Amazon Web Services Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Why do I have to add "All Traffic" & "0.0.0.0/0" when configuring an AWS ACL for Nat Access to AWS Cognito?

When I have my ACL’s Configured like this, My lambda is not able to send Admin SDK calls to Cognito.

But when I add "All Traffic" & "0.0.0.0/0" instead of 80 and 443 the. calls go through.
Is the SDK using more than 80 and 443 to make SDK calls to AWS Cognito?

My current config:
Public Subnet
Public Subnet
Public Subnet

Private Subnet
Private Subnet
Private Subnet

Security Group for the Lambda
Security Group for the Lambda
Security Group for the Lambda

I really would like to only allow the ports needed.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I'm not sure why the above poster is an "Reconized by AWS"...

    It looks like instead of allowing access to all ip ranges on your internal network. You can allow only needed ip ranges for specific AWS Resources. The Lambda needs the Epemeral Ports to connect, but only needs to. connect to the Resources Needed. https://docs.aws.amazon.com/vpc/latest/userguide/nacl-ephemeral-ports.html

    For me, I need to connect to AWS Cognito and Api Gateway. So, i'll allow access only to those IP Ranges. I'll have to look into whether the AWS Ip ranges change periodiclly. But, if they do then it souldnt be to hard to use the JSON to automate a process to update. https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html


  2. 0

    As a general rule, you should leave the Network ACLs configured at their default "Allow All" access.

    NACLs mirror the capability of physical-world routers. They control traffic that moves between subnets, just like real-world routers. NACL rules are ‘stateless’ meaning that rules need to be defined in both directions.

    These days, cloud services like AWS offer Security Groups. Security Groups are more capable than NACLs because they allow stateful connections that remember the original request and permit the response even if is not specifically defined in the rules. For example, if port 80 is open to incoming requests, then the security group will allow the response to be sent even if there is no explicit rule allowing the return traffic (which is convenient, because such requests come on a wide range of source ports).

    There should be very little need to use NACLs. They are typically only required when special security is required, such as when creating network DMZs. They are quite complex to get right since all ports must be specifically permitted in both directions.

    Bottom line: Leave the NACLs at their default ‘Allow All’ settings. Use Security Groups to control traffic.

    Bonus info: There is no need to assign Inbound Rules on the Security Group of a Lambda function. No externally-originated traffic goes ‘to’ a Lambda function. A Security Group will allow responses to come into the Lambda environment where a request was sent outwards from the Lambda function due to the stateful nature of the Security Group, so Inbound Rules are not needed and not used.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search