13

After searching previous questions here, the general consensus seems to be if an instance that I own is assigned a private IP of 10.208.34.55, that only OTHER INSTANCES I OWN can reach it at that address. See:

How to encrypt traffic between two Amazon EC2 instances?

Is that correct? So I can treat all my instances as if they are on a LAN and authenticate and trust any machine coming from 10.XXX.XXX.XXX because I am sure I own it?

I just want to be sure. I'm finding that Amazon seems to be rather more interested in waxing poetic about The Cloud and their 3-character abbreviations than actually providing clear technical documentation.

jberryman

3 Answers

12

Amazon EC2 provides security groups which your instance is a part of, then this allows you to grant permissions to other groups of hosts on your account or other external hosts. See the [User Guide][1] -> Concepts -> Network security for a little overview.

Normally in the "default" security group you have full access to other members in the group (i.e. all of your other default hosts) and no external inbound access. Other hosts inside EC2 that are on other accounts, or on your account but not in the "default" group, will not be able to access your instance.

You can add rules for a security group to grant access to other security groups, or add rules to grant access to IP addresses/ranges.

To answer your question a bit more directly: so long as your security group rules only allow access from the same group, then your instances should be firewalled from access by any other customer, even though they share the same IP space.

[1]: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ "EC2 User Guide"

Dominic Cleal
1

Gareth - I assume both groups have the SSH port open, thus successful SSH from one account to the other does not indicate your conclusion. The idea is simple: within a security group, all ports are open; outside access is per your definition, and for that matter, another group in Amazon is just the same as external access.

-1

The answer is a resounding NO - I have multiple EC2 accounts, and just tried logging into one of my instances on account A from another instance on account B. I was able to SSH from B to A with no problems (other than needing the SSH key for account A).

You should assume that anybody on your 10.0.0.0/8 can access your instances, regardless of what EC2 account they are using.

gareth_bowles
    What security permissions did you have on the instance? Nobody should be able to access your instance by default, but it's often recommended in tutorials to open up tcp/22 (SSH) to the world so you can access the machine. Use ElasticFox or "ec2-describe-group" to check the permissions for the security group you're launching the instance in ("default"?). You will probably see full access permitted from members of the same security group and probably global SSH access (which you must have added). – Dominic Cleal Oct 15 '09 at 08:14
  • You're right, I did enable global access for port 22 - that seemed secure since you still need the SSH keypair to access the instances. – gareth_bowles Oct 15 '09 at 17:05
  • Having it open does make you subject to attacks - meaning your SSH daemon has to listen to the requests coming in and it could lend itself to a Denial of Service attack. This is sometimes mitigated by adding something like fail2ban or some other monitor to the host to watch for failed logins and turn on instance firewall rules via iptables/ipfw. – cgseller Jul 06 '16 at 17:19
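As an added example, not taken from the thread or from fail2ban itself, here is the failed-login monitor the last comment describes, in Python: it applies fail2ban's sshd-jail logic (ban a source after `maxretry` failures inside a `findtime` window) to syslog-style sshd lines and emits the iptables rules an action script would apply. The log lines in `SAMPLE_AUTH_LOG` are constructed (the hostname echoes the private address in the question), the year is assumed because syslog lines carry none, and the helper names are this example's own.

```python
"""Count failed SSH logins per source address and decide what to block.

Mirrors the logic of fail2ban's sshd jail (maxretry failures within findtime)
over syslog-style sshd lines. The log lines below are constructed for this
example; the hostname echoes the private address in the question.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Jul  6 17:19:01 ip-10-208-34-55 sshd[2314]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jul  6 17:19:04 ip-10-208-34-55 sshd[2316]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jul  6 17:19:07 ip-10-208-34-55 sshd[2318]: Failed password for invalid user oracle from 198.51.100.7 port 51251 ssh2
Jul  6 17:19:09 ip-10-208-34-55 sshd[2320]: Accepted publickey for ec2-user from 203.0.113.9 port 40022 ssh2
Jul  6 17:19:11 ip-10-208-34-55 sshd[2322]: Failed password for invalid user test from 198.51.100.7 port 51263 ssh2
Jul  6 17:19:15 ip-10-208-34-55 sshd[2324]: Failed password for root from 198.51.100.7 port 51270 ssh2
Jul  6 17:25:40 ip-10-208-34-55 sshd[2330]: Failed password for ec2-user from 203.0.113.9 port 40031 ssh2
Jul  6 17:31:02 ip-10-208-34-55 sshd[2335]: Failed password for root from 192.0.2.5 port 33001 ssh2
Jul  6 17:44:10 ip-10-208-34-55 sshd[2340]: Failed password for root from 192.0.2.5 port 33002 ssh2
Jul  6 17:57:30 ip-10-208-34-55 sshd[2345]: Failed password for root from 192.0.2.5 port 33003 ssh2
"""

# Syslog timestamp, host, sshd pid, then the classic password-failure message.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2016  # syslog lines carry no year; assumed for the sample


def parse_failures(lines, year=LOG_YEAR):
    """Yield (timestamp, source_ip) for every failed password attempt."""
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue   # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["ip"]


def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside findtime."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(parse_failures(lines)):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def ban_commands(banned, chain="INPUT"):
    """Firewall rules an operator (or an action script) would apply; not executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
    print("\n".join(ban_commands(hits)))
```

With the defaults only 198.51.100.7 crosses the threshold (five failures in fourteen seconds); 192.0.2.5 fails three times but spaced more than ten minutes apart, so the sliding window never fills, which is why `findtime` matters as much as `maxretry`. The commands are returned as strings rather than run so the decision logic can be tested on its own; a real deployment would hand them to fail2ban's action or run them from a privileged watcher.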