Posts

Showing posts from 2023

AWS - WAF (Web Application Firewall)

Amazon Web Services (AWS) Web Application Firewall (WAF) is a security service that protects web applications from common attacks. WAF lets you configure rules that allow, block, or count (monitor) web requests based on conditions you define. Conditions can match source IP addresses, country of origin, HTTP headers and body, or URI paths. WAF can also monitor an application's login page for unauthorized access to user accounts (account takeover attempts). A WAF is different from a standard network firewall, which provides a barrier between external and internal network traffic: a WAF sits between external users and the web application and inspects the HTTP traffic itself. I already have a website running on an EC2 instance and accessible via an ALB. I am going to create a WAF rule that denies access to the page from the United States. Adding the ALB as the resource to AWS WAF: Creating a rule: I am going to respond with HTTP status code 400 and a custom response. We are done creating the WAF rule. L...

AWS - VPC Flow Logs

In this post, we will see what a VPC flow log is and how to capture one for an EC2 instance. VPC Flow Logs is a feature that lets you capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. After you create a flow log, you can retrieve and view the flow log records in the log group, bucket, or delivery stream that you configured. I have an EC2 instance running an HTTP server delivering static content on port 80. Next, I am going to create a CloudWatch log group, which will be the destination for the VPC flow logs. Then we need to create an IAM role that the VPC Flow Logs service (service principal vpc-flow-logs.amazonaws.com) can assume to create log streams and put log events in that group; we attach that IAM role to the flow log when we create it. We are done creating an IAM role with the required policy. Let's proceed with the VPC flow log capture. Select the EC2 network...
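Once the flow logs land in the log group, the records for the web server's ENI are plain space-separated lines in the default (version 2) format. The following is an added example, not code from the original post: a parser for that default format plus two simple detections a practitioner would run over the records, namely which sources had connections rejected by the security group or NACL (and across how many ports), and how many bytes of accepted traffic each client sent to port 80. The log lines, the account ID and the ENI ID are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Parse VPC Flow Log records in the default v2 format and flag rejected
and scan-like traffic against an EC2 web server listening on port 80.

Added example; the sample records, account ID and ENI ID are constructed
and are not taken from the original post.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Field order of the default flow log record format (version 2).
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# Constructed sample: one HTTP exchange (both directions are logged as
# separate flows), one source probing three closed ports, one rejected
# HTTPS attempt, and a NODATA record for a window with no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.45 10.0.1.23 51234 80 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.45 80 51234 6 10 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.23 40001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.23 40002 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.23 40003 8080 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.99 10.0.1.23 33333 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    byte_count: int
    start: int         # window start, Unix seconds
    end: int           # window end, Unix seconds
    action: str        # ACCEPT or REJECT
    log_status: str    # OK, NODATA or SKIPDATA


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record. NODATA/SKIPDATA records carry '-'
    in the traffic fields and are returned as None."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS) or parts[0] != "2":
        raise ValueError(f"not a v2 default-format record: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        byte_count=int(rec["bytes"]), start=int(rec["start"]),
        end=int(rec["end"]), action=rec["action"],
        log_status=rec["log_status"],
    )


def parse_records(lines: Iterable[str]) -> List[FlowRecord]:
    """Parse all non-empty lines, dropping NODATA/SKIPDATA records."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec is not None:
            out.append(rec)
    return out


def rejected_by_source(records: Iterable[FlowRecord]) -> Dict[str, List[int]]:
    """Map each source address to the sorted destination ports on which
    the security group or NACL rejected its traffic."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items()}


def probable_port_scanners(records: Iterable[FlowRecord], min_ports: int = 3) -> List[str]:
    """Sources rejected on at least min_ports distinct ports in the window."""
    return sorted(src for src, p in rejected_by_source(records).items() if len(p) >= min_ports)


def accepted_http_bytes(records: Iterable[FlowRecord], web_port: int = 80) -> Dict[str, int]:
    """Bytes accepted on the web port (TCP only), grouped by client address.
    Only the client-to-server direction has dstport == web_port."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT" and r.protocol == 6 and r.dstport == web_port:
            totals[r.srcaddr] += r.byte_count
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    print("rejected ports by source:", rejected_by_source(recs))
    print("probable scanners:", probable_port_scanners(recs))
    print("accepted bytes to port 80:", accepted_http_bytes(recs))
```

Two things to keep in mind when reading the output: each record is an aggregate over a capture window, not a packet, so a single REJECT line with one packet can still be one SYN per port of a scan; and a flow log on the instance's ENI only sees traffic that reaches the ENI, so it will not show what the WAF or ALB dropped in front of the instance.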

AWS - S3 with Customer Managed Keys

In this post, we will see how to create a KMS key and use that key to encrypt an S3 bucket. We will see what happens when uploading an object without specifying a key, with the default S3-managed encryption key (SSE-S3), and with the customer managed KMS key we created. Let's create a KMS key. Now that we have the key, let's use it for S3 bucket encryption. Now that we have a bucket, we update the bucket policy as below and try to upload an object. The policy denies s3:PutObject when the server-side encryption requested for the object (the s3:x-amz-server-side-encryption condition key) is not "AES256". I try to upload with the default S3 encryption key and it fails. So, since we are using AWS KMS, the policy has to require "aws:kms" instead: to upload objects using the customer managed KMS key we update the policy as below. Let's upload again. It works.

AWS - VPC Endpoint

A VPC endpoint enables customers to privately connect to supported AWS services and to VPC endpoint services powered by AWS PrivateLink. Instances in the VPC do not require public IP addresses to communicate with the resources of the service. A VPC endpoint enables connections between a virtual private cloud (VPC) and supported services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. We will create two subnets, Public and Private, and test S3 bucket access from both. Since the public subnet routes to the Internet Gateway, we should be able to access S3 buckets from EC2 instances launched in the Public Subnet. We will then try to access the S3 bucket from the Private Subnet. Now, we will create a VPC endpoint for S3 (S3 uses a gateway endpoint, which works by adding a route for the S3 prefix list to the route tables you select, so traffic to S3 never leaves the AWS network). Next, we need to select the VPC. I created a VPC called "DemoVPC" with Public and Private Subnets. Next is the important...

AWS - Transit Gateway

In this post, we will see what an AWS Transit Gateway is. In the last post, we looked at VPC peering. One of the major problems with VPC peering is that the number of peering connections grows quickly as the number of VPCs grows, and peering is not transitive. Imagine you have three VPCs A, B and C peered as A -> B and B -> C. You cannot reach VPC-A from VPC-C via VPC-B. This problem is addressed by Transit Gateway. It works like a typical L3 router: it learns about the networks (VPCs) attached to it and updates its route table accordingly. We have two VPCs: VPC1 - 10.0.0.0/16 -> Subnet 10.0.1.0/24; VPC2 - 198.0.0.0/16 -> Subnet 198.0.1.0/24 (note that 198.0.0.0/16 is not an RFC 1918 private range; it works inside a VPC, but it shadows those public addresses for instances in VPC2, so a private range is the safer choice in practice). I have created two Internet Gateways and attached them to VPC1 and VPC2, and updated the route table of VPC1 to reach 0.0.0.0/0 via Internet Gateway1 and that of VPC2 to reach 0.0.0.0/0 via Internet Gateway2. Those are the basic steps, so I am going to proceed with creating a Transit Gateway. Once the TGW (Transit Gateway) is created, proceed to create a TGW attac...