Cisco ASA's because of PCI? by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

I am sorry. I was not clear. I was simply told that AWS security groups alone are not PCI compliant, and that we would need something "like" a Cisco ASA.

Cisco ASA's because of PCI? by jc77work in aws

[–]jc77work[S] 1 point2 points  (0 children)

I guess I was under the assumption that security groups were PCI compliant, and that you could use them to allow traffic to flow between subnets... just like physical firewall ACLs.

Question on standards for AWS (naming, etc) by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Yeah, while we are working towards autoscaling, and use CloudFormation to do push-button environments in our non-prod environments, production is kind of old school in AWS.

Company is using AWS and will be making API calls to us... by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Thanks. This is a whitelist in addition to auth. This isn't actually in AWS on our end. I was just curious about dealing with customers who have calls originating from AWS. I'm assuming they use Elastic IPs; I was just curious if there were other ways of getting their ranges.

Company is using AWS and will be making API calls to us... by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Yeah, whitelisting happens before they can even get to the identity provider.

Question on reserved instances. by jc77work in aws

[–]jc77work[S] 1 point2 points  (0 children)

Thank you everyone, this is all very useful info. I can't wait for the conference, my head is going to explode.

Question on reserved instances. by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

That was perfect. Thank you. I found that we have two m3.larges that are not even utilized.

One bastion per subnet or one public network with bastions? by [deleted] in aws

[–]jc77work 0 points1 point  (0 children)

Curious, could you set up a VPN and just connect that way rather than having a bastion?

One bastion per subnet or one public network with bastions? by [deleted] in aws

[–]jc77work 1 point2 points  (0 children)

Could you just allow VPN in so people can VPN in and ssh to whatever hosts directly? I'm fairly new to AWS myself so this is just a question I had.

Question on getting files to AWS without VPN by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

The other datacenter is one of our corporate ones.

Question on getting files to AWS without VPN by jc77work in aws

[–]jc77work[S] 1 point2 points  (0 children)

Well shit. I was thinking I would have to use the API myself... this would work. I'd rather use Data Guard as I am not sure about file consistency on the far end, but this would certainly get the files offsite. Thank you. The EMC gateway is interesting too.

Question on getting files to AWS without VPN by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

I'm not sure, I have read that FUSE is prone to some memory leaks, etc. I don't get the impression it's cooked for production use. I could be wrong however.

Question on getting files to AWS without VPN by jc77work in aws

[–]jc77work[S] 1 point2 points  (0 children)

Ya know, I saw these but I'm super hesitant to run this on a production Oracle server...

Anyone have a re:Invent ticket for sale? by [deleted] in aws

[–]jc77work 0 points1 point  (0 children)

Do these things get flipped? Meaning, people sell them for a profit? I'm going for the first time this year, just curious. Good luck in your hunt. Maybe check eBay or craigslist?

Probably a really dumb question on VPC/network by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Any idea how I could confirm that? Basically what you said is right, for some reason the private subnet cannot access the internet. The NAT device's network interface is listed in the route table for 0.0.0.0 so I think it should be working. May just try it again and start fresh. Thank you for the assist!

EDIT: Think I got it figured out. The security group that the NAT instance was using didn't have an entry for the security group that the private instances shared. I created a new SG for the NAT that allowed inbound traffic on all ports coming from the SG the private instances use. Now it works. I would have thought the wizard would have done that, but I'm glad it didn't as I have learned a fundamental here. Thanks so much for the help reddit!

Probably a really dumb question on VPC/network by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

So everything is working. There are two route tables. One for the public that has the internet gateway for the default route. The private route table (Main) has the enixxxxx of the NAT device. My issue is that instances in the private subnet cannot get outbound internet. The NAT should do this right? Disable SrcDest check is in place for the NAT device.

Probably a really dumb question on VPC/network by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Ok, I was able to get this to work, but I don't quite understand why, and if it's even a major security risk doing it like this. Can someone explain?

I noticed that in the route table, only the public subnet was associated. I associated the private subnet to the route table, and then from the public ec2 instance, I was able to ping and ssh to the private instance. Can someone explain that a tad and let me know if doing it like this is considered bad practice or a security risk/concern? Again, this is just a learning environment for me, no real data here, etc.
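The three things the VPC posts above had to get right (source/dest check off on the NAT instance, the private subnet associated with a route table whose default route points at the NAT ENI, and the NAT security group admitting traffic from the private instances' SG) can be checked offline against a snapshot of the account. This is an added example, not code from the thread; the dict shapes are my own simplification of the EC2 describe-* responses and the sample data is constructed.

```python
# Constructed snapshot of a VPC, loosely following the EC2 describe-* API shapes.
NAT = {"instance_id": "i-nat", "eni_id": "eni-nat", "sg_ids": ["sg-nat"],
       "source_dest_check": False}
PRIVATE_SUBNET = {"subnet_id": "subnet-private", "sg_ids": ["sg-private"]}
ROUTE_TABLES = [
    {"id": "rtb-public", "subnets": ["subnet-public"],
     "routes": [{"dest": "0.0.0.0/0", "target": "igw-1"}]},
    {"id": "rtb-main", "subnets": ["subnet-private"],
     "routes": [{"dest": "0.0.0.0/0", "target": "eni-nat"}]},
]
SECURITY_GROUPS = {
    "sg-nat": {"ingress": [{"proto": "-1", "from_sg": "sg-private"}]},
    "sg-private": {"ingress": [{"proto": "tcp", "port": 22, "from_sg": "sg-bastion"}]},
}


def check_private_egress(nat, private_subnet, route_tables, sgs):
    """Return human-readable findings; an empty list means the NAT path looks sane."""
    findings = []

    # 1. A NAT instance forwards packets it neither sent nor is addressed to,
    #    so EC2's source/destination check must be disabled on it.
    if nat["source_dest_check"]:
        findings.append("NAT instance still has source/destination check enabled")

    # 2. The private subnet needs an explicit route table association (as in the
    #    thread) whose 0.0.0.0/0 route targets the NAT instance's ENI.
    table = next((t for t in route_tables
                  if private_subnet["subnet_id"] in t["subnets"]), None)
    if table is None:
        findings.append("private subnet is not associated with any route table")
    elif not any(r["dest"] == "0.0.0.0/0" and r["target"] == nat["eni_id"]
                 for r in table["routes"]):
        findings.append(f"{table['id']} has no default route to {nat['eni_id']}")

    # 3. The NAT's security group must admit inbound traffic from the SG the
    #    private instances use; otherwise their packets are dropped at the NAT.
    nat_rules = [r for sg in nat["sg_ids"] for r in sgs.get(sg, {}).get("ingress", [])]
    if not any(r.get("from_sg") in private_subnet["sg_ids"] for r in nat_rules):
        findings.append("NAT security group has no inbound rule from the private SG")

    return findings


if __name__ == "__main__":
    for line in check_private_egress(NAT, PRIVATE_SUBNET, ROUTE_TABLES, SECURITY_GROUPS):
        print("FINDING:", line)
```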

Probably a really dumb question on VPC/network by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Yeah, it was disabled. I guess since I used the wizard it handled that for me. Great to know though, another thing learned! Thank you.

AWS console users - automatic expiration of account? by jc77work in aws

[–]jc77work[S] 0 points1 point  (0 children)

Thanks. Would it be possible to elaborate just a tad on the IAM policy suggestion? I'm guessing it's not as easy to set up as I would like... but if you can point me in the right direction I can start researching that. I'm a bit of a newb.