiFi canvas)
We are using IAM permissions for groups and users with great success for S3, SQS, Redshift, etc. The IAM for S3 in particular gives lovely level of details by path and bucket.
I am bumping into some head scratching when it comes to EC2 permissions.
How do I create a permission that allows an IAM user to:
create up to n instances
do whatever he/she wants on those instances only (terminate / stop / describe)
...and makes it impossible for him/her to affect our other instances (change termination / terminate / etc.) ?
I've been trying Conditions on tag ("Condition": {"StringEquals": {"ec2:ResourceTag/purpose": "test"}}), but that means that all of our tools need to be modified to add that tag at creation time.
Is there a simpler way?
Limiting the number of instances an IAM user can create is not possible (unfortunately). All you have is a limit on the number of instances in the entire account.
Limiting permissions to specific instances is possible, but you have to specify the permissions for each instance-ID, using this format:
arn:aws:ec2:region:account:instance/instance-id
More information is available here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
A question that has stumped me for a while. I know this is possible over domains using Active Directory and all the rest, but what about on a basic local machine running on a basic network with many users.
Say this local machine is a communal work machine, which anyone with an account can use. All accounts are local, and are not roaming or on a domain, they are local to the machine.
Each user has different privileges, and are separated by groups.
While trying to create a group policy for a certain group, the group doesn't actually show up in the list. All that shows up in the list, are the local accounts individually, and two categories/groups: Administrators and Non Administrators
Where are the other groups? Why can I not create multiple policies specific to each individual group (Group1, Group2, Group3) that I have created?
The selection text quotes: "Local Users and Groups compatible with Local Group Policy". This seems to say that the groups I create seem not to be compatible with Group Policy?
Is there any fix to make custom groups 'Compatible' with Group Policy? Perhaps a registry or DLL fix?
Go to the Group Policy Management Console (gpmc.msc) and navigate to the required Organisational Unit. Right click, and select "Create a GPO..." and give it a name.
Right click on the newly created Group Policy Object, and deselect "Link Enabled" to prevent it from applying before you have finished configuring it.
Configure your GPO, and in the GPO Security Filtering panel, you are able to Add/Remove specific Active Directory users, groups and computers in which you want your GPO to apply to.
Hope this helps you
I was following railscasts to use rubber to deploy my rails app to ec2. I got the following problem:
$ cap rubber:create_staging
..... (omit successful part)
/Users/brian/.rvm/gems/ruby-1.9.3-p327/gems/excon-0.25.3/lib/excon/middlewares/expects.rb:10:in `response_call': SecurityGroupLimitExceeded => You have exceeded the number of VPC security groups allowed per instance. (Fog::Compute::AWS::Error)
how can I avoid this problem?
The issue is that by default Rubber is creating different security groups for each role. You will notice the console printing numerous "Creating Security Group #{x}" lines. The max allowed without petitioning is 5 (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html) without petitioning.
First run cap rubber:destroy_all.
To force Rubber to use only one security group go into rubber.yml and set...
auto_security_groups: false
isolate_security_groups: false
After that it may work, or you may get error saying security groups exists... Go here to read how to access security groups. Once in the panel delete all security groups but "default". http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#DeleteSecurityGroup
If you are getting errors about rules, then select the "default" user group in the AWS panel . This will bring up the rules. Delete all custom TCP rules. After this everything should work. You may need to repeat deleting groups and rules, since Rubber seems to do a terrible job of managing those.
You can request the VPC limits for your account to be raised via this form.
I've created an autoscaling group on EC2 and it's working just fine. Servers scale up and down depending on load. I'd like to have a little more info on the management side and am wondering if there's a way to get the autoscaling group to dynamically add names to the instances that it boots up. I'm referring to adding a Tag with key=Name and value=autogeneratedid.
For example, if I had an autoscaling group called test-group, servers would boot up with the following names:
test-group-1
test-group-2
test-group-3
...
I'd like to find them an enumerate them in the EC2 Management Console, but right now they're just showing up as "empty" names (the Tag key=Name isn't explicitly set on the instances).
Any ideas?
In order to get the tags to be set on the instances, make sure you are setting the PropagateAtLaunch flag ("p=1") for the tag in the Auto Scaling Group.
You'll want to read this section in Amazon's documentation:
http://docs.amazonwebservices.com/AutoScaling/latest/DeveloperGuide/ASTagging.html
As far as having Amazon dynamically adding parameters to the tag value, I'm not aware of any such feature.