
I need to restrict access to the http(s) and pop/imap ports of an EC2 instance to a single country. It's a requirement from the security auditor. It will not prevent access via VPN, but at least it will not be directly open.

There are 2 questions here about the same topic: AWS EC2 Security Group SSH Access From USA Only,

AWS EC2 Security Group Web access from a single country?

The answers to both require adding the country's netblocks to the Security Group. I would like to know if anyone has implemented this in production?

Given the limit of 50 rules per security group and 5 security groups per instance, is it possible to add all the netblocks to the security groups?

Do the blocks change often? Do we need automation to check and update them daily?

Finally, is there a better solution using AWS-native features/services, maybe AWS Network Firewall?

amolkul
    This is going to be difficult to implement. Suggest you edit your question to include more details and big picture, "we want to restrict SSH traffic to one country because (reason) with 99% accuracy" as you might get more useful replies. IP restriction with security groups won't work. You would need to buy an IP restriction database, use CloudFlare country codes, or use location information provided by CloudFront if it's an https restriction, integrated with fail2ban or similar. Once we understand the problem we may be able to suggest an alternate solution. – Tim Oct 27 '21 at 18:34
  • @tim We need to block http(s) and email protocols to eliminate the possibility of email being accessed from outside the country, as this is the security auditor's requirement. Accuracy should be in the upper 90s, I guess, so that valid end users don't get blocked out daily. – amolkul Oct 28 '21 at 06:25
  • Please edit your question to include that detail. Please clarify email requirement - do you only want to receive email from people in one country? That will be tricky as it is perfectly valid for someone in (say) the USA to use an email server in Switzerland. http(s) is easy, use CloudFront. You cannot eliminate btw, you can only reduce risk, a VPN easily gets around IP based blocks. – Tim Oct 28 '21 at 06:51
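To size the "netblocks in security groups" approach from the question (50 rules per group, 5 groups per instance, one rule per port and CIDR), here is an added Python example that is not from the question or any answer: it collapses a country netblock list, counts the rules and groups it would consume, and diffs two snapshots for a daily update check. The netblocks are constructed documentation ranges, not a real country allocation.

```python
import ipaddress

# Limits as stated in the question; AWS quotas can be raised, so keep them
# as parameters rather than hard-coding them.
RULES_PER_SG = 50
SGS_PER_INSTANCE = 5

# Each inbound rule covers one (port, CIDR) pair, so every allowed netblock
# costs one rule per restricted port.
PORTS = {"http": 80, "https": 443, "imaps": 993, "pop3s": 995}

# Constructed sample feed (RFC 5737 documentation ranges), not a real list.
SAMPLE_NETBLOCKS = [
    "203.0.113.0/25", "203.0.113.128/25",  # adjacent halves: merge to a /24
    "203.0.113.64/26",                      # already covered by that /24
    "198.51.100.0/24",
    "192.0.2.0/24",
]


def collapse(cidrs):
    """Merge adjacent and nested blocks so the list costs as few rules as possible."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def rules_needed(cidrs, ports=PORTS):
    return len(collapse(cidrs)) * len(ports)


def sgs_needed(cidrs, ports=PORTS, rules_per_sg=RULES_PER_SG):
    return -(-rules_needed(cidrs, ports) // rules_per_sg)  # ceiling division


def fits_on_instance(cidrs, ports=PORTS, rules_per_sg=RULES_PER_SG,
                     sgs_per_instance=SGS_PER_INSTANCE):
    return sgs_needed(cidrs, ports, rules_per_sg) <= sgs_per_instance


def plan_security_groups(cidrs, ports=PORTS, rules_per_sg=RULES_PER_SG):
    """Chunk (CIDR, port) rules into lists that each fit one security group."""
    rules = [(str(net), port) for net in collapse(cidrs) for port in ports.values()]
    return [rules[i:i + rules_per_sg] for i in range(0, len(rules), rules_per_sg)]


def netblock_delta(old_cidrs, new_cidrs):
    """For a daily check: collapsed blocks added and removed since the last run."""
    old, new = set(collapse(old_cidrs)), set(collapse(new_cidrs))
    return sorted(map(str, new - old)), sorted(map(str, old - new))


if __name__ == "__main__":
    print(f"{rules_needed(SAMPLE_NETBLOCKS)} rules in {sgs_needed(SAMPLE_NETBLOCKS)} group(s)")
```

A real country list runs to thousands of prefixes, so `fits_on_instance` will usually return False and `netblock_delta` is what a daily job would act on.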

1 Answer


Maybe the good practice is to only authorize some IPs to connect to the server, OR to do the work directly in your application (like "this IP is not located in this country, I deny the access").

But keep in mind that users from other countries can still use a VPN in order to fake their location. So, limiting by IP only is the best restriction you can have!

Martin