Solved Securing connections inside AWS VPC

I have a question about securing connections from FreeBSD dataservers to an Ubuntu webserver inside the AWS VPC.

One FreeBSD instance shares folders via NFSv4 and the other FreeBSD instance hosts a PostgreSQL database. These folders and database connection are shared with the Ubuntu webserver. All machines are in the VPC with the FreeBSD instances in a private subnet and the Ubuntu webserver in the public subnet, as in this scenario in the AWS docs.

I was just wondering if, given that the instances are all inside the VPC, there was any need to configure krb5p to secure the NFS share? ...and if there was any reason to use hostssl with md5 for the database connection? All connections within the VPC should already be encrypted, so it seems that adding Kerberos and SSL would be unnecessary(?)
 
> I was just wondering if, given that the instances are all inside the VPC, there was any need to configure krb5p to secure the NFS share? ...and if there was any reason to use hostssl with md5 for the database connection?

This is a hard question to answer. Personally, if there are no other instances in the VPC, I would not. However, if there are other instances, I would. Otherwise information could be leaked/watched when a breach occurs elsewhere in the VPC. Another option I would consider is to set up a security group to allow access to the NFS and Postgres machines only from the webserver instance (if the webserver is the only instance that needs access to them, that is).

I can't answer the question for you, though. The "need" is something you have to decide on.

> All connections within the VPC should already be encrypted, ...

What makes you say that? Connections in a VPC don't automatically or magically become encrypted. They are firewalled, and your instances in private subnets aren't directly accessible/addressable from the internet.

Hope this helps (and yay, another FreeBSD in EC2/VPC user!) :)
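Added example, not part of the thread above: two small shell helpers that answer the "is this traffic actually protected?" question on the hosts themselves, since nothing in the VPC does it for you. One reads a pg_hba.conf (as found on the FreeBSD PostgreSQL server) and flags entries that accept non-TLS TCP clients (`host` rather than `hostssl`) or use a method that sends no real credential; the other reads mount(8) output (as seen on the Ubuntu NFS client) and flags NFS mounts not using sec=krb5p. The sample pg_hba.conf lines, mount lines and 10.0.x.x addresses are constructed for the demo; the "weak" lines are the setup the question describes and the lines beside them are the same setup with TLS and krb5p required.

```sh
#!/bin/sh
# Added example (not from the thread). Both helpers read stdin, print each
# offending line with a short reason, and return 1 if anything was flagged,
# 0 if the input is clean. Sample inputs below are constructed.

# pg_hba.conf format: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
# Flags "host"/"hostnossl" entries (accept plaintext TCP; only "hostssl"
# forces TLS) and TCP entries using "password" (cleartext password) or
# "trust" (no credential at all).
pg_hba_plaintext() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        case "$1" in
            host|hostnossl) printf 'non-TLS entry: %s\n' "$line"; bad=1 ;;
        esac
        case "$1:$5" in
            host*:password|host*:trust) printf 'weak auth:      %s\n' "$line"; bad=1 ;;
        esac
    done
    return $bad
}

# Flags NFS mounts whose option list lacks sec=krb5p. A mount with no sec=
# option at all is sec=sys: no encryption, and the client asserts UID/GID.
nfs_unprotected() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *' type nfs'*|*'(nfs'*) ;;   # Linux and FreeBSD mount(8) output formats
            *) continue ;;
        esac
        case "$line" in
            *'sec=krb5p'*) ;;
            *) printf 'not krb5p:      %s\n' "$line"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample pg_hba.conf. The "host ... md5" line is the setup the
# question asks about; the "hostssl" line is the same client with TLS
# required (md5 kept as in the thread; newer PostgreSQL also offers
# scram-sha-256). Addresses are made up.
SAMPLE_PG_HBA='# TYPE  DATABASE  USER    ADDRESS        METHOD
local   all       all                    peer
host    webapp    webapp  10.0.0.0/16    md5
hostssl webapp    webapp  10.0.1.5/32    md5'

# Constructed Ubuntu-side mount(8) lines: an NFSv4 export mounted with the
# default sec=sys, and the same export mounted with "-o sec=krb5p" (which
# needs "-sec=krb5p" on that export in /etc/exports on the FreeBSD server).
SAMPLE_MOUNTS='10.0.2.10:/export on /mnt/share type nfs4 (rw,relatime,vers=4.1,sec=sys,addr=10.0.2.10)
10.0.2.10:/export on /mnt/secure type nfs4 (rw,relatime,vers=4.1,sec=krb5p,addr=10.0.2.10)'

# Run both checks over the samples; returns 1 if either flagged anything.
audit_samples() {
    rc=0
    printf '%s\n' "$SAMPLE_PG_HBA" | pg_hba_plaintext || rc=1
    printf '%s\n' "$SAMPLE_MOUNTS" | nfs_unprotected || rc=1
    return $rc
}

if audit_samples; then echo "all clear"; else echo "weak settings found (see above)"; fi
```

On real hosts, feed `pg_hba_plaintext` the server's pg_hba.conf and `nfs_unprotected` the output of `mount -t nfs4` on the client. Note that a `host` entry is not wrong by itself: it accepts TLS clients too, so it is only a problem when the client is not forced to use `sslmode=require` or stronger; `hostssl` removes that dependency on client configuration. Locking the security group down to the webserver as the answer suggests is complementary: it limits who can reach the ports, while hostssl and krb5p protect what is carried over them.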