Reputation: 7786
Downside of using public subnet with strict whitelisting vs using private subnet for AWS cloud resources
AWS recommends using private subnets for private resources.
Use private subnets for your instances if they should not be accessed directly from the internet. Use a bastion host or NAT gateway for internet access from an instance in a private subnet.
However, I want to understand the rationale on how is this better on putting the resource, lets say an EC2 instance on a public subnet. Then add some very strict security group to prevent public access. How is this the less secure approach? Or is it technically the same outcome security wise?
Upvotes: 3
Views: 451
Answers (1)
Reputation: 4516
I've never heard of a security group failing, so if you properly configure your security group with a restricted list of IP addresses/ports, you should be secure.
BUT
In a typical cloud-deployed application, you do not have or want strictly-controlled access. Instead, the typical cloud-deployed application is a web-app that exposes port 80 to the world.
And once you expose any port to the world, your security is entirely dependent on what is listening to that port. Do you have a vulnerability in your web-server? You've now given your attacker the ability to access resources inside your network. If your server has AWS access keys, then the attacker has them as well.
The goal of putting your servers in a private subnet, with a load balancer in front of them, is to reduce your attack surface. It's presumably less likely that attackers will be able to find an exploit in an ALB (versus Apache, nginx, or whatever you're using), and presumably more likely that AWS will be able to mitigate any such exploit faster than you can (because they don't need to wait for patches to become available from an external maintainer).
Of course, the code you wrote could have an exploit that's triggered from a standard HTTP(S) request. However, even in this case, you can reduce blast radius by controlling what your application can access. An instance with a public IP can access anything on the Internet unless you strictly control the egress rules in its security group. In a private subnet, it can only access stuff within the VPC.
So, ultimately, it's a matter of simplicity: yes, you can craft a secure environment where every host is on the Internet. That was, in fact, the way that AWS worked prior to the introduction of VPCs. But it's easier to rely on the VPC to provide a base level of security (just like, in non-cloud deployments, you rely on the corporate firewall to provide a base level of security).
Upvotes: 2
Related Questions
- Why do AWS recommend public and private subnets with a nat gateway?
- Public/Private Subnet Architecture on AWS
- AWS - Are security groups enough or is there a need for private and public subnets?
- AWS RDS "Publicly Accessible = No" vs instance in private subnet
- How safe is to use public subnet?
- When to use Public Subnet vs Private Subnet?
- Amazon EC2: instace in public subnetwork without public IP vs instance in private subnetwork
- Best practice to restrict unauthorized users from accessing instances inside private subnet
- AWS private subnet security group egress whitelist for AWS services?
- What are the reasons to use private subnet in aws vpc?