This is an example of a real world scenario where we demonstrate how
ip-lockdown can be invoked as part of User Data to automatically lock down the EC2 metadata IP upon
startup of an EC2 instance.
The main motivation for locking down EC2 metadata is as follows:
EC2 metadata gives you the credentials you need to assume any IAM role associated with the EC2 instance, and thereby, get all the permissions available in that IAM role.
Locking down the metadata to, for example, only the root user, makes sure that if a hacker breaks into your server with a privileged user, they cannot get the full power of the IAM role.
For example, we often give EC2 Instances access to a KMS key via an IAM role so that instance can decrypt secrets before booting. Using ip-lockdown ensures that only the root user can access that KMS key, and therefore, secrets, which is a big improvement to your security posture.
Try to curl metadata by doing curl http://169.254.169.254/latest/meta-data/ (You should receive an error: curl: (7) Failed to connect to 169.254.169.254 port 80: Connection refused)
Try to curl the metadata again: sudo curl http://169.254.169.254/latest/meta-data/ (this should work)
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"30bfaa039bf698a640461a3993ccc21b452ccc5d"}]},{"name":".editorconfig","path":".editorconfig","sha":"a5eec1063e66c4cb953cba222dd50b4d314ef3e2"},{"name":".gitignore","path":".gitignore","sha":"981300184e4c7fd06f5076e1b63240ff17127c4a"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"c82ec90fb502dc05e64f92ece2c49ff0a9c3cf55"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.adoc","path":"README.adoc","sha":"2fa6943dc66863a9f854a55374ed6b89f1dab998"},{"name":"_ci","children":[{"name":"output-debug-values.sh","path":"_ci/output-debug-values.sh","sha":"0ced78063218d2027a2af91368ccb2da3f9762d5"}]},{"name":"_docs","children":[{"name":"auto-update.png","path":"_docs/auto-update.png","sha":"77bfd1c65de0245ac8b3c67d5b0b64fc440824bf"},{"name":"aws-cloudtrail-architecture.png","path":"_docs/aws-cloudtrail-architecture.png","sha":"a2dd9a08b8ed77744fd5febab3be7bdf633dee79"},{"name":"aws-cloudtrail.png","path":"_docs/aws-cloudtrail.png","sha":"acc7dcaf4b46ce3cef1bcc20be0329e12c320e7f"},{"name":"aws-config-architecture.png","path":"_docs/aws-config-architecture.png","sha":"721458048d5e539468c438498863a91fa96e0a85"},{"name":"aws-config-rules-architecture.png","path":"_docs/aws-config-rules-architecture.png","sha":"29fe3f20358b176e385d1bcdc0357bff2c1d5b4a"},{"name":"aws-config-rules.png","path":"_docs/aws-config-rules.png","sha":"ac3f7b35bcac949887e62aee260d9cb70edd3ae8"},{"name":"aws-config.png","path":"_docs/aws-config.png","sha":"02f4b326aef57372def4f3fafa4f0e4cec07e395"},{"name":"aws-organizations-architecture.png","path":"_docs/aws-organizations-architecture.png","sha":"bd57412fe85d3fe8d5e358db5e3b7bfef3e786a9"},{"name":"aws-organizations-icon.png","path":"_docs/aws-organizations-icon.png","sha":"b2b3fa04f51a23e5bae1b3389ffedf5e17b3cef2"},{"name":"ssh-grunt-architecture.png","path":"_docs/ssh-grunt-architecture.png","sha":"9ced8c68bcc7957e50aa016cad6c5b043a05b470"},{"name":"terminal-icon.png","path":"_docs/terminal-icon.png","sha":"df09d52d5b1176d7e231bab6c7712c3728e45c1b"}]},{"name":"examples","children":[{"name":"auto-update","children":[{"name":"README.md","path":"examples/auto-update/README.md","sha":"d7c630c4585bad7869d55bc6c62fca248eeb521a"},{"name":"auto-update-example.json","path":"examples/auto-update/auto-update-example.json","sha":"cafac0a781f8c675338226eee4b2413f5a4e88c1"}]},{"name":"aws-config","children":[{"name":"README.md","path":"examples/aws-config/README.md","sha":"becfeb3fe2afee81cad4476fd1300a5f26566e7e"},{"name":"main.tf","path":"examples/aws-config/main.tf","sha":"d07263ccd6a96cfbae8dd25fc40c48a364b06f04"},{"name":"outputs.tf","path":"examples/aws-config/outputs.tf","sha":"ddd32698f39772d663a2d9b8a6276260f5431068"},{"name":"vars.tf","path":"examples/aws-config/vars.tf","sha":"52da0c2fdcbaac128d94e3d7ea9ed58cccc396c7"}]},{"name":"aws-organizations-config-rules","children":[{"name":"README.md","path":"examples/aws-organizations-config-rules/README.md","sha":"ce4f53fc37936aec55b2a7e8f358378032dac0d7"},{"name":"main.tf","path":"examples/aws-organizations-config-rules/main.tf","sha":"1dae398d8ed745e3b103f3803b887e61daf7a600"},{"name":"outputs.tf","path":"examples/aws-organizations-config-rules/outputs.tf","sha":"4319400eb4190f58458f2dd9398225869ff08da3"},{"name":"variables.tf","path":"examples/aws-organizations-config-rules/variables.tf","sha":"c97f8c6bdaf4ab3f9e5f26332fc7ec983e881a53"}]},{"name":"aws-organizations","children":[{"name":"README.md","path":"examples/aws-organizations/README.md","sha":"1da3c2fc061fee6ee99564b8b2323ccf69f2c690"},{"name":"main.tf","path":"examples/aws-organizations/main.tf","sha":"7339da612ebccaa785820b0f1e6fb42d5f72e20a"},{"name":"outputs.tf","path":"examples/aws-organizations/outputs.tf","sha":"88ba8f4012111036775958d7dfad4eec6bf84be6"},{"name":"variables.tf","path":"examples/aws-organizations/variables.tf","sha":"59afc28c87bc3c49d11c6faf7e112643f0a95481"}]},{"name":"cloudtrail","children":[{"name":"README.md","path":"examples/cloudtrail/README.md","sha":"a99ca684008a985ba9246e21d480d5aadd8a63bf"},{"name":"main.tf","path":"examples/cloudtrail/main.tf","sha":"a6640e03cad20e68d805106afdd94f1d2e6883e3"},{"name":"outputs.tf","path":"examples/cloudtrail/outputs.tf","sha":"874c4bb56d8c5841ae5d23a14e8572aab2d4adea"},{"name":"vars.tf","path":"examples/cloudtrail/vars.tf","sha":"d760a1693fc326552b1a00a24eb9deb4fb1a0af3"}]},{"name":"cross-account-iam-roles","children":[{"name":"README.md","path":"examples/cross-account-iam-roles/README.md","sha":"e29b220abacd7b0ac30a9b30ae15014936e5fc9c"},{"name":"main.tf","path":"examples/cross-account-iam-roles/main.tf","sha":"6c3469ebb3be0666378962f57fb4c8055a1cb565"},{"name":"outputs.tf","path":"examples/cross-account-iam-roles/outputs.tf","sha":"459bd44da733bb20e65e17b4e13505c03bb109b7"},{"name":"vars.tf","path":"examples/cross-account-iam-roles/vars.tf","sha":"6e707ac515c0d83d32f8dccbfcfe22c66968351a"}]},{"name":"custom-iam-entity","children":[{"name":"README.md","path":"examples/custom-iam-entity/README.md","sha":"262e2508f648ec95f6bfd32626fbb2d887cfa988"},{"name":"main.tf","path":"examples/custom-iam-entity/main.tf","sha":"c1b2291bb49e98b1b4ac642920751f54bd59c2a3"},{"name":"outputs.tf","path":"examples/custom-iam-entity/outputs.tf","sha":"835eb64f431386925438cb2f63e48e413faee90c"},{"name":"vars.tf","path":"examples/custom-iam-entity/vars.tf","sha":"4af8f352ddc35352243f8e1ac0dd3fb50f230e11"}]},{"name":"fail2ban","children":[{"name":"README.md","path":"examples/fail2ban/README.md","sha":"7f6b797884ac148c0e34fd6da0eb8224e2255d8a"},{"name":"fail2ban-example.json","path":"examples/fail2ban/fail2ban-example.json","sha":"dca42add6036b1e18f03aaa3f41c500b8767f31d"}]},{"name":"iam-groups","children":[{"name":"README.md","path":"examples/iam-groups/README.md","sha":"019d8b433629eb895603e9b4d507b0bf479c3da5"},{"name":"main.tf","path":"examples/iam-groups/main.tf","sha":"3ef8b57b70f9f7f69a619749ce74430888bacebe"},{"name":"outputs.tf","path":"examples/iam-groups/outputs.tf","sha":"2901c51756a4b5d3ce1b040ff006849997650bb0"},{"name":"vars.tf","path":"examples/iam-groups/vars.tf","sha":"4cb4825d0b09ddb2bf1509fbe2e7506a974bae6a"}]},{"name":"iam-user-password-policy","children":[{"name":"README.md","path":"examples/iam-user-password-policy/README.md","sha":"0af47723266b57ee39d55d74127ce0c8d902c466"},{"name":"main.tf","path":"examples/iam-user-password-policy/main.tf","sha":"ae22f0ac3173d5c0f191ec537725ea6230962fc5"},{"name":"vars.tf","path":"examples/iam-user-password-policy/vars.tf","sha":"fcdc47d795f3e20427b615e26ea2d60db7109a78"}]},{"name":"iam-users","children":[{"name":"README.md","path":"examples/iam-users/README.md","sha":"f8b65e9756e9f8c8703a854c1363be700b5fe8d9"},{"name":"main.tf","path":"examples/iam-users/main.tf","sha":"892c01c4392d7befe26bb0c7ff80ac0cbefa6563"},{"name":"outputs.tf","path":"examples/iam-users/outputs.tf","sha":"5c7e14248dcd792771f5956d6acc4cd2562887b5"},{"name":"variables.tf","path":"examples/iam-users/variables.tf","sha":"5c27b34c5b14c9222e196441c29576eed1f9fb31"}]},{"name":"ip-lockdown","children":[{"name":"README.md","path":"examples/ip-lockdown/README.md","sha":"3962ba23a76d8f02e5c0ffc8cb71196991628e38"},{"name":"aws-example","children":[{"name":"README.md","path":"examples/ip-lockdown/aws-example/README.md","sha":"282005cb1cbc63ff7a642bac388a48d6cc3a2087","toggled":true},{"name":"main.tf","path":"examples/ip-lockdown/aws-example/main.tf","sha":"948172240196c610e26957ca60640191fdfab0ad"},{"name":"outputs.tf","path":"examples/ip-lockdown/aws-example/outputs.tf","sha":"a175a78c9a10f9f2fd9d7c84f9b304aebc1bdb41"