Restrict access to VPC resources

0

Hi. In our current solution, users connect with a VPN client and from there have access to the entire VPC.

We have a new requirement: within that same VPC, not all users should have access to all the artifacts (EC2, DBs, etc.). Instead, each user should have access according to their user type / role (for example, the people who produce reports and connect to the databases would only have access to the databases, administrators to everything, etc.).

Here is a proposal to implement the new requirement:

Proposal

I have been checking [this] AWS solution where, within the same VPC, users who connect to the endpoint only have access to the instance with security group B, since it allows incoming traffic from security group A.

Therefore, what we would like to do is deploy the artifacts within the same VPC in different private subnets, where each subnet would be logically associated with a user role. Artifacts in a subnet would allow incoming traffic from the corresponding security group in the diagram.

From the point of view of users connecting with the client, it is proposed that each user can only connect to the endpoint that corresponds to their role.

I would like to know whether this solution could be wrong with respect to the requirement, or whether AWS provides a more elegant solution to implement it.

Thank you so much

2 Answers
1

Your proposed solution is on the right track in terms of segregating access within a VPC based on user roles, using security groups and subnets. However, there are a few more elegant and scalable approaches provided by AWS to achieve fine-grained access control within your VPC:

  1. AWS Identity and Access Management (IAM) policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

  2. AWS VPC endpoint policies: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html

  3. Security groups and network ACLs: https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/security-groups-and-network-acls-bp5.html

  4. AWS Resource Access Manager (RAM): RAM allows you to share resources between AWS accounts or within your organization without needing to create duplicate resources. https://aws.amazon.com/it/ram/

  5. AWS Systems Manager Session Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

EXPERT
answered a month ago
EXPERT
reviewed a month ago
EXPERT
reviewed a month ago
0

Hi A_J and the experts who reviewed the answer. Thank you so much for your help.

I've found information about Authorization Rules.

What do you think about a solution in which a SAML provider (for example Google) or Active Directory classifies users into groups according to their roles, and then each group is authorized to access the artifacts in a subnet by a different authorization rule? I think this solution would be more elegant, and we would also only need one Client VPN endpoint, because it would define as many authorization rules as there are subnets.

Thank you so much

answered a month ago
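The two designs discussed on this page (security group B admitting traffic only from the endpoint's security group A, as in the question's proposal, and a single Client VPN endpoint whose SAML groups are mapped to per-subnet authorization rules, as in the second answer) fit together in one Terraform configuration. The block below is an added example written for this page; it is not code from the original post or from AWS. Every CIDR, subnet ID, certificate ARN, SAML provider ARN and group name is an assumed placeholder, and the group names must match whatever the IdP actually sends in the SAML assertion's memberOf attribute.

```hcl
# Added example (not from the original post): one Client VPN endpoint,
# SAML group membership, and one authorization rule per role subnet.
# All CIDRs, ARNs, subnet IDs and group names below are assumed placeholders.

variable "vpc_id"                { type = string }            # existing VPC
variable "vpc_cidr"              { default = "10.0.0.0/16" }  # assumed VPC CIDR
variable "db_subnet_cidr"        { default = "10.0.20.0/24" } # subnet holding the report DBs
variable "association_subnet_id" { type = string }            # subnet the endpoint ENIs live in
variable "server_cert_arn"       { type = string }            # ACM certificate for the endpoint
variable "saml_provider_arn"     { type = string }            # IAM SAML provider (e.g. Google Workspace)

# Security group A: attached to the Client VPN endpoint. Inside the VPC, every
# packet from any VPN client, whatever the user's role, carries this group.
resource "aws_security_group" "vpn_clients" {
  name        = "client-vpn-clients"
  description = "Source SG for traffic arriving through the Client VPN endpoint"
  vpc_id      = var.vpc_id
}

# Security group B: the report databases. It accepts PostgreSQL only from SG A,
# never from a CIDR, so nothing but VPN clients can open a connection to them.
resource "aws_security_group" "reporting_db" {
  name        = "reporting-db"
  description = "Report databases reachable from VPN clients only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "db_from_vpn" {
  security_group_id            = aws_security_group.reporting_db.id
  referenced_security_group_id = aws_security_group.vpn_clients.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}

resource "aws_cloudwatch_log_group" "vpn" {
  name              = "/aws/clientvpn/role-based"   # assumed name
  retention_in_days = 90
}

resource "aws_ec2_client_vpn_endpoint" "this" {
  description            = "Single endpoint; roles enforced by authorization rules"
  server_certificate_arn = var.server_cert_arn
  client_cidr_block      = "10.100.0.0/22"   # assumed; must not overlap the VPC CIDR
  vpc_id                 = var.vpc_id
  security_group_ids     = [aws_security_group.vpn_clients.id]
  split_tunnel           = true              # only VPC routes go through the tunnel

  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = var.saml_provider_arn
  }

  connection_log_options {
    enabled              = true
    cloudwatch_log_group = aws_cloudwatch_log_group.vpn.name
  }
}

# Associating a subnet adds a route for the whole VPC CIDR to the endpoint, so
# which subnets a given user can actually reach is decided by the rules below.
resource "aws_ec2_client_vpn_network_association" "assoc" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  subnet_id              = var.association_subnet_id
}

# Reporting role: only the DB subnet. access_group_id must equal the group value
# the IdP puts in the SAML assertion's memberOf attribute (assumed "vpn-reporting").
resource "aws_ec2_client_vpn_authorization_rule" "reporting" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  target_network_cidr    = var.db_subnet_cidr
  access_group_id        = "vpn-reporting"
  description            = "Reporting role -> DB subnet only"
}

# Admin role: the entire VPC (assumed group "vpn-admins").
resource "aws_ec2_client_vpn_authorization_rule" "admins" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  target_network_cidr    = var.vpc_cidr
  access_group_id        = "vpn-admins"
  description            = "Admin role -> entire VPC"
}
```

Two points worth checking before relying on this. First, authorization rules are an allow-list keyed on destination CIDR and group: a group with no rule for a subnet cannot reach it even though the VPC route exists, so adding a new role subnet means adding a new rule, not a new endpoint. Second, the security-group reference alone cannot separate reporting users from administrators, because all VPN clients share security group A; it only guarantees that the databases are reachable from the VPN and not from other workloads. The role split therefore comes from the authorization rules, and you can confirm what is in force with `aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <endpoint-id>`.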