AWS Pro-Tips: SSL Certificates & Bastion Security


Andrew Turner

March 30, 2016


  1. AWS Pro-Tips: SSL Certificates & Bastion Security

  2. SSL Certificates

  3. Standard Process
    1. Purchase SSL Certificate from Certificate Authority
    2. CA conducts verification process
    3. Generate a CSR and private key
    4. Download certificate
    5. Install certificate on server
  4. Certificate Types & Levels
    • Single Domain: dialexa.com
    • Wildcard: *.dialexa.com
    • Multiple Domain (SAN): www.dialexa.com
    • Domain Validation
    • Organization Validation
    • Extended Validation
  5. AWS Certificate Manager: Free SSL Certificates

  6. AWS Certificate Manager
    • Free and easy!
    • AWS is a recognized Certificate Authority
    • Single, Wildcard, and Multiple Domain Certificates (Domain Validation)
    • Fast verification via email confirmation
  7. AWS Certificate Manager
    • Domain verification emails are only sent to:
      • WHOIS record email address
      • administrator@your_domain
      • hostmaster@your_domain
      • postmaster@your_domain
      • webmaster@your_domain
      • admin@your_domain
    • Only able to be used with AWS:
      • Elastic Load Balancer
      • CloudFront
      • Elastic Beanstalk (via workaround, not officially supported)
  8. AWS Certificate Manager

  9. AWS Certificate Manager

  10. Additional Resources: SSL Certificates
    • AWS Certificate Manager
      https://aws.amazon.com/certificate-manager
    • AWS Certificate Manager + Elastic Beanstalk
      https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8
    • How to Install an SSL Certificate
      https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
  11. Bastion Security

  12. bastion (noun): an institution, place, or person strongly defending or upholding particular principles, attitudes, or activities
  13. bastion server (noun): A bastion is a special purpose server instance that is designed to be the primary access point from the internet and acts as a proxy to your other instances.
  14. Best Practices
    • Only use the bastion server for SSH access
    • Restrict access to known IP addresses
    • Do not store the master key pair (pem) on bastion
    • Instead, grant access to servers using individual SSH keys
    • Enable SSH Forwarding when connecting to bastion
  15. SSH Forwarding

  16. SSH Forwarding

    Enable agent forwarding inline:

      $ ssh -A user@bastion

    ~/.ssh/config:

      Host bastion
        Hostname
        User username
        ForwardAgent yes

      Host private1
        Hostname
        User username
        ProxyCommand ssh bastion -W %h:%p
  17. SSH Forwarding: Successful connection (with agent forwarding) to 1st server

  18. SSH Forwarding: SSH request to 2nd server

  19. SSH Forwarding: 2nd server checks authorized_keys and sends key challenge

  20. SSH Forwarding: 1st server forwards key challenge to originating host

  21. SSH Forwarding: Originating host sends key response to 1st server, who then forwards it to 2nd server

  22. SSH Forwarding: 2nd server grants access!

  23. SSH Keys

    Retrieve user’s public keys from GitHub:

      https://github.com/galenandrew.keys

      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwof5GF+86suEtuGmdqlIfINE6ya7Y/WVHJtIhaCU2w5zLzTlnNwr1D+s1w+PTcz0aM3/qw673bp+Qn69X3wOipV/vtFHqmL+WCPE4fmklSRonLQEmWQNPCkOywQXD+GtLtIZUy8mM1nh0K2qlEeQCk7uVUcdHrb6ZSFmt4ZbNGuJRYtA0oLw5R+DjrZaDmncTXEVqigPBHHf6hazj0BCTlsFLY66haZNf8YNbSOe7GjQ5aTwQcgjv519fB6e0AnmtprOmJAVw0JHt9AAUHsYPTZTMSscT/G02oFn3+22YXDjQOpBS/R9QjkltgcnuacIrhIeA5K0UEy8GOMMg30IV

    NPM module to easily fetch user’s public keys from GitHub:

      $ github-ssh-keys --format galenandrew >> authorized_keys
  24. Additional Resources: SSH and Bastion
    • An Illustrated Guide to SSH Agent Forwarding
      http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
    • Using an SSH Bastion Host
      http://blog.scottlowe.org/2015/11/21/using-ssh-bastion-host/
    • Utility to fetch GitHub SSH Keys by User
  25. Thank you!
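
Slide 23 appends fetched keys straight into authorized_keys, so it helps to vet each line and record its fingerprint before it lands there. The following is an added example, not code from the deck or from the github-ssh-keys module; the function names, the allowed key types, the 2048-bit RSA floor and the sample lines are assumptions constructed for illustration.

```python
import base64
import hashlib

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa"}  # assumed local policy
MIN_RSA_BITS = 2048                         # assumed local policy

def wire_fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if end > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos + 4:end])
        pos = end
    return fields

def vet_key_line(line):
    """Return (accepted, detail): detail is the fingerprint or the reason."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False, "first token is not an allowed key type"
    try:
        blob = base64.b64decode(parts[1], validate=True)
        fields = wire_fields(blob)
    except ValueError as err:  # binascii.Error is a ValueError subclass
        return False, f"malformed key blob: {err}"
    if not fields or fields[0] != parts[0].encode():
        return False, "declared type does not match key blob"
    if parts[0] == "ssh-rsa":  # blob fields: type, exponent e, modulus n
        bits = int.from_bytes(fields[2], "big").bit_length() if len(fields) == 3 else 0
        if bits < MIN_RSA_BITS:
            return False, f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}"
    if parts[0] == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        return False, "Ed25519 public key must be 32 bytes"
    digest = hashlib.sha256(blob).digest()
    return True, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_line(key_type, *fields):  # builds constructed samples, not real keys
    raw = b"".join(len(f).to_bytes(4, "big") + f for f in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(raw).decode()} constructed-sample"

SAMPLE = [  # constructed input standing in for a downloaded key list
    make_line("ssh-ed25519", bytes(range(32))),
    make_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256),  # 2048-bit
    make_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128),  # 1024-bit
    "Not Found",  # an error body saved by mistake instead of a key
]
RESULTS = [vet_key_line(entry) for entry in SAMPLE]
```

`RESULTS` accepts the first two sample lines and rejects the last two; the fingerprint returned for an accepted line can be compared with the one the key's owner reports before the line is appended.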