My AWS infrastructure is publicly available here. Is this a security concern?

I was prompted to ask this following the Capital One breach and after learning about https://opensourceinfra.org/

PS 1: Please be nice and don't hack me if it is indeed insecure. I did my best in reviewing the repo for security breaches. I'm just posting this here for the sake of public knowledge and public good :)

PS 2: This question was originally posted on stackoverflow.com here. A user replied saying that EC2 instance ID and VPC-related info are sensitive, but I found this post saying it's safe to share EC2 instance IDs.

Edit: apparently I need to move this again to security.stackexchange.com here

Edit 2: I ended up moving the question to reddit where I got much more feedback.

    IMO this question is better suited for [security.se] – Gerald Schneider Aug 07 '19 at 12:28
  • Questions that generate mostly opinions are off topic here. – Ron Trunk Aug 07 '19 at 12:30
  • I moved my question from stackoverflow to here because I saw [this post](https://serverfault.com/questions/922164/is-it-safe-to-expose-an-aws-instance-id#922166). Also, you have a `security` tag here on serverfault too. – Shadi Aug 07 '19 at 12:31
  • The information here isn't *inherently* unsafe to share, but stuff like what instance type you're using may clue an attacker in to things like the level of resources they'd need to DDoS you. If you're using a security system like Cloudflare's WAF, having the direct EC2 endpoints permits bypassing it. etc. etc. etc. – ceejayoz Aug 07 '19 at 13:34
  • In the case of the WAF example, the EC2 endpoint would already need to be protected with proper security group permissions, e.g. allowing access only from a certain IP. – Shadi Aug 07 '19 at 13:40
  • @shadi That's not necessarily feasible in the Cloudflare scenario. They have millions of IPs, and the IP ranges change at times. (It's also just an *example* of the sort of "safe" data that may have unexpected consequences. There may be other things in here specific to your setup (and potential mistakes made) that an attacker could leverage in a similar fashion.) – ceejayoz Aug 07 '19 at 13:48
  • I get your point. Potential mistakes made can also be present in open-source software. Over time, open-source libraries have matured enough that I can come in as a beginner developer, build something on top of an open-source project, and come out with something that is safe to deploy (as opposed to having no open-source libraries, coding everything from scratch, and making the same mistakes as everyone else). – Shadi Aug 07 '19 at 14:16
  • @shadi I'd be personally more inclined to share open-source CloudFormation (or some other configuration management system) scripts/configurations. More useful, and fewer specific details like instance IDs and IP addresses. – ceejayoz Aug 07 '19 at 15:30
  • That's true and would be preferable if available. I don't use CloudFormation for my personal account for example. Would you like to gather all your comments so far and put them in an answer to this post? – Shadi Aug 07 '19 at 16:22
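The comment exchange above turns on one concrete control: if the origin EC2 instances sit behind a CDN/WAF, their security groups should accept web traffic only from that provider's published ranges, and those ranges change, so the check has to be re-run against a freshly fetched list rather than a hard-coded one. The following is an added example written for this page (it is not code from the asker's repository or from any commenter) that audits security group ingress rules for web ports against an allow-list of CIDRs. The rule dicts use the key names that boto3's `ec2.describe_security_groups()` returns in `IpPermissions`, so the function can be pointed at real output; the allow-list and the sample rules here are constructed from TEST-NET addresses and are not a real provider's ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for a CDN/WAF provider's published ranges (TEST-NET
# addresses). In practice fetch the provider's current list on every run,
# since, as noted in the thread, those ranges change over time.
CDN_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

# Ports that should be reachable only through the CDN/WAF.
WEB_PORTS = {80, 443}

# Constructed sample ingress rules, shaped like boto3's IpPermissions entries.
SAMPLE_RULES: List[Dict] = [
    # Fine: HTTPS only from the provider's ranges.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.0/24"}]},
    # Bad: HTTP open to the whole internet on both v4 and v6, which lets
    # anyone who learns the instance's address skip the WAF entirely.
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    # Not a web port, so out of scope for this check.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.10/32"}]},
    # Mixed: a sub-block of an allowed range is fine, an unrelated /24 is not.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.64/26"}, {"CidrIp": "192.0.2.0/24"}]},
]


def rule_touches_web_port(rule: Dict) -> bool:
    """True if the rule can deliver traffic to any port in WEB_PORTS."""
    if rule.get("IpProtocol") == "-1":      # "all traffic" rules carry no port range
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return any(rule["FromPort"] <= p <= rule["ToPort"] for p in WEB_PORTS)


def cidr_within_allowed(cidr: str, allowed_nets) -> bool:
    """True if cidr is fully contained in one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6 comparison, so match version first.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_nets)


def audit_origin_ingress(rules: List[Dict], allowed_cidrs: List[str]) -> List[Dict]:
    """Return one finding per source CIDR that reaches a web port from outside
    the allow-list. An empty list means every web-port source is covered."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in rules:
        if not rule_touches_web_port(rule):
            continue
        ports = ("all" if rule.get("IpProtocol") == "-1"
                 else f"{rule['FromPort']}-{rule['ToPort']}")
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not cidr_within_allowed(cidr, allowed_nets):
                findings.append({"ports": ports, "source": cidr,
                                 "reason": "web port reachable from outside CDN ranges"})
    return findings


if __name__ == "__main__":
    for f in audit_origin_ingress(SAMPLE_RULES, CDN_RANGES):
        print(f"tcp/{f['ports']} open to {f['source']}: {f['reason']}")
```

Run against a real account, the same function takes `perm` dicts straight from `describe_security_groups()` and the provider's current range list; the allow-list is a parameter precisely so that a stale, hard-coded copy of the ranges never becomes the thing being trusted.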
