Allowing all traffic to office IPs and employees' home IPs (dynamic IPs)

0

I am wondering how safe/secure it is to create an "internal-users-sg" security group on AWS and add it to all other security groups. This "internal-users-sg" would allow all traffic on all ports to our servers from employees' homes and our company's office IPs. There are several advantages, one big security advantage is that we can remove a user's access in one place - by removing them from the "internal-users-sg".

Is there a better way to do this? Is this ill-advised? This would only be for developers, not for everyone in the company (obviously).

Alexander Mills

Posted 2019-06-26T21:02:49.483

Reputation: 165

Answers

1

Adding users home IPs to a security group is ok, but comes with risks. People with this access can upload or download anything they like if you don't put in other security controls. One way around this is to require everyone to VPN into the office, and then connect to AWS from there.

Home IP addresses tend to be dynamic. Sometimes they change daily, sometimes weekly, sometimes monthly. You can have a script running on PCs to update security group rules automatically, but that also has some risk.

Run AWS GuardDuty if you want alerts for people logging in from unusual IP addresses - you'll get alerts the first few times an IP is used. Service Control Policy and IAM policy can be used to restrict what your users can do.

Tim

Posted 2019-06-26T21:02:49.483

Reputation: 529

"Home IP addresses tend to be static". Did you mean dynamic? – VL-80 – 2019-06-26T22:54:56.760

Thanks, typo corrected – Tim – 2019-06-26T23:36:15.623
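A reconciliation script for the dynamic home-IP rules the answer describes, as an added example that is not from the question or the answer. It assumes one /32 rule per developer, marked by the rule Description `dev:<username>` (a naming convention chosen here, not an AWS feature), narrows the allow to a short TCP port list instead of the question's all-traffic rule, and takes each developer's current public IP from the caller (for instance the per-PC updater the answer mentions) rather than fetching it itself, so the planning logic runs offline. Only `apply_changes` needs a boto3 EC2 client with `ec2:DescribeSecurityGroups`, `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress`. Removing a developer from the input map revokes every rule of theirs, which is the single-place removal the question wants; rules without the `dev:` prefix (the office CIDR) are never touched.

```python
"""Reconcile per-developer /32 ingress rules in a shared AWS security group.

Added example (not from the question or answer). Assumptions:
  - one rule set per developer, identified by Description "dev:<username>"
  - developers get a fixed TCP port allow-list, not "all traffic"
  - the caller supplies each developer's current public IP
"""
import ipaddress

ALLOWED_PORTS = (22, 443)   # assumption: what developers actually need
DESC_PREFIX = "dev:"        # assumption: marks rules this script owns


def desired_permissions(user_ips):
    """Build boto3-shaped IpPermissions for each developer's current /32."""
    perms = []
    for user, ip in sorted(user_ips.items()):
        cidr = f"{ipaddress.ip_address(ip)}/32"  # raises ValueError on junk input
        for port in ALLOWED_PORTS:
            perms.append({
                "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": cidr,
                              "Description": f"{DESC_PREFIX}{user}"}],
            })
    return perms


def _flatten(perms):
    """Set of (proto, from_port, to_port, cidr, description) tuples."""
    out = set()
    for p in perms:
        for r in p.get("IpRanges", []):
            out.add((p["IpProtocol"], p.get("FromPort"), p.get("ToPort"),
                     r["CidrIp"], r.get("Description", "")))
    return out


def plan_changes(current_perms, user_ips):
    """Return (to_revoke, to_authorize) as sorted lists of flat tuples.

    Only rules whose Description starts with DESC_PREFIX are managed; the
    office CIDR and any hand-added rule are left alone on purpose.
    """
    managed_now = {t for t in _flatten(current_perms)
                   if t[4].startswith(DESC_PREFIX)}
    wanted = _flatten(desired_permissions(user_ips))
    return sorted(managed_now - wanted), sorted(wanted - managed_now)


def to_ip_permissions(flat):
    """Convert flat tuples back into the IpPermissions list boto3 expects."""
    return [{"IpProtocol": proto, "FromPort": f, "ToPort": t,
             "IpRanges": [{"CidrIp": cidr, "Description": desc}]}
            for proto, f, t, cidr, desc in flat]


def apply_changes(ec2, group_id, user_ips):
    """Fetch the group's current ingress rules and apply the plan via boto3."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, auth = plan_changes(group["IpPermissions"], user_ips)
    if revoke:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=to_ip_permissions(revoke))
    if auth:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=to_ip_permissions(auth))
    return revoke, auth


# Constructed sample of what describe_security_groups returns for the group:
# alice's home IP has changed, bob's has not, and the office /24 is unmanaged.
SAMPLE_CURRENT = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "dev:alice"},
                  {"CidrIp": "198.51.100.7/32", "Description": "dev:bob"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "dev:alice"},
                  {"CidrIp": "198.51.100.7/32", "Description": "dev:bob"}]},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "192.0.2.0/24", "Description": "office"}]},
]
SAMPLE_USER_IPS = {"alice": "203.0.113.55", "bob": "198.51.100.7"}

if __name__ == "__main__":
    revoke, auth = plan_changes(SAMPLE_CURRENT, SAMPLE_USER_IPS)
    print("revoke:", revoke)
    print("authorize:", auth)
    # Offboarding bob: drop him from the map and his rules land in "revoke".
    print("offboard bob:", plan_changes(SAMPLE_CURRENT, {"alice": "203.0.113.55"})[0])
```

Run it on the constructed sample and the plan revokes alice's two stale rules for 203.0.113.10/32 and authorizes two for 203.0.113.55/32, while bob's rules and the office rule are untouched. Pairing this with the GuardDuty alerting the answer recommends gives a record of the first logins from each new address.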