AWS Pro-Tips: SSL Certificates & Bastion Security

Andrew Turner

March 30, 2016

Transcript

  1. Standard Process
     1. Purchase SSL Certificate from Certificate Authority
     2. CA conducts verification process
     3. Generate a CSR and private key
     4. Download certificate
     5. Install certificate on server
  2. Certificate Types & Levels
     • Single Domain
       dialexa.com
     • Wildcard
       *.dialexa.com
     • Multiple Domain (SAN)
       dialexa.com
       www.dialexa.com
     • Domain Validation
     • Organization Validation
     • Extended Validation
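Step 3 of the standard process above (generate a CSR and private key), worked through for the Multiple Domain (SAN) case using the deck's own example names. This is an added example, not code from the deck; it assumes OpenSSL 1.1.1 or newer (for `-addext`) and that the output directory already exists. `gen_csr` writes the key with owner-only permissions, and the two helper functions show what a CA (or you, before submitting) can check: that the CSR's signature matches the key and that the SAN list contains every hostname the certificate must serve.

```shell
#!/bin/sh
# Added example (not from the deck): generate a private key and a SAN CSR.
# Assumes OpenSSL >= 1.1.1 so that `openssl req -addext` is available.

# gen_csr DIR PRIMARY_DOMAIN [EXTRA_DOMAIN ...]
# Writes DIR/PRIMARY_DOMAIN.key (mode 600) and DIR/PRIMARY_DOMAIN.csr whose
# subjectAltName lists the primary domain plus every extra domain given.
gen_csr() {
    dir=$1; primary=$2; shift 2
    sans="DNS:$primary"
    for extra in "$@"; do
        sans="$sans,DNS:$extra"
    done
    # Subshell so the restrictive umask (key readable by its owner only)
    # does not leak into the rest of the script.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/$primary.key" -out "$dir/$primary.csr" \
            -subj "/CN=$primary" -addext "subjectAltName=$sans" 2>/dev/null
    )
}

# csr_dns_names CSR -> one SAN hostname per line, as the CA will see them.
csr_dns_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_is_valid CSR -> exit 0 when the CSR's self-signature verifies,
# i.e. the request really was signed with the matching private key.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Demo with the deck's example names: a multi-domain request for dialexa.com.
if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    gen_csr "$out" dialexa.com www.dialexa.com
    csr_is_valid "$out/dialexa.com.csr" && echo "CSR verifies against its key"
    csr_dns_names "$out/dialexa.com.csr"
fi
```

The CN alone is not enough for modern browsers, which match only against the SAN list, so even a single-domain request should carry its name there; the same function produces a wildcard request when called with `'*.dialexa.com'`.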
  3. AWS Certificate Manager
     • Free and easy!
     • AWS is a recognized Certificate Authority
     • Single, Wildcard, and Multiple Domain Certificates (Domain Validation)
     • Fast verification via email confirmation
  4. AWS Certificate Manager
     • Domain verification emails are only sent to:
       • WHOIS record email address
       • administrator@your_domain
       • hostmaster@your_domain
       • postmaster@your_domain
       • webmaster@your_domain
       • admin@your_domain
     • Only usable with AWS services:
       • Elastic Load Balancer
       • CloudFront
       • Elastic Beanstalk (via workaround…not officially supported)
  5. Additional Resources: SSL Certificates
     • AWS Certificate Manager
       https://aws.amazon.com/certificate-manager
     • AWS Certificate Manager + Elastic Beanstalk
       https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8
     • How to Install an SSL Certificate
       https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
  6. bastion (noun): an institution, place, or person strongly defending or upholding particular principles, attitudes, or activities
  7. bastion server (noun): A bastion is a special purpose server instance that is designed to be the primary access point from the internet and acts as a proxy to your other instances.
  8. Best Practices
     • Only use the bastion server for SSH access
     • Restrict access to known IP addresses
     • Do not store the master key pair (pem) on bastion
     • Instead, grant access to servers using individual SSH keys
     • Enable SSH Forwarding when connecting to bastion
  9. SSH Forwarding
     Enable agent forwarding inline:
         $ ssh -A user@bastion
     ~/.ssh/config:
         Host bastion
             Hostname 0.0.0.0
             User username
             ForwardAgent yes
         Host private1
             Hostname 10.0.0.1
             User username
             ProxyCommand ssh bastion -W %h:%p
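The config above scopes `ForwardAgent yes` to the bastion block only, which is the point worth checking on every workstation: a forwarded agent can be used by anyone with root on the host it is forwarded to, so it belongs on the bastion and neither under `Host *` nor on the private hosts reached through it. The following audit script is an added example, not part of the deck; it assumes `awk` and a plain `Host`-block config (Match blocks are not handled, and only the first pattern on a multi-pattern `Host` line is used).

```shell
#!/bin/sh
# Added example (not from the deck): audit an ssh_config so that agent
# forwarding stays limited to the bastion host. Assumes awk is available.

# audit_ssh_config FILE -> prints one OK/FAIL line per host that enables
# ForwardAgent; exit 1 if forwarding is global (Host *) or applied to a host
# that is itself reached through ProxyCommand/ProxyJump.
audit_ssh_config() {
    awk '
        # Track the current Host block; the first pattern on the line is used.
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { fwd[host] = 1 }
        tolower($1) == "proxycommand" || tolower($1) == "proxyjump" { proxied[host] = 1 }
        END {
            bad = 0
            for (h in fwd) {
                if (h == "*" || h == "") {
                    print "FAIL: ForwardAgent yes applies to every host (Host * or before any Host line)"
                    bad = 1
                } else if (h in proxied) {
                    print "FAIL: ForwardAgent yes on " h ", a host reached through the bastion (not needed there)"
                    bad = 1
                } else {
                    print "OK: ForwardAgent limited to " h
                }
            }
            exit bad
        }' "$1"
}

# write_sample_configs DIR -> constructed configs standing in for ~/.ssh/config:
# DIR/good mirrors the deck's config, DIR/bad forwards the agent everywhere.
write_sample_configs() {
    cat > "$1/good" <<'EOF'
Host bastion
    Hostname 0.0.0.0
    User username
    ForwardAgent yes
Host private1
    Hostname 10.0.0.1
    User username
    ProxyCommand ssh bastion -W %h:%p
EOF
    cat > "$1/bad" <<'EOF'
Host *
    ForwardAgent yes
Host private1
    Hostname 10.0.0.1
    ProxyJump bastion
EOF
}

# Demo: the deck's config passes, the global one fails.
d=$(mktemp -d)
write_sample_configs "$d"
audit_ssh_config "$d/good"
audit_ssh_config "$d/bad" || echo "audit of $d/bad failed as expected"
```

Run it against your own file with `audit_ssh_config ~/.ssh/config`; a non-zero exit is the signal to narrow the `ForwardAgent` line to the bastion block.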
  10. SSH Keys
     Retrieve user's public keys from GitHub:
         https://github.com/galenandrew.keys
         ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwof5GF+86suEtuGmdqlIfINE6ya7Y/WVHJtIhaCU2w5zLzTlnNwr1D+s1w+PTcz0aM3/qw673bp+Qn69X3wOipV/vtFHqmL+WCPE4fmklSRonLQEmWQNPCkOywQXD+GtLtIZUy8mM1nh0K2qlEeQCk7uVUcdHrb6ZSFmt4ZbNGuJRYtA0oLw5R+DjrZaDmncTXEVqigPBHHf6hazj0BCTlsFLY66haZNf8YNbSOe7GjQ5aTwQcgjv519fB6e0AnmtprOmJAVw0JHt9AAUHsYPTZTMSscT/G02oFn3+22YXDjQOpBS/R9QjkltgcnuacIrhIeA5K0UEy8GOMMg30IV
     NPM module to easily fetch user's public keys from GitHub:
         $ github-ssh-keys --format galenandrew >> authorized_keys
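The `>> authorized_keys` redirection above appends whatever the fetch returned, so a second run duplicates every key and a malformed or empty response still lands in the file. The script below is an added example, not from the deck or the `github-ssh-keys` package: it takes the fetched key list as a file, keeps only lines that look like OpenSSH public keys, skips keys already present (compared on type and key material, ignoring the trailing comment), and leaves the file owner-readable only. The sample input is constructed with placeholder key material and stands in for the output of `github-ssh-keys --format <user>`.

```shell
#!/bin/sh
# Added example (not from the deck): merge fetched public keys into
# authorized_keys without duplicates or junk lines. POSIX sh; needs grep and cut.

# Constructed sample standing in for the output of `github-ssh-keys --format <user>`.
# The key material is a placeholder, not a real key; the fourth line is junk and
# the fifth repeats the second.
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForDemo0000000000 laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyMaterialOnlyForDemo0000000000= desktop
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExampleOnly== tablet
this is not an ssh public key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyMaterialOnlyForDemo0000000000= desktop'

# merge_authorized_keys SRC DEST -> prints "<added> <rejected>".
# A line is accepted only if it is "<known key type> <base64>[ comment]".
# Keys are compared on the first two fields so a changed comment does not
# create a duplicate entry.
merge_authorized_keys() {
    src=$1; dest=$2; added=0; rejected=0
    [ -f "$dest" ] || : > "$dest"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'; then
            rejected=$((rejected + 1))
            continue
        fi
        keyid=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
        if cut -d' ' -f1,2 "$dest" | grep -qxF "$keyid"; then
            continue   # already authorized
        fi
        printf '%s\n' "$line" >> "$dest"
        added=$((added + 1))
    done < "$src"
    chmod 600 "$dest"   # sshd ignores authorized_keys that others can write
    echo "$added $rejected"
}

# Demo in a scratch directory: the ed25519 key is already authorized, so the
# first run adds 2 keys and rejects 1; the second run adds nothing.
d=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEYS" > "$d/fetched.keys"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForDemo0000000000 laptop' \
    > "$d/authorized_keys"
merge_authorized_keys "$d/fetched.keys" "$d/authorized_keys"
merge_authorized_keys "$d/fetched.keys" "$d/authorized_keys"
```

In use, replace the sample file with the real fetch, e.g. `github-ssh-keys --format galenandrew > /tmp/fetched.keys && merge_authorized_keys /tmp/fetched.keys ~/.ssh/authorized_keys`; the "rejected" count going above zero is the cue to look at what the fetch actually returned before trusting it.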
  11. Additional Resources: SSH and Bastion
     • An Illustrated Guide to SSH Agent Forwarding
       http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
     • Using an SSH Bastion Host
       http://blog.scottlowe.org/2015/11/21/using-ssh-bastion-host/
     • Utility to fetch GitHub SSH Keys by User
       https://www.npmjs.com/package/github-ssh-keys