AWS Security: Unprotected applications in VPC

Ranch Hand
Posts: 32
Hi Dylan,

In the enterprise that I work in we have a number of services (applications) that are only accessible inside the VPC. A lot of these services don't have any security. Architects and team leads say that it is secure enough because no one from outside has access to these apps.
Do you agree with this statement, or do you think that these apps should have at least basic internal security (for example, JWT or an API key)?
Author
Posts: 9
Hey Al,

This conversation comes up all the time!

My opinion here is that generally you should still be securing internal applications, even if they're only accessible within a private network. People make mistakes all the time in configuring networks, and it can be pretty easy to mess up a firewall rule, or place an application in the wrong subnet, or add an internet gateway or peering link in the wrong place. And then your applications are exposed. Having some basic authentication/authorization checks in your internal applications can give you a second level of defense in the case that your application is inadvertently exposed, or an attacker finds a way into your network.

Additionally, if you have multiple applications running in the same VPC, there's a blast radius issue. If one application is compromised, an attacker could leverage the position of that application on the network to compromise the rest of the unsecured applications.

There are also potential insider threat concerns, though that depends on the nature of the applications and what kind of access insiders have.

Dylan
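One way to put the "basic authentication/authorization checks" Dylan describes in front of an internal endpoint, as an added Python example that is not code from the original thread or from any AWS SDK: the handler accepts either an API key (compared by hash, in constant time) or an HS256 JWT (algorithm pinned, signature and expiry verified), and the caller's network position plays no part in the decision. The secrets, key and claims are constructed for the example, and mint_jwt stands in for a real token issuer.

```python
import base64
import hashlib
import hmac
import json

# Constructed secrets for this example only; a deployed service loads them from a secrets store.
API_KEY_HASHES = {hashlib.sha256(b"internal-key-demo").hexdigest()}
JWT_SECRET = b"shared-hs256-secret-demo"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def api_key_valid(presented: str) -> bool:
    """Hash the presented key and compare it against stored hashes in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return any(hmac.compare_digest(digest, stored) for stored in API_KEY_HASHES)

def mint_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Issue an HS256 token; stands in for the token issuer (constructed for the example)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def jwt_valid(token: str, now: float) -> bool:
    """Verify an HS256 JWT: pinned algorithm, HMAC signature, then expiry. Any defect rejects."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return False
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        return float(json.loads(_b64url_decode(payload_b64))["exp"]) > now
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def handle_request(headers: dict, now: float) -> int:
    """Return the HTTP status an internal endpoint should send: 200 only with valid credentials."""
    auth = headers.get("Authorization", "")
    if auth.startswith("ApiKey ") and api_key_valid(auth[len("ApiKey "):]):
        return 200
    if auth.startswith("Bearer ") and jwt_valid(auth[len("Bearer "):], now):
        return 200
    return 401  # the caller's position on the network is never consulted here
```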
Al Razor
Ranch Hand
Posts: 32

Dylan Shields wrote:Hey Al,

This conversation comes up all the time!

My opinion here is that generally you should still be securing internal applications, even if they're only accessible within a private network. People make mistakes all the time in configuring networks, and it can be pretty easy to mess up a firewall rule, or place an application in the wrong subnet, or add an internet gateway or peering link in the wrong place. And then your applications are exposed. Having some basic authentication/authorization checks in your internal applications can give you a second level of defense in the case that your application is inadvertently exposed, or an attacker finds a way into your network.

Additionally, if you have multiple applications running in the same VPC, there's a blast radius issue. If one application is compromised, an attacker could leverage the position of that application on the network to compromise the rest of the unsecured applications.

There are also potential insider threat concerns, though that depends on the nature of the applications and what kind of access insiders have.

Dylan

Thank you, Dylan!
Then it will require some additional discussion.