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/ip-lockdown/aws-example/user-data/user-data.sh","sha":"c6d308027737a434f4c96bc3eba5bd301897af62"}]},{"name":"vars.tf","path":"examples/ip-lockdown/aws-example/vars.tf","sha":"0db59e9a6307fa940ddf5258130be1c9504c86a5"}],"toggled":true},{"name":"ip-lockdown-sample.json","path":"examples/ip-lockdown/ip-lockdown-sample.json","sha":"2ccf2fe1a5b90bf4ab760ddd4f7714a8e1d43df6"},{"name":"local-test","children":[{"name":"README.md","path":"examples/ip-lockdown/local-test/README.md","sha":"3f0e1a6483ce3155bb04dbb9a4fd76ed41486d35"},{"name":"docker-compose.yml","path":"examples/ip-lockdown/local-test/docker-compose.yml","sha":"1495f82dca93d86fda60fb9dec7ded13852217fc"}]}],"toggled":true},{"name":"kms-master-key","children":[{"name":"README.md","path":"examples/kms-master-key/README.md","sha":"888367af686e25e12f987a100d9d593bc6ca71cc"},{"name":"main.tf","path":"examples/kms-master-key/main.tf","sha":"4e9b50a413bf0844e99281e8611c43479def780f"},{"name":"outputs.tf","path":"examples/kms-master-key/outputs.tf","sha":"bfeb4638cc0ad7540bf7e5258fdc4b73df4b7dc0"},{"name":"vars.tf","path":"examples/kms-master-key/vars.tf","sha":"f8b3c8eb30cdf87d4d7a8cda04dfc001f9872242"}]},{"name":"ntp","children":[{"name":"README.md","path":"examples/ntp/README.md","sha":"b676e802c1d196f6af204d14d143b80864bccd30"},{"name":"ntp-example.json","path":"examples/ntp/ntp-example.json","sha":"ab322bfd9042a9eaf3a9b2ec3418abd7188bc99a"}]},{"name":"os-hardening","children":[{"name":"README.md","path":"examples/os-hardening/README.md","sha":"2518516d2aea0bc3f8d142f0ee8db181ab491d6e"},{"name":"packer-build.sh","path":"examples/os-hardening/packer-build.sh","sha":"7a35196064d70b06cd349d80b64a82b0affe18f0"},{"name":"packer","children":[{"name":"amazon-linux.json","path":"examples/os-hardening/packer/amazon-linux.json","sha":"e75442792ba2588a02bcc93a90eceade50e5a846"},{"name":"files","children":[{"name":"etc","children":[{"name":"fstab","path":"examples/os-hardening/packer/files/etc/fstab","sha":"cbf68cec68a92bc54f514dd0d6906f19cea857e6"}]}]}]},{"name":"terraform","children":[{"name":"main.tf","path":"examples/os-hardening/terraform/main.tf","sha":"0279c513bb48e2a5c966b19298066c04bf6b02f5"},{"name":"outputs.tf","path":"examples/os-hardening/terraform/outputs.tf","sha":"33083aed25a4ed6e323bf84381b896614814c9d1"},{"name":"vars.tf","path":"examples/os-hardening/terraform/vars.tf","sha":"60e4d2707d2f9edba702c9e8edd48ecfc30ae514"}]}]},{"name":"saml-iam-roles","children":[{"name":"README.md","path":"examples/saml-iam-roles/README.md","sha":"e316aefb1fbf753baa8625c8063e239c799c52b3"},{"name":"main.tf","path":"examples/saml-iam-roles/main.tf","sha":"d0ed7822a55913c6c93391ee345b32a8912ee3ae"},{"name":"outputs.tf","path":"examples/saml-iam-roles/outputs.tf","sha":"1bd4fec9529cddfd2d3f61bba60f9dfb8b286c70"},{"name":"saml-metadata.xml","path":"examples/saml-iam-roles/saml-metadata.xml","sha":"88596cfde52242a43559c79216a1c60b2ea12903"},{"name":"vars.tf","path":"examples/saml-iam-roles/vars.tf","sha":"8673df83c8d53eadd579d9ac9ae536711561c746"}]},{"name":"ssh-grunt","children":[{"name":"houston","children":[{"name":"README.md","path":"examples/ssh-grunt/houston/README.md","sha":"ac5cb5fd6c2b55bf198ec4a9ec744d7070bf1875"},{"name":"main.tf","path":"examples/ssh-grunt/houston/main.tf","sha":"36cb5881d191d10eb656af4f1865e1ff6ab2c6e3"},{"name":"outputs.tf","path":"examples/ssh-grunt/houston/outputs.tf","sha":"978b316044d417393b70100a427de1068c4d417f"},{"name":"vars.tf","path":"examples/ssh-grunt/houston/vars.tf","sha":"34c542e9e1afc5dca29476a6ca40d27050aa02d2"}]},{"name":"iam","children":[{"name":"README.md","path":"examples/ssh-grunt/iam/README.md","sha":"d79ebb115ab2452ff3e3dfe57c893e319ffd05ab"},{"name":"main.tf","path":"examples/ssh-grunt/iam/main.tf","sha":"9287afd098898404fa5937818d65e4beaeeef691"},{"name":"outputs.tf","path":"examples/ssh-grunt/iam/outputs.tf","sha":"978b316044d417393b70100a427de1068c4d417f"},{"name":"vars.tf","path":"examples/ssh-grunt/iam/vars.tf","sha":"093c5c41394e22b8308abc432b610a87b75e7680"}]},{"name":"mock-houston","children":[{"name":"README.md","path":"examples/ssh-grunt/mock-houston/README.md","sha":"94c0ef92814db64b5f3d578a4ba7011fb058fedf"},{"name":"main.tf","path":"examples/ssh-grunt/mock-houston/main.tf","sha":"f2bf9160b336a66634bf0f62fb720e00c851412d"},{"name":"outputs.tf","path":"examples/ssh-grunt/mock-houston/outputs.tf","