Wednesday, April 11, 2018

Managing SSH Whitelists on AWS with awswl

If you have EC2 instances on AWS, it is common for them to sit behind firewalls implemented with VPC Security Groups. That means that if you need to reach these servers directly, you cannot unless you take deliberate steps to allow it.

In an enterprise AWS account, there are lots of good solutions to this problem. Firstly, if you are far enough down the containerization path, you may argue that directly accessing the instances via SSH is to be avoided, and that you should only be building and deploying containers. Alternately, if you do need to access these servers, you can likely do so over a VPN, either hardware or software.

However, for a smaller AWS account, like a small project or small business, these solutions may be more complicated than you want. I find myself needing to access small AWS accounts from a variety of places, since I move around a fair bit meeting with clients and working, and I need to reach EC2 instances while I do. So I wanted a tool that would let me quickly add and remove my current external IP address, or particular networks (expressed as CIDR blocks), in an AWS security group.

So I built a little open-source tool. Since the most popular AWS client library is boto, and since Python is a reasonable choice for a simple cross-platform CLI tool, I built it in Python. I called it awswl (AWS whitelist) and I've been refining it, adding tests and documentation, and making sure it works with both Python 2 and Python 3. Now it's finally ready to release to the wild.
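To make the core operation concrete, here is an added example (not the awswl source) of the two calls such a tool boils down to: normalising an address or CIDR block and then authorising or revoking a TCP/22 ingress rule on a security group through the boto3 EC2 client API. The `RecordingClient` stub, the `sg-` ID and the addresses are constructed so it runs offline; a real `boto3.client("ec2")` can be passed in its place, and the prefix-length check is an assumption added here so a typo like `0.0.0.0/0` cannot silently open SSH to the world.

```python
"""Add or remove an SSH allow-rule for one CIDR on an EC2 security group.

Added example, not awswl's own code. `client` is any object exposing
boto3's authorize_security_group_ingress / revoke_security_group_ingress.
"""
import ipaddress

SSH_PORT = 22


def normalize_cidr(addr: str, min_prefix_v4: int = 24, min_prefix_v6: int = 64) -> str:
    """Turn a bare IP into a host CIDR (/32 or /128) and reject networks broader
    than the minimum prefix length (assumed policy, not part of awswl)."""
    net = ipaddress.ip_network(addr, strict=False)
    floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
    if net.prefixlen < floor:
        raise ValueError(f"{net} is broader than /{floor}; refusing to whitelist it")
    return str(net)


def ssh_permission(cidr: str) -> dict:
    """Build the IpPermissions entry boto3 expects for TCP/22 from one CIDR,
    using IpRanges for IPv4 and Ipv6Ranges for IPv6."""
    net = ipaddress.ip_network(cidr)
    perm = {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT}
    if net.version == 4:
        perm["IpRanges"] = [{"CidrIp": str(net), "Description": "ssh whitelist"}]
    else:
        perm["Ipv6Ranges"] = [{"CidrIpv6": str(net), "Description": "ssh whitelist"}]
    return perm


def allow_ssh(client, group_id: str, addr: str) -> dict:
    perm = ssh_permission(normalize_cidr(addr))
    return client.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[perm])


def revoke_ssh(client, group_id: str, addr: str) -> dict:
    perm = ssh_permission(normalize_cidr(addr))
    return client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[perm])


class RecordingClient:
    """Offline stand-in for a boto3 EC2 client: records the calls it receives."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize", kw))
        return {"Return": True}

    def revoke_security_group_ingress(self, **kw):
        self.calls.append(("revoke", kw))
        return {"Return": True}
```

Calling `allow_ssh(RecordingClient(), "sg-0123456789abcdef0", "203.0.113.7")` records an authorize call whose single permission carries `CidrIp: 203.0.113.7/32` on port 22; the same arguments to `revoke_ssh` remove it again.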

You can find it on PyPI if you want to install it, on GitHub if you want to read the source or contribute, and you can browse the documentation on either one.
