Good afternoon! Today's article demonstrates a surprisingly easy way to tighten the network-layer permissions in an AWS VPC. (If you're in AWS but you're not in a VPC: 😡) Security Groups have ingress and egress rules (also called inbound and outbound rules). In most SGs, the egress rules allow all traffic to everywhere. You've probably seen … Continue reading Securing AWS Security Groups: Restricting Egress Rules →

Today I'll show you how to pass traffic through an AWS Security Group that's configured not to allow that traffic. This isn't esoteric hacking, it's a detail in the difference between config and state that's easy to miss when you're operating an infrastructure. Like I showed in a previous post, AWS Security Groups are stateful. … Continue reading Beating AWS Security Groups →

Hello! Recently, I rediscovered a fiddly networking detail: although ICMP's ping is stateless, AWS security groups will pass return ping traffic even when only one direction is defined in their rules. I wanted to see this in action, so I built a lab. If you just asked, "Wat❓", keep reading. Skip to the next section if … Continue reading AWS Security Groups: Stateful Statelessness →