When Ryan sets up the NACLs there is always port 80 for http and port 443 for https. I am working through understanding the decision flow for when you change http from deny to allow. Where does https figure into this decision flow of deny vs. allow? Aren’t RESTful API calls done through HTTPS?
I think you may have misunderstood the lesson. Ryan is showing how with NACLs you can explicitly deny traffic by IP/CIDR range & port. He didn’t change http from deny to allow, there were 2 rules, one with deny and a specific IP and a second one with allow and all IPs.
At first he had the deny rule after the allow rule. The first rule (allow) is applied and then any rules that follow which match the port and any sub-range of IPs from the earlier rule are ignored.
Next, he shows the inverse: when the deny rule is first, it will take effect first. When the allow rule is applied, it will apply to all IPs except for the ones listed in prior deny rules.
As far as https vs http, there was only the 1 rule with https as the protocol, so that rule is the only rule that is evaluated for https. For http, there were 2 rules, one with a deny and one with an allow. They were applied in the order they appeared.
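To make the ordering behaviour described above concrete, here is a small simulator of NACL inbound evaluation. It is an added example, not code from the lesson or from AWS: it models the documented NACL semantics (rules are evaluated lowest rule number first, the first matching rule decides, and the implicit `*` rule at the end denies anything that matched nothing). The rule numbers, the two orderings and the source addresses (taken from the TEST-NET documentation ranges) are constructed for the example.

```python
"""Toy model of AWS network ACL inbound rule evaluation (added example, not AWS code).

Semantics modelled:
  * rules are evaluated in ascending rule-number order;
  * the first rule whose protocol, port range and source CIDR match decides;
  * if no numbered rule matches, the implicit '*' rule denies the packet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lowest number is evaluated first
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str          # source CIDR for an inbound rule
    action: str        # "allow" or "deny"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if not (self.port_from <= port <= self.port_to):
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)


def evaluate(rules, protocol: str, port: int, src_ip: str):
    """Return (action, rule_number) for one inbound packet.

    First matching rule wins; the order rules were *created* in is irrelevant,
    only the rule number counts. No match falls through to the implicit '*' deny.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, src_ip):
            return rule.action, rule.number
    return "deny", "*"


# Constructed addresses from RFC 5737 documentation ranges.
BLOCKED_HOST = "203.0.113.10"
OTHER_HOST = "198.51.100.7"

# Ordering 1: the allow-all HTTP rule has the lower number, the deny for one host
# comes after it, so the deny never gets a chance to fire for port 80.
ALLOW_THEN_DENY = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 80, 80, "203.0.113.10/32", "deny"),
    Rule(120, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Ordering 2: the specific deny has the lower number, so it is hit first for that
# host and everyone else falls through to the allow-all rule.
DENY_THEN_ALLOW = [
    Rule(100, "tcp", 80, 80, "203.0.113.10/32", "deny"),
    Rule(110, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(120, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]


def decision_table():
    """Evaluate the same packets against both orderings; returns a dict for inspection."""
    cases = [
        ("http from blocked host", "tcp", 80, BLOCKED_HOST),
        ("http from other host", "tcp", 80, OTHER_HOST),
        ("https from blocked host", "tcp", 443, BLOCKED_HOST),
        ("ssh from other host", "tcp", 22, OTHER_HOST),   # no rule for 22 at all
    ]
    return {
        label: {
            "allow_then_deny": evaluate(ALLOW_THEN_DENY, proto, port, ip),
            "deny_then_allow": evaluate(DENY_THEN_ALLOW, proto, port, ip),
        }
        for label, proto, port, ip in cases
    }


if __name__ == "__main__":
    for label, results in decision_table().items():
        print(f"{label:25s} {results}")
```

Two things worth noticing from the output: the HTTPS rule (120) is the only rule that can match a port 443 packet, so the HTTP deny/allow ordering never touches it, and port 22 is denied by the implicit `*` rule in both orderings because nothing explicitly allows it. Real NACLs are also stateless, so a complete configuration needs matching outbound rules for the ephemeral return ports; this example only models the inbound direction.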
Right, but my confusion is less about the order of evaluation of rules, and more the fundamental question of: isn’t HTTPS forced for most APIs and sites now? I believe the keynote at a recent security conference was given by Google’s engineering director on how Google began labeling all sites as not secure if they didn’t use HTTPS. So I guess what I’m trying to understand is, in the case of AWS NACLs, when you access EC2 via the CLI, are these https calls, or are they not secure http calls that we are accessing with a secure key?
There still seems to be some confusion in your question. You don’t use the AWS CLI to access an EC2 instance. From https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html it says "The AWS CLI provides direct access to AWS services’ public APIs." You would need to use a tool like ssh or an rdp client to connect to specific servers. I think one key question you have is about whether the AWS CLI uses secure communications. From https://docs.aws.amazon.com/cli/latest/reference/ it says "By default, the AWS CLI uses SSL when communicating with AWS services."
From the lesson Ryan was showing how to make and block HTTP connections to a web server. He could have configured an SSL certificate and enabled https, but that wasn’t the point of the lesson. He could have also shown blocking different protocols, but all the steps are the same so he chose to use the common HTTP protocol we are all used to. Making https calls to a web server via a browser is somewhat different than using the AWS CLI to communicate with AWS services via API calls. They both use SSL/TLS tunnels for communications, but one sends/receives HTTP calls built of HTTP headers and data while the other posts API requests and receives responses.