sha":"a25069b6b919c0fa31fc32c3bcf1d326f7c3d46c"},{"name":"vars.tf","path":"examples/ssh-grunt/mock-houston/vars.tf","sha":"984df0c1fa7e7c78d8755652c321dcd06543d030"}]},{"name":"packer","children":[{"name":"README.md","path":"examples/ssh-grunt/packer/README.md","sha":"40dc203c7287544434c7f668ea58782afd2f2386"},{"name":"build-binary.sh","path":"examples/ssh-grunt/packer/build-binary.sh","sha":"6e96bfaa2b82f54ed3f1c5ffb8bb3ee0f99055e4"},{"name":"ssh-grunt-houston.json","path":"examples/ssh-grunt/packer/ssh-grunt-houston.json","sha":"cd3c4a1c2053c238720b0b4111efc3003db7e6cb"},{"name":"ssh-grunt-iam.json","path":"examples/ssh-grunt/packer/ssh-grunt-iam.json","sha":"ab7237cf73deccb4f94837046be2efa0d6df3ebf"}]}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"examples/ssm-healthchecks-iam-permissions/README.md","sha":"f1fe555a3aff887a966def0a1d3ccaff3dd826e7"},{"name":"main.tf","path":"examples/ssm-healthchecks-iam-permissions/main.tf","sha":"2ff78d1f7cc4a484319a74a62880b26ad679f8b5"},{"name":"outputs.tf","path":"examples/ssm-healthchecks-iam-permissions/outputs.tf","sha":"52688c3a4f1f8349500505fb8949fa0d21c385a3"},{"name":"vars.tf","path":"examples/ssm-healthchecks-iam-permissions/vars.tf","sha":"3fb4df876ccbcd8a3ff3af79efaf3479a74261bf"}]}],"toggled":true},{"name":"modules","children":[{"name":"_deprecated","children":[{"name":"custom-iam-group","children":[{"name":"README.md","path":"modules/_deprecated/custom-iam-group/README.md","sha":"e7a0ff783eb1052aa77fe50d7eaa6a06d2d82649"}]}]},{"name":"auto-update","children":[{"name":"README.adoc","path":"modules/auto-update/README.adoc","sha":"2dc0c5ae564c0893db7bd48550f47f50dc69ab74"},{"name":"core-concepts.md","path":"modules/auto-update/core-concepts.md","sha":"a292e900ff20e205679c5a8a2b382081f338a41f"},{"name":"install-scripts","children":[{"name":"configure-auto-update","path":"modules/auto-update/install-scripts/configure-auto-update","sha":"bf7cdd18bf7c284056071c5e8b905adf2ac772d0"},{"name":"unattended_upgrades_config.txt","path":"modules/auto-update/install-scripts/unattended_upgrades_config.txt","sha":"abe88fd8a5037ce518bec69a6cac0699cb421d47"},{"name":"yum_cron_config.txt","path":"modules/auto-update/install-scripts/yum_cron_config.txt","sha":"e7ef4273f1b2af0c9c032fadaacd03130ba5ea78"}]},{"name":"install.sh","path":"modules/auto-update/install.sh","sha":"7c19fd0d04b11c358af64149b3169d6b2c5e3b58"}]},{"name":"aws-auth","children":[{"name":"AWS-AUTH-LASTPASS.md","path":"modules/aws-auth/AWS-AUTH-LASTPASS.md","sha":"f989822c9600fdb7dec2b67a929f8e4b49947aa8"},{"name":"README.md","path":"modules/aws-auth/README.md","sha":"334b60630b57378a8327981cc6581244a55c2e24"},{"name":"bin","children":[{"name":"aws-auth","path":"modules/aws-auth/bin/aws-auth","sha":"973c0ad62b2ab51cb18abf57d332869171480eff"}]},{"name":"install.sh","path":"modules/aws-auth/install.sh","sha":"ab9611d92d6822ceed981bdff3766724366037f0"}]},{"name":"aws-config","children":[{"name":"README.adoc","path":"modules/aws-config/README.adoc","sha":"13236bd030770bde664fbfb0f0cdd7e67416297a"},{"name":"core-concepts.md","path":"modules/aws-config/core-concepts.md","sha":"7f917cedb2e054a6e7ac4455a92240ff54f15987"},{"name":"main.tf","path":"modules/aws-config/main.tf","sha":"ef90c58cb569c459ef803156f3c991bd197fb503"},{"name":"outputs.tf","path":"modules/aws-config/outputs.tf","sha":"8c8c3d4c9fd8d408d34cda20b4302abc6401005b"},{"name":"vars.tf","path":"modules/aws-config/vars.tf","sha":"d65687709db3c58685573be6f9bfa4ae6cd05c5b"}]},{"name":"aws-organizations-config-rules","children":[{"name":"README.adoc","path":"modules/aws-organizations-config-rules/README.adoc","sha":"3c80d37fe39d4be2d7155442b260d6d1de1bb3c2"},{"name":"core-concepts.md","path":"modules/aws-organizations-config-rules/core-concepts.md","sha":"28f0d3a3325c97e0417c01671bbfc8a1b577498a"},{"name":"main.tf","path":"modules/aws-organizations-config-rules/main.tf","sha":"c67d58ca43acafce5f464b969980074631573490"},{"name":"outputs.tf","path":"modules/aws-organizations-config-rules/outputs.tf","sha":"9b78cd00ad242a02579147b390c6ad946620e1f0"},{"name":"variables.tf","path":"modules/aws-organizations-config-rules/variables.tf","sha":"1d8616a01e1db2c0672827920afef50d921fde6d"}]},{"name":"aws-organizations","children":[{"name":"README.adoc","path":"modules/aws-organizations/README.adoc","sha":"1352eb4694d958aa047d60f4ec7e391d887602cf"},{"name":"core-concepts.md","path