
Usage:

We have an admin panel (web application) and there are around 10 admins who access this application; some of them access the panel from home, where they are using a dynamic IP.

Problem:

We do not want to allow HTTPS from all in the security group, but as all admins have dynamic IPs we are unable to control inbound traffic by manually changing the security group.

Solution Required:

A Lambda function or other solution which has an endpoint (AWS URL) where admins log in with preset credentials, which automatically whitelists their IP address for 9 hours in the security group.

Additional:

It would be great if the solution came along with an IAM policy for the role.

Thanks

  • Rather than have them login to a system to add their IP address, why not add a login capability to the web application itself? That way, it is okay to be publicly accessible. – John Rotenstein Feb 26 '20 at 05:50
  • @john, yes, there is a login in the admin panel, but the business is less focused on securing the admin panel as it doubles the time and effort spent on security. We use all security best practices along with pen testing, but for the public application, which has dev and QA environments, unlike the admin panel. :) – Jay seen Feb 26 '20 at 05:54
  • If each Admin person has a set of IAM User credentials, they could simply add themselves to a security group like this: [How to use the same static IP address with different ISPs?](https://stackoverflow.com/q/60399574/174777) – John Rotenstein Feb 26 '20 at 06:05
  • We are not giving IAM credentials, as they are not technical or AWS-friendly. – Jay seen Feb 26 '20 at 06:37
  • Agree with @JohnRotenstein: the easiest way is just to have a login page to access your admin panel using username and password; else you'll need some VPN solution like OpenVPN to get the admins into the Bastion host and allow the Bastion's SG to your admin panel's SG. – Dev1ce Feb 26 '20 at 09:02
  • Yes, VPN is a good solution; can you suggest a free VPN, as paid ones charge per user? Also, a VPN occupies an extra instance, so the idea came to mind: why not do it serverless, aka Lambda? – Jay seen Feb 26 '20 at 09:14
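
Added example, not part of the original question or comments and not AWS's own code: one way to build the Lambda the question asks for, where each grant is a 443/tcp `/32` rule whose description carries its expiry and a scheduled invocation revokes expired rules. It assumes the endpoint is an HTTP API or function URL (payload format 2.0) that has already authenticated the admin; `ADMIN_SG_ID`, `TAG`, `https_rule`, `temp_rules`, `sweep` and `grant` are hypothetical names.

```python
import ipaddress
import os
import time

TTL_SECONDS = 9 * 3600        # the 9-hour window from the question
TAG = "temp-admin expires="   # constructed marker kept in the rule description
# Role needs ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress
# on this group's ARN, plus ec2:DescribeSecurityGroups (Resource "*").

def https_rule(cidr, description=None):
    ip_range = {"CidrIp": cidr}
    if description:
        ip_range["Description"] = description
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [ip_range]}

def temp_rules(group):
    """Map CIDR -> expiry epoch for tagged 443/tcp rules in one describe_security_groups entry."""
    found = {}
    for perm in group.get("IpPermissions", []):
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", 443, 443):
            continue
        for r in perm.get("IpRanges", []):
            desc = r.get("Description", "")
            if desc.startswith(TAG) and desc[len(TAG):].isdigit():
                found[r["CidrIp"]] = int(desc[len(TAG):])
    return found

def sweep(ec2, group_id, now, also=None):
    """Revoke expired tagged rules (and `also`, a CIDR being renewed); untagged rules are never touched."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    gone = [c for c, exp in temp_rules(group).items() if exp <= now or c == also]
    for cidr in gone:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[https_rule(cidr)])
    return gone

def grant(ec2, group_id, source_ip, now):
    cidr = f"{ipaddress.IPv4Address(source_ip)}/32"  # ValueError unless one IPv4 address
    sweep(ec2, group_id, now, also=cidr)             # drop stale rules; renew instead of duplicating
    ec2.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=[https_rule(cidr, f"{TAG}{now + TTL_SECONDS}")])
    return cidr

def handler(event, context):
    import boto3  # imported here so the helpers above can be exercised without AWS
    # ADMIN_SG_ID is an assumed environment variable holding the security group id
    ec2, group_id, now = boto3.client("ec2"), os.environ["ADMIN_SG_ID"], int(time.time())
    if "requestContext" not in event:  # scheduled (EventBridge) invocation: cleanup only
        return {"revoked": sweep(ec2, group_id, now)}
    ip = event["requestContext"]["http"]["sourceIp"]  # set by AWS, unlike X-Forwarded-For
    return {"statusCode": 200, "body": f"allowed {grant(ec2, group_id, ip, now)} for 9 hours"}
```

Security groups have no native rule expiry, so the 9-hour limit holds only as well as the schedule that triggers the cleanup invocation.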
