Step 4 - Limit Network Access

In this exercise we will use AWS Trusted Advisor's basic security checks to identify remote access risks associated with the EC2 instance and fix them. We will then use the Session Manager capability of AWS Systems Manager to access the instance without opening an inbound port.

Note: For this lab, it is assumed that a Microsoft Windows-based EC2 instance has already been created with default settings. For instructions on creating an EC2 instance, please follow the link.

  1. From the AWS console, click Services and select Trusted Advisor.

  2. On the Trusted Advisor console, click the Refresh All icon on the right side, as shown below.

remaccess_01.png

  1. You will notice that Trusted Advisor has identified a few risks. Click on the Security tab. You will see findings for security groups with open network access. Now let's fix these issues.

remaccess_02.png

  1. Click on one of the findings, which expands to show more details, including the list of security groups affected by this particular issue. Click on the Security Group Name in the list. The Security Group console opens in a new browser tab.

remaccess_03.png

  1. On the Security Groups page, click on Inbound rules. You will notice that one rule allows open access to port 3389 (RDP) from the internet, which is not a good practice. Therefore, we need to remove this rule.

remaccess_04.png

  1. Click on Edit inbound rules.

  2. Click Delete next to the rule for port 3389, then click Save rules. This removes the rule permanently.

remaccess_05.png

  1. Now go back to the Trusted Advisor tab and click the Refresh this check icon associated with the security risk.
  2. Trusted Advisor will re-run the check and show green once it finds that the issue is fixed.

remaccess_06.png
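The same check Trusted Advisor runs above can be applied to the output of `aws ec2 describe-security-groups`. This is an added example, not part of the original lab: it flags every rule that exposes a port to 0.0.0.0/0 or ::/0 and builds the minimal ingress entry to revoke, generalized from port 3389 to any TCP port (and all-traffic rules). The security group data below is constructed for illustration.

```python
# Added example (not part of the original lab): the Trusted Advisor check above applied to
# describe-security-groups output, generalized to any TCP port. Sample data is constructed.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of the SecurityGroups list from describe-security-groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def rule_covers_port(perm, port):
    """True if a rule reaches `port`: all traffic (-1) or a TCP range containing it."""
    proto = perm.get("IpProtocol")
    return proto == "-1" or (proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])

def open_sources(perm):
    """The anywhere-CIDRs (IPv4 and IPv6) listed as sources in one rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in OPEN_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_CIDRS]
    return v4 + v6

def find_open_port_rules(groups, port=3389):
    """Return (GroupId, rule, open_sources) for every rule exposing `port` to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = open_sources(perm) if rule_covers_port(perm, port) else []
            if sources:
                findings.append((sg["GroupId"], perm, sources))
    return findings

def revoke_permission(perm, sources):
    """Minimal IpPermissions entry for revoke-security-group-ingress: removes only
    the open sources, leaving the rule's private sources (e.g. 10.0.0.0/8) in place."""
    out = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        out.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
    v4 = [{"CidrIp": c} for c in sources if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in sources if ":" in c]
    out.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
    return out
```

The returned revoke entries match the `--ip-permissions` shape of `aws ec2 revoke-security-group-ingress`, so a finding can be turned directly into the fix performed in the console above.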

  1. Now, to access the EC2 instance securely, we will use the AWS Systems Manager capability called Session Manager.

  2. From the AWS console, click Services and select Systems Manager.

  3. Click on Fleet Manager under Node Management on the menu at the left side of Systems Manager console.

  4. Click on Get Started.

  5. You will see the instance(s) managed by Systems Manager listed.

remaccess_07.png

  1. Click on the Settings tab.

  2. Click the Change account setting button in order to use the Advanced Instance Tier, which allows you to use the Session Manager capability.

  3. Accept the changes by clicking on the checkbox and click on Change setting.

  4. Click on Session Manager under Node Management on the menu at the left side of Systems Manager console.

  5. Click on Start Session at the upper right.

  6. Select the instance that you want to access and then click Start session.

remaccess_08.png

  1. A new tab opens with a Microsoft Windows command prompt or a Linux terminal window.

remaccess_09.png

  1. To exit the session, simply use the relevant OS command or click Terminate at the upper right of the page.

For more information, please read the AWS User Guides:

https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html