1

Our company is in the process of becoming PCI compliant, and one of the requirements is to limit the outbound access of our servers. We have only 1 EC2 instance that falls in the PCI scope, and I would like to limit outbound internet access from this instance to only the services needed.

Is there any way to build that? Is a VPC the best option to do it?

Thanks a lot,

Elie

2 Answers

1

Consider the following:

  • Security Groups allow you to choose CIDR (IP range) and port. You can restrict outbound access at the instance level.
  • Network ACLs allow you to do the same, but at the subnet level.
  • You can place a firewall into your network, or utilise your NAT device, to control outbound access. This can help with logging, which may be a requirement for PCI compliance.
  • You could employ software firewalls, like iptables for Linux, which can also assist with logging requirements.
Drew Khoury
0

VPC gives you control of outgoing traffic via the security group of that particular box. If "build that" means controlling access via code, then I use python boto to do things programmatically.

APZ
  • Thanks for your quick reply. When I try to edit my security group in EC2 I can only see inbound traffic, nothing for the outbound traffic. – user3091702 Feb 15 '14 at 18:06
  • I updated my answer, please take a look again. – APZ Feb 15 '14 at 18:06
  • So if I want to restrict outbound access I have to use a VPC? – user3091702 Feb 15 '14 at 18:10
  • VPC allows you to control outbound access through security groups. If you want to control outbound traffic in EC2 I think you would have to use a system-level firewall (I haven't used an EC2-based system firewall myself). – APZ Feb 15 '14 at 18:26
  • Security Groups control both inbound and outbound access on an EC2. – Drew Khoury Feb 16 '14 at 05:50
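Both answers point at the same control: a VPC security group's egress rules (EC2-Classic groups, which the asker's console seems to show, only carry inbound rules). The following is an added example, not code from either answer, written against boto3 rather than the legacy boto library the second answer names. It revokes the allow-all egress rule a new VPC security group starts with, replaces it with an explicit allow-list, and audits a group description for any rule still open to 0.0.0.0/0 or ::/0. The group id, destination CIDRs, ports and the `FakeEc2` stand-in client are constructed placeholders so the script runs offline; with a real `boto3.client("ec2")` in place of the fake, the same `lock_down_egress` call applies the change.

```python
"""Added example, not code from the original question or answers.

Restrict and audit outbound (egress) rules of a VPC security group with
boto3.  The group id, destination CIDRs and ports below are constructed
placeholders, not values from the page.
"""
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed allow-list: only what the in-scope host needs to reach.
ALLOWED_EGRESS = [
    {"proto": "tcp", "port": 443, "cidr": "203.0.113.10/32", "desc": "payment gateway (placeholder)"},
    {"proto": "udp", "port": 53, "cidr": "10.0.0.2/32", "desc": "VPC resolver (placeholder)"},
]


def egress_permissions(allowed: List[Dict]) -> List[Dict]:
    """Translate the simple allow-list into the IpPermissions shape boto3 expects."""
    perms = []
    for rule in allowed:
        perms.append({
            "IpProtocol": rule["proto"],
            "FromPort": rule["port"],
            "ToPort": rule["port"],
            "IpRanges": [{"CidrIp": rule["cidr"], "Description": rule.get("desc", "")}],
        })
    return perms


def permissive_egress(sg: Dict) -> List[str]:
    """Return one finding per egress rule open to any destination (0.0.0.0/0 or ::/0).

    `sg` is one element of describe_security_groups()["SecurityGroups"].
    """
    findings = []
    for perm in sg.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        open_to = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        open_to += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
        for cidr in open_to:
            findings.append(f"{sg['GroupId']}: {proto}/{ports} egress to {cidr}")
    return findings


def lock_down_egress(ec2, group_id: str, allowed: List[Dict]) -> int:
    """Replace every existing egress rule on `group_id` with the allow-list.

    `ec2` is a boto3 EC2 client.  A new VPC security group carries an
    allow-all egress rule (IpProtocol -1 to 0.0.0.0/0) that must be revoked
    explicitly; revoking all current egress rules first makes the result
    equal to the allow-list regardless of prior state.  Passing back the
    rules exactly as describe_security_groups returned them satisfies the
    exact-match requirement of revoke_security_group_egress.
    Returns the number of egress rules revoked.
    """
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    current = sg.get("IpPermissionsEgress", [])
    if current:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=current)
    ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=egress_permissions(allowed))
    return len(current)


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client so the example runs offline.

    It models the default state of a freshly created VPC security group.
    """

    def __init__(self, group_id: str):
        self.group_id = group_id
        self.egress = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": self.group_id, "IpPermissionsEgress": list(self.egress)}]}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.egress = [p for p in self.egress if p not in IpPermissions]

    def authorize_security_group_egress(self, GroupId, IpPermissions):
        self.egress.extend(IpPermissions)


def demo() -> Tuple[List[str], List[str]]:
    """Lock down a constructed group; return the audit findings before and after."""
    ec2 = FakeEc2("sg-0123456789abcdef0")  # placeholder id
    group = lambda: ec2.describe_security_groups(GroupIds=[ec2.group_id])["SecurityGroups"][0]
    before = permissive_egress(group())
    lock_down_egress(ec2, ec2.group_id, ALLOWED_EGRESS)
    after = permissive_egress(group())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("permissive before:", before)  # one finding: -1/all egress to 0.0.0.0/0
    print("permissive after:", after)    # []
```

Security groups are stateful, so return traffic for allowed inbound connections does not need an egress rule; the allow-list only has to name destinations the instance itself initiates connections to. Run `permissive_egress` over every group attached to the in-scope instance (and pair it with a network ACL on the subnet, as the first answer suggests) to confirm nothing is left open to the internet.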