":"modules/aws-organizations/core-concepts.md","sha":"ff397622de5a23581ae9792f4161aa0f1a1e1085"},{"name":"main.tf","path":"modules/aws-organizations/main.tf","sha":"0813956755b64165bddc6a9e883ee36e686079dd"},{"name":"outputs.tf","path":"modules/aws-organizations/outputs.tf","sha":"5d71fce583011b7351615821e6a888eb8f73906a"},{"name":"variables.tf","path":"modules/aws-organizations/variables.tf","sha":"4eac97565d5ab76a5e0c03cde4a9337001125156"}]},{"name":"cloudtrail","children":[{"name":"README.adoc","path":"modules/cloudtrail/README.adoc","sha":"29cd0635a4ce35bcdf710da9e66884341e105340"},{"name":"core-concepts.md","path":"modules/cloudtrail/core-concepts.md","sha":"beed0fe088229f9c33e58ad62f213964f4571349"},{"name":"main.tf","path":"modules/cloudtrail/main.tf","sha":"7e98e2b4fa6e8142b28ae3ad3e7ddf1d91c6d54c"},{"name":"outputs.tf","path":"modules/cloudtrail/outputs.tf","sha":"20e598a564e2362f8e199d710699dedded900dfb"},{"name":"vars.tf","path":"modules/cloudtrail/vars.tf","sha":"7688720ba84934a8919a20fd07324dbf9e404ad6"}]},{"name":"cross-account-iam-roles","children":[{"name":"README.md","path":"modules/cross-account-iam-roles/README.md","sha":"9185ef34dd25c4da8d907a180495c377fdbcff49"},{"name":"main.tf","path":"modules/cross-account-iam-roles/main.tf","sha":"d4b66fff9f7acee9999f6674a86441e09ca9b393"},{"name":"outputs.tf","path":"modules/cross-account-iam-roles/outputs.tf","sha":"73b26ff9804cb98404c81fa07e084042898482cf"},{"name":"vars.tf","path":"modules/cross-account-iam-roles/vars.tf","sha":"bca2aa64fec3f57a5e5faca26611ac3ca57b39a1"}]},{"name":"custom-iam-entity","children":[{"name":"README.md","path":"modules/custom-iam-entity/README.md","sha":"98ab8129418c43978d46d58896b6e64172995aba"},{"name":"main.tf","path":"modules/custom-iam-entity/main.tf","sha":"3a6866b29cf106c185bf7452595315666ec41398"},{"name":"outputs.tf","path":"modules/custom-iam-entity/outputs.tf","sha":"23cc0eb151da4ab2f146c89d9ad53dfc0e5c8c82"},{"name":"vars.tf","path":"modules/custom-iam-entity/vars.tf","sha":"1924cbbfa3dfc1833ca51d616b875db189b65927"}]},{"name":"fail2ban","children":[{"name":"README.md","path":"modules/fail2ban/README.md","sha":"2301349c1b8775809b7362189a72655ce58b26fb"},{"name":"install-scripts","children":[{"name":"cloudwatch-metric.conf","path":"modules/fail2ban/install-scripts/cloudwatch-metric.conf","sha":"f78f5f55f585a6efe60a51a2c0f41e4a63f99749"},{"name":"configure-fail2ban","path":"modules/fail2ban/install-scripts/configure-fail2ban","sha":"19e281057d9e5ac91e7497441febfe633d231cd1"},{"name":"fail2ban.local","path":"modules/fail2ban/install-scripts/fail2ban.local","sha":"8292c4a18c825bfbf0a8d52cfb2746aa43f76ca4"},{"name":"filters.sshd.amazon.conf","path":"modules/fail2ban/install-scripts/filters.sshd.amazon.conf","sha":"093bb1baf88a1e283a43b7dd7d04c64992abecc6"},{"name":"jail.amazon.local","path":"modules/fail2ban/install-scripts/jail.amazon.local","sha":"a0aef73873e461c46ff63a4a3e5166ad3453c5e3"},{"name":"jail.amazon2.local","path":"modules/fail2ban/install-scripts/jail.amazon2.local","sha":"73993857d9a9424bb991666a58adc080024fe720"},{"name":"jail.ubuntu.local","path":"modules/fail2ban/install-scripts/jail.ubuntu.local","sha":"3ba6255a331696f384c0fcc385cd599687f60199"}]},{"name":"install.sh","path":"modules/fail2ban/install.sh","sha":"8f7b536f08506dabc2f6beb6cd5a50f7282168aa"},{"name":"user-data-scripts","children":[{"name":"configure-fail2ban-cloudwatch.sh","path":"modules/fail2ban/user-data-scripts/configure-fail2ban-cloudwatch.sh","sha":"64b7c27b8aa50302f4f7e35ebd8bbf93064bb777"}]}]},{"name":"iam-groups","children":[{"name":"README.md","path":"modules/iam-groups/README.md","sha":"072baead8ab54d99d6c9232802c42522a9785c96"},{"name":"_docs","children":[{"name":"iam-user-access-to-billing.png","path":"modules/iam-groups/_docs/iam-user-access-to-billing.png","sha":"063f6cf8dc766b4d44942de89660e8ab9e1f3d63"},{"name":"my-account.png","path":"modules/iam-groups/_docs/my-account.png","sha":"387320200ed756ce4191afef87f0ab76e2c3d89a"}]},{"name":"main.tf","path":"modules/iam-groups/main.tf","sha":"09854772868b6351d46a29a3fa717804b1460f83"},{"name":"outputs.tf","path":"modules/iam-groups/outputs.tf","sha":"59cbe8c8417ce370880236a1596998f26bdf7f07"},{"name":"vars.tf","path":"modules/iam-groups/vars.tf","sha":"bb2c89d70441cf6e19b1df8d929cbbae1726bc6d"}]},{"name":"iam-policies","children":[{"name":"README.md","path":"modules/iam-policies/README