
We are using OpenVPN to give our remote team secure access to our EC2 instances hosted on AWS.

Usually we create one OpenVPN account for each team and give that account to the team. By default each account has access to the complete network, i.e. they can access all the EC2 instances. Is there a way to restrict a specific OpenVPN account to specific EC2 instances and ports?

stambata

1 Answer

1

You could create a Virtual LAN (VLAN) for the VPN users. Then you would configure the VPN router to deny access to specific ports/IP addresses/domains. You could also configure the EC2 instance to allow access based on the user's IP address:

"IpAddress": { "aws:SourceIp": "xxx.xxx.xxx.xxx/24" }

Found that here: http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-In

Hope this helps.

Caturday Saint
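The "deny access to specific ports/IP addresses" part of the answer can be done on the OpenVPN server itself rather than on a separate router: pin each VPN account to a fixed tunnel address with a client-config-dir entry, then filter the FORWARD chain by that source address. The script below is an added example, not code from the question, the answer or the OpenVPN project. It assumes an OpenVPN server on the 10.8.0.0/24 tunnel subnet with `topology subnet` and `client-config-dir ccd` in server.conf, a `tun0` interface, and constructed sample account names and instance addresses; it generates the ccd file content and the iptables commands, and simulates the resulting policy so the allow-list can be checked before it is applied. Note that the `aws:SourceIp` condition quoted in the answer limits which source addresses may call the EC2 API under that IAM policy; it does not control network traffic to the instances, which is what the rules below (or security groups) govern.

```python
"""Per-account network restrictions on an OpenVPN server (added example, not the page's own code)."""
from ipaddress import ip_address, ip_network

# Assumed OpenVPN "server" subnet (server.conf: server 10.8.0.0 255.255.255.0, topology subnet).
TUN_NET = ip_network("10.8.0.0/24")
TUN_IF = "tun0"

# Constructed sample policy: VPN account -> fixed tunnel IP and allowed (instance IP, proto, port).
# Every account gets a deny-by-default posture; only the listed tuples are reachable.
ACCOUNTS = {
    "team-web": {
        "tun_ip": "10.8.0.10",
        "allow": [("10.0.1.20", "tcp", 22), ("10.0.1.20", "tcp", 443)],
    },
    "team-data": {
        "tun_ip": "10.8.0.11",
        "allow": [("10.0.2.30", "tcp", 5432)],
    },
}


def validate_accounts(accounts=ACCOUNTS):
    """Catch policy mistakes early: tunnel IPs must be unique and inside TUN_NET."""
    seen = set()
    for name, acct in accounts.items():
        tun_ip = ip_address(acct["tun_ip"])
        if tun_ip not in TUN_NET:
            raise ValueError(f"{name}: {tun_ip} is outside {TUN_NET}")
        if tun_ip in seen:
            raise ValueError(f"{name}: tunnel IP {tun_ip} is assigned twice")
        seen.add(tun_ip)
    return True


def ccd_entry(account, accounts=ACCOUNTS):
    """Content of /etc/openvpn/ccd/<account> (file name = certificate CN).

    ifconfig-push pins the client to a fixed tunnel address so firewall rules
    can key on it. Requires 'client-config-dir ccd' and 'topology subnet'.
    """
    tun_ip = accounts[account]["tun_ip"]
    return f"ifconfig-push {tun_ip} {TUN_NET.netmask}\n"


def iptables_rules(accounts=ACCOUNTS, chain="VPN_FWD"):
    """iptables commands implementing the allow-list for traffic forwarded from tun0."""
    rules = [
        f"iptables -N {chain}",
        # Reply traffic back into the tunnel is allowed via connection tracking.
        f"iptables -A FORWARD -o {TUN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Everything entering from the tunnel goes through the per-account chain.
        f"iptables -A FORWARD -i {TUN_IF} -j {chain}",
    ]
    for name, acct in accounts.items():
        for dst, proto, port in acct["allow"]:
            rules.append(
                f"iptables -A {chain} -s {acct['tun_ip']}/32 -d {dst}/32 "
                f"-p {proto} --dport {port} -m comment --comment {name} -j ACCEPT"
            )
    # Default deny for anything not explicitly listed above.
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


def is_allowed(src_tun_ip, dst_ip, proto, port, accounts=ACCOUNTS):
    """Simulate the chain above: a listed (dst, proto, port) for the source's account is
    accepted, anything else, including unknown source addresses, hits the final DROP."""
    for acct in accounts.values():
        if acct["tun_ip"] == src_tun_ip:
            return (dst_ip, proto, port) in acct["allow"]
    return False


if __name__ == "__main__":
    validate_accounts()
    for name in ACCOUNTS:
        print(f"# ccd/{name}\n{ccd_entry(name)}")
    print("\n".join(iptables_rules()))
```

One design point worth knowing before copying the pattern: pinning an address with `ifconfig-push` assumes one certificate per user. A single shared account per team (which needs `duplicate-cn` so several people can connect at once) cannot be given one fixed tunnel address for all of them, so per-team filtering in this style really means per-user certificates grouped under a team's allow-list.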