Hello.
For the task definition, was I correct to add a policy to get and put items in the dynamodb database? Is it needed at the task definition level if the API calls inside it need to perform CRUD operations to the dynamodb database?
First, ECS has two types of IAM role configurations.
There are task execution roles and task roles, and among these, task roles are used to access DynamoDB etc. from container applications.
I think your settings are correct because the task role is included in the task definition settings.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
When creating the ALB, I made it internet facing and placed it in 2 of my public subnets. For the security group I allowed HTTP and HTTPS from anywhere. When I finish creating my frontend and deploy it on AWS Amplify, would I change the "anywhere" selection to point to Amplify?
No, since the front-end code itself is executed in the user's browser, I think ALB will not be able to connect unless it is accessible via HTTPS from anywhere.
https://medium.com/@pabloregen/about-frontend-and-backend-and-where-my-javascript-runs-60e321d07790
If my lambda function is making API calls to the notification microservice in my ECS task, the ALB security group should also have an HTTP entry coming from the IP addresses or security group of my lambda function right?
If the ALB is public access, restricting the security group by Lambda's IP address will prevent other users from accessing it via HTTPS.
If ALB is configured as a private load balancer and Lambda can be connected to the VPC, it is possible to configure settings such as allowing only Lambda's security group.
https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html
For my ALB listeners, I selected port 80 and for the target group I want to select my ECS tasks, but those are placed in my private subnets and can be scaled up and down. How will I know what IPv4 my tasks will have in the subnet CIDR block?
If you are managing the number of tasks using ECS AutoScaling, the target group should be linked to ECS, so there is no need to manage the IP addresses of the tasks.
https://repost.aws/knowledge-center/create-alb-auto-register
When creating my ECS Service, in the networking tab I selected my private subnets and now I need to make my security group. Since the ECS Service will communicate with ALB, I added a port 80 inbound traffic with the source set as the security group of my ALB. Is this correct?
Yes, that's correct.
The ECS task is set to allow connections only from ALB, making it secure.
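To make the task-role point above concrete, here is an added example (not from the answer above or from AWS docs) of a least-privilege DynamoDB policy for the task role, a pre-deploy check that flags wildcard statements, and the two role slots in a task definition. The table name, account id and region are constructed sample values.

```python
"""Least-privilege DynamoDB policy for the ECS *task role* (not the execution role).

Assumed sample values (constructed for this example): table "Notifications",
account 123456789012, region us-east-1.
"""
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Notifications"


def task_role_policy(table_arn: str) -> dict:
    """Only the item-level actions the container's CRUD handlers need, on one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "NotificationsTableCrud",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem", "dynamodb:PutItem",
                "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                "dynamodb:Query",
            ],
            # Indexes are separate resources; list them explicitly if the app queries them.
            "Resource": [table_arn, f"{table_arn}/index/*"],
        }],
    }


def overly_broad_statements(policy: dict) -> list:
    """Return the Sids of Allow statements with a wildcard action (e.g. dynamodb:*)
    or an unscoped resource ("*"), so the task role can be checked before deploy."""
    bad = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


def task_definition_roles(task_role_arn: str, exec_role_arn: str) -> dict:
    """taskRoleArn is assumed by the application code (DynamoDB calls);
    executionRoleArn is used by the ECS agent itself (pull image, write logs)."""
    return {"family": "notification-service",
            "taskRoleArn": task_role_arn,
            "executionRoleArn": exec_role_arn}


if __name__ == "__main__":
    print(json.dumps(task_role_policy(TABLE_ARN), indent=2))
```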
Hi Abed,
Please look at the solution; it should help you resolve your doubts.
Task Definition Policy:
You've correctly added a policy to the task definition that allows it to put and get items from DynamoDB. This is necessary for the tasks to interact with the database.
ALB Security Group:
Initial Testing:
For initial testing, allowing HTTP and HTTPS from "anywhere (0.0.0.0/0)" might be sufficient.
Production Security:
Find Amplify Security Group:
Once you deploy your frontend on AWS Amplify, locate the security group assigned to your Amplify application.
Restrict Access:
In your ALB security group's inbound rules, add an HTTP/HTTPS rule that allows traffic only from the Amplify security group's CIDR block. This ensures only authorized Amplify users can access your application.
Lambda Function Communication:
Security Group for Lambda:
Create a dedicated security group for your Lambda function.
ECS Service Security Group Inbound Rule:
Source:
In your ECS service security group's inbound rules, add an HTTP rule that allows traffic from the Lambda function's security group on port 3333 (or the port used by your notification microservice).
Lambda Policy:
Update the Lambda function's execution role to include a policy that allows outbound traffic to the service security group. This restricts communication only to authorized services within your VPC.
ALB Listeners and Target Groups:
You're on the right track with selecting port 80 for your ALB listeners and targeting your ECS tasks. You don't need to know the individual IPv4 addresses of your tasks.
ECS Service Security Group:
Your approach of creating a security group for your ECS service and allowing inbound traffic on port 80 from the ALB's security group is correct.
Additional Tips:
Least Privilege: Apply the "least privilege" principle by restricting access only to those who need it. Avoid using "0.0.0.0/0" in production.
Separate Security Groups: Use separate security groups for different components (ALB, Lambda, ECS service) for better organization and control.
Security Best Practices: Refer to AWS security best practices for ECS and ALB configurations:
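As an added example (not part of either answer above), the security-group chaining the thread converges on, modelled as data with a check that flags any rule breaking the "only the ALB is public" design. Group ids and the Lambda group are constructed sample values; the Lambda rule on the ECS group only applies when the Lambda function is attached to the VPC.

```python
"""Inbound security-group rules for the ALB -> ECS service path discussed in the thread.

Group ids below are constructed sample values, not real identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a security-group id such as "sg-..."


ALB_SG, ECS_SG, LAMBDA_SG = "sg-alb0001", "sg-ecs0001", "sg-lambda01"

# ALB: internet-facing, so 80/443 from anywhere (the user's browser is the client).
# ECS service: only the app port, only from the ALB group; plus the Lambda group on
# the microservice port if Lambda is VPC-attached and calls the service directly.
# Lambda: needs no inbound rules at all.
INBOUND = {
    ALB_SG: {Rule(80, "0.0.0.0/0"), Rule(443, "0.0.0.0/0")},
    ECS_SG: {Rule(80, ALB_SG), Rule(3333, LAMBDA_SG)},
    LAMBDA_SG: set(),
}


def is_cidr(source: str) -> bool:
    return "/" in source


def findings(inbound: dict) -> list:
    """Flag rules that break the design:
    - on the ALB group, 0.0.0.0/0 on any port other than 80/443
    - on any other group, a CIDR source (tasks and Lambda must only be reachable
      via a referenced security group, never by IP range)"""
    out = []
    for sg, rules in inbound.items():
        for r in rules:
            if sg == ALB_SG:
                if r.source == "0.0.0.0/0" and r.port not in (80, 443):
                    out.append(f"{sg}: port {r.port} open to the internet")
            elif is_cidr(r.source):
                out.append(f"{sg}: port {r.port} allowed from CIDR {r.source}; "
                           f"reference a security group instead")
    return out


if __name__ == "__main__":
    print(findings(INBOUND) or "no findings")
```

Because the target group is registered by the ECS service (ip targets), task IPs come and go on scale events without any rule referencing them; only the group-to-group references above matter.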
Thank you so much for your detailed reply @Parthasaradi, I really appreciate your help on this!

Thank you so much @Riku_Kobayashi for your help and for providing the links along with your answer! I will make sure to read the links thoroughly and apply your suggestions to my current configuration!