Amazon WorkSpaces and Amazon AppStream 2.0 ship with several security controls out of the box, including:

- Network ACLs, which work as a second line of defense behind security groups.
- Volume encryption through AWS KMS integration.
- A CAPTCHA prompt that limits repeated incorrect login attempts.

However, some regulations require more, and this is where we discuss other ways to secure your Amazon AppStream and Amazon WorkSpaces environments.

Although the API endpoints for Amazon AppStream and Amazon WorkSpaces, like those of many other AWS services (Amazon RDS, Amazon S3, AWS Lambda), are public and reachable from the internet, you can still limit access to these services by IP address using the following methods:

- Limit access to WorkSpaces using the IP Access Control List functionality. This feature comes out of the box with Amazon WorkSpaces and is straightforward to configure directly from the console.
- Limit access to AppStream using SAML 2.0-based authentication (AD FS, Azure AD, Okta, etc.). This requires a source-IP filter: an inline policy on the SAML 2.0 federation IAM role whose aws:SourceIp condition only allows streaming from your approved address ranges.
- Another option is to use AWS PrivateLink endpoints for AppStream and connect to your AppStream fleet through AWS VPN, so that streaming traffic does not have to arrive from the public internet at all.

Unfortunately, MFA is still not an "out of the box" option for those two services; however, the following workarounds enable multi-factor authentication.

In WorkSpaces, the only way to enable MFA is through a RADIUS server integrated with your directory, either an on-premises AD or an AWS Managed Microsoft AD. With this approach, the username and password are authenticated against Active Directory, while the RADIUS server is responsible for validating the one-time password (OTP) generated by an authenticator app such as Google Authenticator. One open-source RADIUS server that can be used for this is FreeRADIUS.

Enforcing MFA for Amazon AppStream can only be achieved through SAML 2.0 federation with your corporate directory, with the MFA challenge enforced by the identity provider before it issues the SAML assertion.

We have also seen cases where clients require network filtering on their WorkSpaces and AppStream fleets for compliance and regulatory reasons, such as PCI DSS Requirement 11.4, which requires implementing intrusion detection and intrusion prevention systems. Others prefer domain name filtering to limit or block specific fully qualified domain names (FQDNs) from being accessed within their VPC.

Previously, clients had to route their ingress and egress traffic either through their on-premises firewalls or through a firewall appliance subscribed from the AWS Marketplace to protect their network from Layer 3 to Layer 7 attacks such as IP spoofing, viruses, worms, and trojans. Others relied on securing their network using only security groups and network ACLs to block specific IP addresses and ports.

Luckily, AWS announced the general availability of AWS Network Firewall in November 2020, and it was a game changer for such scenarios. AWS Network Firewall is a fully managed service that helps protect the network perimeter of your Amazon VPCs and can also act as an IDS/IPS for network flow inspection.
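The source-IP restriction on the AppStream SAML federation role described above, as an added example that is not code from the original post. It builds the inline policy in the shape AWS documents for this use case (appstream:Stream allowed only when appstream:userId equals the SAML subject and aws:SourceIp falls inside an approved CIDR) and adds a small local evaluator so the CIDR list can be sanity-checked before the policy is attached to the role. The stack ARN, the CIDRs and the probe addresses are constructed sample values, and the evaluator is a simplified model of IAM's condition matching, not IAM itself.

```python
"""Source-IP restriction for AppStream 2.0 SAML federation (added example)."""
import ipaddress
import json

# Constructed sample values; replace with your stack ARN and office ranges.
STACK_ARN = "arn:aws:appstream:us-east-1:123456789012:stack/corp-stack"
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48"]


def build_stream_policy(stack_arn: str, allowed_cidrs: list[str]) -> dict:
    """Inline policy for the SAML 2.0 federation IAM role.

    appstream:userId must equal the SAML subject so a user can only stream as
    themselves, and aws:SourceIp must be inside one of allowed_cidrs. IAM
    denies by default, so any address outside the list is refused.
    """
    for cidr in allowed_cidrs:
        # Fail early on a malformed or non-canonical range (host bits set).
        ipaddress.ip_network(cidr, strict=True)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appstream:Stream",
                "Resource": stack_arn,
                "Condition": {
                    "StringEquals": {"appstream:userId": "${saml:sub}"},
                    "IpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                },
            }
        ],
    }


def policy_json(stack_arn: str, allowed_cidrs: list[str]) -> str:
    """Serialised form, ready for `aws iam put-role-policy --policy-document`."""
    return json.dumps(build_stream_policy(stack_arn, allowed_cidrs), indent=2)


def stream_allowed(policy: dict, source_ip: str, stack_arn: str) -> bool:
    """Local check of the IpAddress condition.

    Assumption: a simplified model of IAM evaluation covering only the single
    Allow statement this policy contains; used to review the list offline.
    """
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "appstream:Stream":
            continue
        if stmt["Resource"] != stack_arn:
            continue
        ranges = stmt["Condition"].get("IpAddress", {}).get("aws:SourceIp", [])
        # An IPv4 address never matches an IPv6 range and vice versa.
        if any(ip in ipaddress.ip_network(cidr) for cidr in ranges):
            return True
    return False  # implicit deny


if __name__ == "__main__":
    policy = build_stream_policy(STACK_ARN, ALLOWED_CIDRS)
    print(policy_json(STACK_ARN, ALLOWED_CIDRS))
    for probe in ["203.0.113.77", "198.51.100.10", "198.51.100.11",
                  "2001:db8:1::5", "8.8.8.8"]:
        verdict = "allow" if stream_allowed(policy, probe, STACK_ARN) else "deny"
        print(f"{probe:>16} -> {verdict}")
```

Attach the output with `aws iam put-role-policy` on the federation role; because the condition lives on the role that the SAML assertion maps to, a user who authenticates at the identity provider from an unapproved address still cannot start a streaming session. Remember that aws:SourceIp sees the address the AppStream request arrives from, so users behind a corporate proxy or VPN must have that egress range in the list.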
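The FQDN filtering mentioned above, implemented with an AWS Network Firewall domain list rule group, as an added example that is not code from the original post. It builds the request body for the network-firewall CreateRuleGroup API (a stateful rule group whose RulesSourceList generates allowlist rules on TLS SNI and HTTP Host) and includes a local matcher for reviewing the list offline. The matcher encodes the documented target semantics (`example.com` matches only that host, `.example.com` matches the host and all of its subdomains) and is an assumption used for review only; the firewall performs the real matching. The domain names, the spoke CIDRs and the rule group name are constructed sample values.

```python
"""Domain allowlist rule group for AWS Network Firewall (added example)."""
import ipaddress

# Constructed sample inputs.
ALLOWED_FQDNS = [".amazonaws.com", "updates.example.com", ".windowsupdate.com"]
SPOKE_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]


def validate_target(target: str) -> str:
    """Normalise one domain list entry and reject unsupported forms.

    Assumption: the leading-dot form is the only wildcard the domain list
    accepts, so a '*' is treated as a mistake rather than sent to the API.
    """
    t = target.strip().lower().rstrip(".")
    if not t or " " in t or "*" in t or t == ".":
        raise ValueError(f"invalid domain target: {target!r}")
    return t


def build_domain_allowlist_rule_group(name: str, targets: list[str],
                                      home_net: list[str] | None = None,
                                      capacity: int = 100) -> dict:
    """Body for boto3 network-firewall create_rule_group(**body).

    GeneratedRulesType ALLOWLIST means traffic whose TLS SNI or HTTP Host is
    not in Targets is dropped. When the firewall sits in a central inspection
    VPC, HOME_NET must be overridden with the spoke CIDRs, otherwise it
    defaults to the firewall VPC's own CIDR and spoke traffic is not matched.
    """
    rule_group = {
        "RulesSource": {
            "RulesSourceList": {
                "Targets": [validate_target(t) for t in targets],
                "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                "GeneratedRulesType": "ALLOWLIST",
            }
        }
    }
    if home_net:
        for cidr in home_net:
            ipaddress.ip_network(cidr)  # fail early on a bad CIDR
        rule_group["RuleVariables"] = {
            "IPSets": {"HOME_NET": {"Definition": list(home_net)}}
        }
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": rule_group,
    }


def host_matches(target: str, host: str) -> bool:
    """Assumed domain list semantics: exact match, or dot-prefixed suffix."""
    host = host.strip().lower().rstrip(".")
    target = validate_target(target)
    if target.startswith("."):
        base = target[1:]
        return host == base or host.endswith("." + base)
    return host == target


def host_allowed(targets: list[str], host: str) -> bool:
    """Would a connection with this SNI / Host header pass the allowlist?"""
    return any(host_matches(t, host) for t in targets)


if __name__ == "__main__":
    body = build_domain_allowlist_rule_group("fqdn-allowlist", ALLOWED_FQDNS,
                                             home_net=SPOKE_CIDRS)
    print(body)
    for host in ["s3.us-east-1.amazonaws.com", "updates.example.com",
                 "cdn.updates.example.com", "evilamazonaws.com"]:
        print(f"{host:>28} -> {'pass' if host_allowed(ALLOWED_FQDNS, host) else 'drop'}")
```

Create the rule group with `boto3.client("network-firewall").create_rule_group(**body)`, reference it from the firewall policy, and route the VPC's egress through the firewall endpoint. Two caveats a practitioner should keep in mind: an entry without the leading dot silently blocks every subdomain (`cdn.updates.example.com` is dropped above), and matching is on the SNI or Host header, so plain TCP traffic without either is not covered by a domain list and needs separate stateful rules.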