
I want to secure outgoing RDP connections from my AWS machines. When connecting from our company network to a machine running in a VPC via RDP, all my company network drives (available on the machine within my company network) are mapped to the EC2 machine in the VPC. If I understand this correctly, this means you can access files on our company servers coming from AWS. As the machines we use in AWS are self-administered, this is a security problem.

I hope my problem is clear…

How could I prevent this access coming from the AWS network?

user3347232
  • Do you want to block RDP access from office servers? If so, you should use security groups and remove the RDP rule from it. – Onur Salk Jun 11 '15 at 07:02
  • I think it's the other way around: I want to block RDP access from EC2 servers to my local network. "Things that happen in AWS should stay in AWS." I only want to control and see what is happening on the EC2 machines. – user3347232 Jun 11 '15 at 10:09

2 Answers


Firstly, I would recommend that you use the correct tool for the job rather than a DIY solution. If I understand your problem correctly then AWS Storage Gateway is specifically designed for what you are trying to achieve.

Regarding blocking RDP access, you could simply add a firewall policy to the Security Group corresponding to the EC2 instances to block port 3389. You can also specify IP addresses/blocks of addresses to allow.

John Wheal
  • The thing is that I want to block access from the cloud to my local drives. A firewall policy would not do the job in my eyes, as users with administrator access to the Windows machines could change the RDP port. – user3347232 Jun 11 '15 at 10:08
  • @user3347232 You can set outbound firewall rules in AWS. Alternatively set a firewall policy on your corporate/local network perimeter to block RDP traffic. If you don't want anyone to use RDP you could just turn it off. Is there a particular reason why you don't trust users with administrator access? – John Wheal Jun 11 '15 at 10:26

Network ACLs are what you want to configure to block specific outbound traffic from your VPC. They are stateless (separate rules for inbound/outbound) and apply to subnets within your VPC. Check out the following link for more detailed info:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
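The two answers differ in how the rules behave: a security group is stateful and only has allow rules, so blocking outbound RDP means removing the default allow-all egress rule and allowing only what is needed, while a network ACL is stateless, evaluated in rule-number order, and needs explicit rules for return traffic. The following Python model, added here as an illustration and not part of either answer or of any AWS library, evaluates both kinds of rule against a few constructed flows: an instance trying to reach the office on TCP/3389, HTTPS out to the internet, an inbound RDP session from the office, and the reply packets to the HTTPS connection. All CIDRs, addresses and rule numbers are constructed sample values. One caveat for the original question: drive redirection rides inside the inbound session opened from the corporate client, so outbound rules like these address the separate case raised in the comments (instances initiating RDP toward the office).

```python
"""Model of AWS security-group (stateful, allow-only) and network-ACL
(stateless, ordered allow/deny) evaluation for outbound RDP from EC2.
All CIDRs, IPs and rule numbers below are constructed sample values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

CORP_NET = "10.0.0.0/8"   # constructed: the corporate network
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str        # source IP of the packet
    dst: str        # destination IP of the packet
    proto: str      # "tcp", "udp" or "-1" (all protocols)
    dport: int      # destination port
    egress: bool    # True = leaving the subnet / instance


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    cidr: str               # remote side: destination for egress, source for ingress
    egress: bool
    action: str = "allow"   # security groups only allow; NACLs allow or deny
    number: int = 0         # NACL evaluation order (unused for security groups)


def _matches(rule: Rule, flow: Flow) -> bool:
    """Direction, protocol, port range and remote CIDR must all agree."""
    if rule.egress != flow.egress:
        return False
    if rule.proto != "-1":
        if rule.proto != flow.proto:
            return False
        if not rule.from_port <= flow.dport <= rule.to_port:
            return False
    remote = flow.dst if flow.egress else flow.src
    return ip_address(remote) in ip_network(rule.cidr)


def evaluate_sg(rules: list[Rule], flow: Flow) -> str:
    """Security group: any matching allow rule permits the flow (and, being
    stateful, its return traffic); with no match the flow is dropped."""
    return "allow" if any(_matches(r, flow) for r in rules) else "deny"


def evaluate_nacl(rules: list[Rule], flow: Flow) -> str:
    """Network ACL: rules are tried in ascending number, the first match wins,
    and the implicit final rule denies everything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, flow):
            return rule.action
    return "deny"


def sample_nacl() -> list[Rule]:
    """Deny RDP toward the office, allow other egress, allow inbound RDP from
    the office and allow ephemeral-port replies (needed because NACLs are stateless)."""
    return [
        Rule("tcp", 3389, 3389, CORP_NET, egress=True, action="deny", number=100),
        Rule("-1", 0, 65535, ANYWHERE, egress=True, action="allow", number=200),
        Rule("tcp", 3389, 3389, CORP_NET, egress=False, action="allow", number=100),
        Rule("tcp", 1024, 65535, ANYWHERE, egress=False, action="allow", number=200),
    ]


def sample_sg() -> list[Rule]:
    """Default allow-all egress replaced by HTTPS only; RDP allowed in from the office."""
    return [Rule("tcp", 443, 443, ANYWHERE, egress=True),
            Rule("tcp", 3389, 3389, CORP_NET, egress=False)]


def decisions() -> dict[str, str]:
    """Evaluate the constructed flows against both rule sets."""
    rdp_out = Flow("172.31.5.10", "10.1.2.3", "tcp", 3389, egress=True)
    https_out = Flow("172.31.5.10", "203.0.113.7", "tcp", 443, egress=True)
    rdp_in = Flow("10.1.2.3", "172.31.5.10", "tcp", 3389, egress=False)
    https_reply = Flow("203.0.113.7", "172.31.5.10", "tcp", 49152, egress=False)
    nacl, sg = sample_nacl(), sample_sg()
    # Misordered variant: the deny numbered after the allow-all never fires.
    misordered = [replace(nacl[0], number=300)] + nacl[1:]
    return {
        "nacl_rdp_to_office": evaluate_nacl(nacl, rdp_out),
        "nacl_https_out": evaluate_nacl(nacl, https_out),
        "nacl_rdp_from_office": evaluate_nacl(nacl, rdp_in),
        "nacl_https_reply": evaluate_nacl(nacl, https_reply),
        "nacl_https_reply_without_ephemeral_rule": evaluate_nacl(nacl[:3], https_reply),
        "nacl_deny_numbered_after_allow": evaluate_nacl(misordered, rdp_out),
        "sg_rdp_to_office": evaluate_sg(sg, rdp_out),
        "sg_https_out": evaluate_sg(sg, https_out),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:42} {verdict}")
```

Two of the results are the ones worth checking in a real VPC: dropping the ephemeral-port ingress rule silently breaks every outbound connection from the subnet because the replies are denied, and a deny rule numbered after a broad allow never takes effect, so the deny for the corporate CIDR must carry the lower number.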