Update Security Groups Automatically Using AWS Lambda
SPL-149 Version 1.3.5
© 2021 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Security is a top priority for Amazon Web Services (AWS). AWS provides many tools and services to meet your unique security needs. This lab presents a solution (one of many) to enhance your security. The lab walks you through a method to automatically update your Amazon Virtual Private Cloud (Amazon VPC) security groups to only allow access from Amazon CloudFront and AWS WAF. Defining security group rules this way prevents malicious requests from bypassing AWS WAF security rules and accessing your Amazon Elastic Compute Cloud (Amazon EC2) instances directly.
To allow only traffic that originates from the CloudFront and AWS WAF IP ranges, you need to be informed when those AWS IP ranges change. AWS announces service IP range changes through a public Amazon Simple Notification Service (Amazon SNS) topic, with the service IP ranges published in JSON format. Using the integration between Amazon SNS and AWS Lambda, this lab demonstrates a way to automatically update security groups with these new IP ranges.
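As an added example (not code from the lab itself), the core of that update logic in Python, which is the Lambda runtime assumed here: extract the CLOUDFRONT prefixes from the published IP-range JSON and diff them against what a security group currently allows, so only changed CIDRs are authorized or revoked. The sample ranges, the SNS message shape with a `url` field, and the injected `fetch` callback are assumptions made for this example.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape of AWS's published ip-ranges.json
# (addresses are documentation ranges, not real AWS prefixes).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1600000000",
    "createDate": "2021-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
    ],
})


def cloudfront_prefixes(ip_ranges_json):
    """Return the set of IPv4 CIDRs tagged CLOUDFRONT, normalised and de-duplicated.

    ip_network() rejects malformed entries, so a corrupted or tampered file
    raises here instead of producing a bad security group rule."""
    data = json.loads(ip_ranges_json)
    return {str(ip_network(p["ip_prefix"])) for p in data["prefixes"]
            if p["service"] == "CLOUDFRONT"}


def plan_rule_changes(current_cidrs, desired_cidrs):
    """Diff the CIDRs a security group allows today against the desired set.

    Returns (to_authorize, to_revoke); a real handler would pass these to
    ec2.authorize_security_group_ingress / revoke_security_group_ingress."""
    current = {str(ip_network(c)) for c in current_cidrs}
    desired = {str(ip_network(c)) for c in desired_cidrs}
    return sorted(desired - current), sorted(current - desired)


def handle_sns_event(event, fetch, current_cidrs):
    """Process one SNS-triggered Lambda event.

    The SNS message body is assumed to be JSON carrying a "url" field that
    points at the new ip-ranges.json; fetch(url) returns that document as
    text (injected so the example runs offline)."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    desired = cloudfront_prefixes(fetch(message["url"]))
    return plan_rule_changes(current_cidrs, desired)
```

Revoking the stale CIDR and authorizing only the new one keeps the security group minimal, rather than appending every published range on each notification.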
After completing this lab, you should be able to:
- Create Amazon VPC security groups
- Create an AWS Identity and Access Management (IAM) policy
- Create an AWS Lambda function
- Test a Lambda function with sample events
- Subscribe the Lambda function to an Amazon SNS topic
Technical Knowledge Prerequisites
This lab is intended for AWS learners. To successfully complete this lab, you should be familiar with AWS services including Amazon EC2, Amazon VPC security groups, IAM roles and policies, and Amazon SNS. You should be comfortable logging in to and using the AWS Management Console.