Category: AWS VPC

Securing AWS Security Groups: Restricting Egress Rules
Good afternoon! Today's article demonstrates a surprisingly easy way to tighten the network-layer permissions in an AWS VPC. (If you're in AWS but you're not in a VPC: 😡) Security Groups have ingress and egress rules (also called inbound and outbound rules). In most SGs, the egress rules allow all traffic to everywhere. You've probably seen …
Beating AWS Security Groups
Today I'll show you how to pass traffic through an AWS Security Group that's configured not to allow that traffic. This isn't esoteric hacking, it's a detail in the difference between config and state that's easy to miss when you're operating an infrastructure. Like I showed in a previous post, AWS Security Groups are stateful. …
AWS Security Groups: Stateful Statelessness
Hello! Recently, I rediscovered a fiddly networking detail: although ICMP's ping is stateless, AWS security groups will pass return ping traffic even when only one direction is defined in their rules. I wanted to see this in action, so I built a lab. If you just asked, "Wat❓", keep reading. Skip to the next section if …