.md","sha":"a6b450cb3dc9b7f0809223c37dcc79451ac573d9"},{"name":"main.tf","path":"modules/iam-policies/main.tf","sha":"8648ecc0eae6ced94c1b10197186f760760dbf8b"},{"name":"outputs.tf","path":"modules/iam-policies/outputs.tf","sha":"6e9206ee3029eb480b6ede1bf55e4ef15b0a0673"},{"name":"vars.tf","path":"modules/iam-policies/vars.tf","sha":"6204c2d4b1b7ec860b4cc5d4d206990a91dfdc9c"}]},{"name":"iam-user-password-policy","children":[{"name":"README.md","path":"modules/iam-user-password-policy/README.md","sha":"5bea6ba56fc796be5b860549156a3a251735fc2a"},{"name":"main.tf","path":"modules/iam-user-password-policy/main.tf","sha":"9670fa0991057e03a72b72987c02a71e14611724"},{"name":"vars.tf","path":"modules/iam-user-password-policy/vars.tf","sha":"7c08eef88a7b13226cc4e18aa8338db64fdf83f0"}]},{"name":"iam-users","children":[{"name":"README.md","path":"modules/iam-users/README.md","sha":"9da56f1341cc4b4dc67038391ea8f52198bb3b21"},{"name":"main.tf","path":"modules/iam-users/main.tf","sha":"4d9e3efab76e509a9715fc276833254b9500169a"},{"name":"outputs.tf","path":"modules/iam-users/outputs.tf","sha":"67020f9214a30c4fddd150c67209a231d4aec00e"},{"name":"variables.tf","path":"modules/iam-users/variables.tf","sha":"3e49197e1f1b4251f5fff088974cb6e40c3677b0"}]},{"name":"ip-lockdown","children":[{"name":"README.md","path":"modules/ip-lockdown/README.md","sha":"af806e396600aed64922eac8a3c7ab29a90f858d"},{"name":"install.sh","path":"modules/ip-lockdown/install.sh","sha":"ce61af763bee9ad29754220ae24521f22c3a956f"},{"name":"ip-lockdown","path":"modules/ip-lockdown/ip-lockdown","sha":"93a0e1f5876e7de5778c595e8801d64986cb118b"}]},{"name":"kms-master-key","children":[{"name":"README.md","path":"modules/kms-master-key/README.md","sha":"2b5bfbea3ccd458581062da3896569c15ff7e580"},{"name":"main.tf","path":"modules/kms-master-key/main.tf","sha":"056fe2d8ed385f12ebfef79c0addc9e97e8b07c8"},{"name":"outputs.tf","path":"modules/kms-master-key/outputs.tf","sha":"b9bd1c5fa06b56d0bd78f7dab15c9f3233443bed"},{"name":"vars.tf","path":"modules/kms-master-key/vars.tf","sha":"47b6750ee300f7ab06bbad17212a859e66d4bf4a"}]},{"name":"ntp","children":[{"name":"README.md","path":"modules/ntp/README.md","sha":"c81ae3adf4d5af364729c5537414de1ada470af5"},{"name":"install.sh","path":"modules/ntp/install.sh","sha":"d31aa46b7f60f621a45166726559c8025efc1aa0"}]},{"name":"os-hardening","children":[{"name":"README.md","path":"modules/os-hardening/README.md","sha":"3e864b0e9208eb6809adf41968c51e02fc233ee1"},{"name":"_docs","children":[{"name":"Helpful Email.md","path":"modules/os-hardening/_docs/Helpful Email.md","sha":"246a0b80b29f5ff3d2b2f4c5c170fc927e2d9dd7"}]},{"name":"ami-builder","children":[{"name":"files","children":[{"name":"user-data.sh.template","path":"modules/os-hardening/ami-builder/files/user-data.sh.template","sha":"4a3c87a19e1a4caa20b9b425b2a02101566d1166"}]},{"name":"main.tf","path":"modules/os-hardening/ami-builder/main.tf","sha":"3b23018276920ce33dab358eab79ef39e269fd98"},{"name":"outputs.tf","path":"modules/os-hardening/ami-builder/outputs.tf","sha":"8ce2ee598124ca50dd530a33aa60f5d1452a4a2b"},{"name":"vars.tf","path":"modules/os-hardening/ami-builder/vars.tf","sha":"c5927cfcebf6781b8b920d8fd7872f2992bb1501"}]},{"name":"partition-scripts","children":[{"name":"README.md","path":"modules/os-hardening/partition-scripts/README.md","sha":"a2986f1ab8f7470d2ba71d5270e5217d64cb10a3"},{"name":"bin","children":[{"name":"cleanup-volume","path":"modules/os-hardening/partition-scripts/bin/cleanup-volume","sha":"c7cbf3ecebd915235238557d27a1ce25e6fc10fa"},{"name":"partition-volume","path":"modules/os-hardening/partition-scripts/bin/partition-volume","sha":"f4f8566a1ef6aa4ff0c0268bd28721488aa6dfc4"}]},{"name":"install.sh","path":"modules/os-hardening/partition-scripts/install.sh","sha":"606776c068260836e8612a681ff4e3edc8abdb41"}]}]},{"name":"saml-iam-roles","children":[{"name":"README.md","path":"modules/saml-iam-roles/README.md","sha":"fed1904b6d61d7d3fdee2931cfeb0cb79ec54523"},{"name":"main.tf","path":"modules/saml-iam-roles/main.tf","sha":"e4d97af0e2b812427faaf4e860b593eb9a113d30"},{"name":"outputs.tf","path":"modules/saml-iam-roles/outputs.tf","sha":"b2778906a16b2b513808aaea58c06cc3c9fc8c42"},{"name":"vars.tf","path":"modules/saml-iam-roles/vars.tf","sha":"981970525d6fd88bbaad9e72745f390795102333"}]},{"name":"ssh-grunt-selinux-policy","children":[{"name":"README.md","path":"modules/ssh-grunt-selinux-policy/README.md","sha":"8a934c81da696e32c365183b6a707594da99ba79"},{"name":"install.sh","path":"modules/ssh-grunt-selinux-policy/install.sh","sha":"3de871d61a9990e7f2c130f23afaf00daeb6bbef"},{"name":"ssh-grunt.pp","path":"modules/ssh-grunt-selinux-policy/ssh-grunt.pp","sha":"7c7050f812cd0e3cb34e37b88c35fb09f369be7d"},{"name":"ssh-grunt.te","path":"modules/ssh-grunt-selinux-policy/ssh-grunt.te","sha":"3317a71feaa633662a00b1dc05b1176cb85c9793"}]},{"name":"ssh-grunt","children":[{"name":".dockerignore","path":"modules/ssh-grunt/.dockerignore","sha":"a725465aee245635a2bd129af54858ed32c84cb8"},{"name":"Dockerfile","path":"modules/ssh-grunt/Dockerfile","sha":"6a6f21b4742f67f58be809a54ff48f2f6937ae14"},{"name":"Gopkg.lock","path":"modules/ssh-grunt/Gopkg.lock","sha":"f96af3ce514c0a60f18f7fb2b9620e1890e1e764"},{"name":"Gopkg.toml","path":"modules/ssh-grunt/Gopkg.toml","sha":"529ca4ea4ef756052c92315e07b2fbdb92720237"},{"name":"README.adoc","path":"modules/ssh-grunt/README.adoc","sha":"ad463ff8083ad7ccb90a6fca489e12012ac63896"},{"name":"_ci","children":[{"name":"build-and-test.sh","path":"modules/ssh-grunt/_ci/build-and-test.sh","sha":"903993de2d7bcde19d472fa5e510ee862d4b10c3"},{"name":"test.sh","path":"modules/ssh-grunt/_ci/test.sh","sha":"235603944316e81f1da1cc0248b80beecf99cb27"}]},{"name":"_docs","children":[{"name":"houston-upload-ssh-key.png","path":"modules/ssh-grunt/_docs/houston-upload-ssh-key.png","sha":"e32519497262f9796a4ea46c53953923975cbd7d"},{"name":"iam-upload-ssh-key.png","path":"modules/ssh-grunt/_docs/iam-upload-ssh-key.png","sha":"8bb1e793185eb0b4822023552899874394342f21"}]},{"name":"core-concepts.md","path":"modules/ssh-grunt/core-concepts.md","sha":"39e72fc7d9ecc6fb69a2b0beb582f5e23701de6a"},{"name":"docker-compose.yml","path":"modules/ssh-grunt/docker-compose.yml","sha":"0609cfaadf18bb9eb8ff13459cf9f0f10928765e"},{"name":"scripts","children":[{"name":"build-linux-binary.sh","path":"modules/ssh-grunt/scripts/build-linux-binary.sh","sha":"fc74dd9990e9f4526ae2e7cd13e338d4fd0f11c4"},{"name":"run.sh","path":"modules/ssh-grunt/scripts/run.sh","sha":"050027e034cd03e53625986eb0f331c043492cf6"}]},{"name":"src","children":[{"name":"cli.go","path":"modules/ssh-grunt/src/cli.go","sha":"f72f670dcf0ae2e0bcb8ed02e91c706a5e8c3be0"},{"name":"cli_test.go","path":"modules/ssh-grunt/src/cli_test.go","sha":"a65fc7945a800263b6ad153cc0c4354551814f0c"},{"name":"collections.go","path":"modules/ssh-grunt/src/collections.go","sha":"abb602cb1a1df835caf2cfd66dfc058aed75e3ee"},{"name":"cron.go","path":"modules/ssh-grunt/src/cron.go","sha":"ba1ada9e91762b66206025cfc281bea8f35498b0"},{"name":"cron_test.go","path":"modules/ssh-grunt/src/cron_test.go","sha":"0300a91bf9e0b536a2061a2f85c69542f86966a6"},{"name":"errors.go","path":"modules/ssh-grunt/src/errors.go","sha":"0e6361f5d7773d32f7fc9ff48a6d54bafd33508e"},{"name":"file.go","path":"modules/ssh-grunt/src/file.go","sha":"edf84f18ffa9c25038e02c5eb74213a413ee5ad3"},{"name":"groups.go","path":"modules/ssh-grunt/src/groups.go","sha":"fba9e95114aa7aa723913e855b424b76952d5c7b"},{"name":"groups_test.go","path":"modules/ssh-grunt/src/groups_test.go","sha":"c0b0bef6dc58bc640e689c0eab284fe3767359b5"},{"name":"houston.go","path":"modules/ssh-grunt/src/houston.go","sha":"2ba5973deb8a5431946ed0fc401bdc06028d91d7"},{"name":"houston_test.go","path":"modules/ssh-grunt/src/houston_test.go","sha":"088b51302fe48341ba83ac05107910cd5269e50f"},{"name":"iam.go","path":"modules/ssh-grunt/src/iam.go","sha":"dafbc8fbb732d2d6212cade786eb13d7215b9862"},{"name":"iam_test.go","path":"modules/ssh-grunt/src/iam_test.go","sha":"4f69cd90234d025c4368421ca7ce3f7818a52165"},{"name":"logger.go","path":"modules/ssh-grunt/src/logger.go","sha":"e62f5712a083ee1006911a23ee71e03ebd3622cf"},{"name":"main.go","path":"modules/ssh-grunt/src/main.go","sha":"89fe7e90c47dc8b2527e1c8addebca5e55ccfb35"},{"name":"shell.go","path":"modules/ssh-grunt/src/shell.go","sha":"070b861e82973d6cb7b09b91f99ad3055035bb1c"},{"name":"ssh.go","path":"modules/ssh-grunt/src/ssh.go","sha":"7eddcb4fa3fb3cf51ffa6221bc6552a7d57cfa98"},{"name":"ssh_test.go","path":"modules/ssh-grunt/src/ssh_test.go","sha":"f095f9d6d3618ac50c2ef8e65d6be4a2bff26283"},{"name":"string.go","path":"modules/ssh-grunt/src/string.go","sha":"fc61ca9625f9d654c2b3576ff932db1b90ae9dfe"},{"name":"string_test.go","path":"modules/ssh-grunt/src/string_test.go","sha":"a51e495