AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Notebook Direct Internet Access
More Info:
Ensure that Amazon SageMaker notebook instances are not publicly accessible.
Risk Level
Medium
Address
Cost optimization, Operational Maturity, Security
Compliance Standards
GDPR, HITRUST, SOC2
Triage and Remediation
Remediation
To remediate the misconfiguration of Notebook Direct Internet Access for AWS DynamoDB using the AWS console, follow these steps:
-
Access AWS Management Console: Go to the AWS Management Console at https://aws.amazon.com/ and log in with your credentials.
-
Navigate to DynamoDB: Click on the “Services” dropdown menu at the top of the page and select “DynamoDB” under the “Database” category.
-
Select the DynamoDB Table: In the DynamoDB dashboard, select the table that you want to remediate the direct internet access for.
-
Update Table VPC Settings:
- In the table details page, click on the “Overview” tab.
- Under the “VPC Settings” section, click on the “Edit” button.
-
Modify VPC Configuration:
- In the VPC configuration window, select the appropriate VPC from the dropdown menu.
- Choose the desired security group that allows access to the DynamoDB table.
- Ensure that the selected security group allows access only from trusted sources and restricts direct internet access.
-
Save Changes: After updating the VPC settings and security group, click on the “Save” button to apply the changes.
-
Verify Configuration:
- Once the changes are saved, verify that the DynamoDB table no longer has direct internet access.
- Test the access to the DynamoDB table from authorized sources within the VPC.
By following these steps, you can remediate the misconfiguration of Notebook Direct Internet Access for AWS DynamoDB using the AWS Management Console.
To remediate the misconfiguration of allowing direct internet access to an AWS DynamoDB table, you can follow these steps using the AWS CLI:
-
Update the VPC Security Group:
- Identify the VPC security group associated with the DynamoDB table.
- Modify the inbound and outbound rules of the security group to restrict access only to trusted sources, such as specific IP addresses or other AWS resources within the VPC.
-
Deny Internet Access:
- Update the security group rules to deny inbound traffic from 0.0.0.0/0 (internet) to the DynamoDB table’s port (default is 443 for DynamoDB).
- Update the outbound rules to deny traffic from the DynamoDB table to the internet.
-
Verify Changes:
- Use the AWS CLI to describe the security group associated with the DynamoDB table to verify that the changes have been applied successfully.
-
Example AWS CLI Commands:
-
To describe the security group:
aws ec2 describe-security-groups --group-ids <security-group-id> -
To update the inbound rules to deny internet access:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 443 --cidr 0.0.0.0/0 -
To update the outbound rules to deny internet access:
aws ec2 revoke-security-group-egress --group-id <security-group-id> --protocol tcp --port 443 --cidr 0.0.0.0/0
-
-
Monitor and Test:
- Monitor the DynamoDB table access logs and test the application to ensure that it is functioning correctly after the changes.
By following these steps and using the AWS CLI commands provided, you can remediate the misconfiguration of allowing direct internet access to an AWS DynamoDB table.
To remediate the misconfiguration of allowing direct internet access to an AWS DynamoDB table using Python, you can follow these steps:
Step 1: Update the AWS Security Group associated with the DynamoDB table to restrict access only to specific IP addresses or VPC endpoints.
Step 2: Use the AWS SDK for Python (Boto3) to modify the security group settings. Here’s a sample Python code snippet to update the security group:
import boto3
# Initialize the DynamoDB client
client = boto3.client('dynamodb')
# Specify the security group ID associated with the DynamoDB table
security_group_id = 'your_security_group_id'
# Specify the rules to allow access only from specific IP addresses or VPC endpoints
ip_permissions = [
{
'IpProtocol': 'tcp',
'FromPort': 0,
'ToPort': 65535,
'IpRanges': [
{
'CidrIp': 'your_allowed_ip_range'
}
]
}
]
# Update the security group with the new rules
response = client.authorize_security_group_ingress(
GroupId=security_group_id,
IpPermissions=ip_permissions
)
print(response)
Replace your_security_group_id with the actual security group ID associated with the DynamoDB table and your_allowed_ip_range with the specific IP address range that should have access to the DynamoDB table.
Step 3: Run the Python script to update the security group settings and restrict access to the DynamoDB table.
By following these steps and running the Python script, you can remediate the misconfiguration of allowing direct internet access to an AWS DynamoDB table by restricting access to specific IP addresses or VPC endpoints.