
Using a Jump Box to Limit Access to your AWS Environment


Introduction

A core principle of data security is limiting exposure to the minimum possible footprint to get the job done. Allowing Remote Desktop Protocol (RDP) access from anywhere is in conflict with this principle. RDP access to your environment can be limited to one port on one host* by using a jump box (also known as a bastion host). From the jump box you can access any other resources you need.

*Not accounting for high availability

Prerequisites

  • Understanding of public and private VPCs
  • Basic knowledge of EC2
  • Windows administration experience

Solution

Consider the following environment. There are four IIS servers in a VPC. To manage them, RDP access is needed. Here is the current architecture:

network diagram showing RDP open to the Internet
RDP is open to the whole world

The following Security Group is set up. It allows open access to the world for HTTP and HTTPS, which as a web server is fine. It is also open to the world for RDP, which is not fine. Port 3389 is a management port that can be compromised (see https://www.bleepingcomputer.com/news/security/windows-remote-desktop-services-used-for-fileless-malware-attacks/ and https://www.infosecurity-magazine.com/news/malicious-rdp-behavior-detected/ for just a few examples).

Security Group showing RDP open to 0.0.0.0/0.

The first step is to create a new Windows server. Most of the instance launch process is standard; the one addition is a new security group, here named “RDP Jump Box”, which for now allows RDP from anywhere.

Once this server is up and running, we can change the IIS security group so that it allows RDP access only from the jump box.

You can add one additional security enhancement. Right now the jump box is open to the internet. Change the RDP Jump Box security group to allow connections only from certain IP addresses or address ranges. To find out what your current external IP address is, you can simply search Google for “what is my IP” and Google will tell you. Then you can restrict RDP to that address or range. Once that is done, your network diagram looks like the one shown below. Note that ports 80 and 443 are still open to the world, but those ports are required for the web servers.

network diagram showing restricted RDP access.
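As an added check (example code, not part of the original post), the script below audits security-group rules in the shape returned by `aws ec2 describe-security-groups` and flags any group whose RDP rule admits 0.0.0.0/0 or ::/0. The sample data is constructed to mirror the before and after states described above; the group IDs and the admin CIDR are placeholders.

```python
"""Audit security-group ingress for world-reachable RDP (TCP/3389).
Input is the "SecurityGroups" list as returned by `aws ec2 describe-security-groups`.
Sample data below is constructed; group IDs and the admin CIDR are placeholders."""
RDP_PORT = 3389
WORLD = {"0.0.0.0/0", "::/0"}


def covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rdp_sources(groups):
    """Map each group ID to the set of sources allowed to reach RDP ("sg:<id>" for group sources)."""
    out = {}
    for sg in groups:
        srcs = out.setdefault(sg["GroupId"], set())
        for perm in (p for p in sg.get("IpPermissions", []) if covers_port(p, RDP_PORT)):
            srcs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            srcs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
            srcs.update("sg:" + p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return out


def world_open_rdp(groups):
    """Group IDs whose RDP rule admits the whole world (the finding in the post)."""
    return sorted(g for g, s in rdp_sources(groups).items() if s & WORLD)


def tcp_rule(port, cidrs=(), sg_ids=()):
    """Build one IpPermissions entry for a single TCP port (helper for the samples)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in sg_ids]}


# Constructed "before" state: the IIS group opens 80, 443 and 3389 to the world.
BEFORE = [{"GroupId": "sg-iis-PLACEHOLDER", "IpPermissions": [
    tcp_rule(80, ["0.0.0.0/0"]), tcp_rule(443, ["0.0.0.0/0"]), tcp_rule(RDP_PORT, ["0.0.0.0/0"])]}]

# Constructed "after" state: IIS trusts only the jump-box group for RDP, and the
# jump-box group trusts only the admin's address (203.0.113.10/32 is a placeholder).
AFTER = [
    {"GroupId": "sg-iis-PLACEHOLDER", "IpPermissions": [
        tcp_rule(80, ["0.0.0.0/0"]), tcp_rule(443, ["0.0.0.0/0"]),
        tcp_rule(RDP_PORT, sg_ids=["sg-jump-PLACEHOLDER"])]},
    {"GroupId": "sg-jump-PLACEHOLDER", "IpPermissions": [tcp_rule(RDP_PORT, ["203.0.113.10/32"])]},
]
```

Running `world_open_rdp(BEFORE)` reports the IIS group; on `AFTER` it reports nothing, and `rdp_sources(AFTER)` shows the IIS group reachable only via the jump-box group. Note that a rule with a port range spanning 3389, or with protocol "-1", is treated as exposing RDP too.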

Summary

Security is the second of the Five Pillars of the AWS Well-Architected Framework. A core tenet of network security is to minimize your potential attack vectors. Limiting RDP access to the absolute minimum is one step towards this goal.