942cd4364b1b2a511fa68fc4b1dde1237"},{"name":"sync.go","path":"modules/ssh-grunt/src/sync.go","sha":"b5d5bdbc0c1b52fa0008190eb3f97bc99109c3dd"},{"name":"sync_test.go","path":"modules/ssh-grunt/src/sync_test.go","sha":"f0a46bd471c56bde16cb822f8281e975c8aec848"},{"name":"url.go","path":"modules/ssh-grunt/src/url.go","sha":"12ff56939763979f94a8cb6dc35c9775ce0d3474"},{"name":"url_test.go","path":"modules/ssh-grunt/src/url_test.go","sha":"fe77a4563549dc6e0148452c1b03f19b6c0d9dcc"},{"name":"users.go","path":"modules/ssh-grunt/src/users.go","sha":"a40c2d3f26f69a93dac83da731a2407d1b89a083"},{"name":"users_test.go","path":"modules/ssh-grunt/src/users_test.go","sha":"3473766223be802090c695568e696149442ce112"}]}]},{"name":"ssh-iam","children":[{"name":"README.md","path":"modules/ssh-iam/README.md","sha":"4aa06d6a729e53384b6d2a43c06ee38807092f32"}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"modules/ssm-healthchecks-iam-permissions/README.md","sha":"005260025ae51ed9e13f1b6c6f9d737a02d5db68"},{"name":"main.tf","path":"modules/ssm-healthchecks-iam-permissions/main.tf","sha":"6b6b91fa59bc86de7521264ff34217cc88ae3842"},{"name":"vars.tf","path":"modules/ssm-healthchecks-iam-permissions/vars.tf","sha":"731aa1c2f275f723272114ef0357a8c3a246b47e"}]},{"name":"tls-cert-private","children":[{"name":"Dockerfile","path":"modules/tls-cert-private/Dockerfile","sha":"028aa72d434cf4bf28dff92d293e35a85b19fcf0"},{"name":"README.md","path":"modules/tls-cert-private/README.md","sha":"c6996ec25d7d9b1ab4f79d8164a14e86e1ac844f"},{"name":"docker-compose.yml","path":"modules/tls-cert-private/docker-compose.yml","sha":"f872026e8d51ceaab2e1c11cc9cf9c35ba81f29c"},{"name":"files","children":[{"name":"openssl.cnf","path":"modules/tls-cert-private/files/openssl.cnf","sha":"2542542c80ab180c47d3e0a27dbded65bed572de"}]},{"name":"scripts","children":[{"name":"generate-ca-keypair.sh","path":"modules/tls-cert-private/scripts/generate-ca-keypair.sh","sha":"395ee97c0e499c660efac5c5cf1f79dfcdbb69f8"},{"name":"generate-tls-keypair.sh","path":"modules/tls-cert-private/scripts/generate-tls-keypair.sh","sha":"f1c3577437fd589087704a9c003de416cb87d232"},{"name":"main.sh","path":"modules/tls-cert-private/scripts/main.sh","sha":"dc7af965ffb783bbef449010818e69294fa2ef75"}]}]}]},{"name":"test","children":[{"name":"Gopkg.lock","path":"test/Gopkg.lock","sha":"6689c8cc0cc6b75a2fd3b96cd4590c5171022fd9"},{"name":"Gopkg.toml","path":"test/Gopkg.toml","sha":"b1dfa116f26fb4b7d7fe6a524e1b5bb074f67365"},{"name":"README.md","path":"test/README.md","sha":"62b43a1b4268805a0a1fdcecd51f4068b07d37b1"},{"name":"auto_update_test.go","path":"test/auto_update_test.go","sha":"1d2a5906849c2ae62c65c0c5ce42a9ba20201f82"},{"name":"aws_config_test.go","path":"test/aws_config_test.go","sha":"df32a8831f033d011743adbc70a679a287f8d899"},{"name":"aws_organizations_config_rules_test.go","path":"test/aws_organizations_config_rules_test.go","sha":"873b1ea607fe800910a02aa5b5d72e1709e3d724"},{"name":"aws_organizations_test.go","path":"test/aws_organizations_test.go","sha":"2eead85751ec47bd1008b795621fa5cff4a2a262"},{"name":"cloudtrail_test.go","path":"test/cloudtrail_test.go","sha":"bfd0e35b8f08e14a55026de1e72a97e6e7f15342"},{"name":"cross_account_iam_roles_test.go","path":"test/cross_account_iam_roles_test.go","sha":"b7dd54b59acb03cb0c5a7581e15de61f4b901c36"},{"name":"custom_iam_entity_test.go","path":"test/custom_iam_entity_test.go","sha":"390cace437fd609e2ad5d81c77d7ffacb0d7555e"},{"name":"fail2ban_test.go","path":"test/fail2ban_test.go","sha":"ac5c2f060a8aefc96d6ddd60630b6c8826182dfc"},{"name":"iam_groups_test.go","path":"test/iam_groups_test.go","sha":"21d66e7dcdf43cb7725be7ed4c7c8c7eb34dab79"},{"name":"iam_ssm_test.go","path":"test/iam_ssm_test.go","sha":"48e1870a8882f4ad88bd5fb7fb018b33baee82a6"},{"name":"iam_user_password_policy_test.go","path":"test/iam_user_password_policy_test.go","sha":"1fb35eea4e93bd26aad51804094dda325a4893b0"},{"name":"iam_users_test.go","path":"test/iam_users_test.go","sha":"e4934196d3df5d2a506b92fcae3f65b6309eebb8"},{"name":"ip-lockdown-test-scripts","children":[{"name":"allow-several-users.sh","path":"test/ip-lockdown-test-scripts/allow-several-users.sh","sha":"2f75dbe0880ed0907b43db58b6ac030a0d0e9bd4"},{"name":"common.sh","path":"test/ip-lockdown-test-scripts/common.sh","sha":"cdfe11aca76607a4feaf254a394f32273b738c5c"},{"name":"index.html","path":"test/ip-lockdown-test-scripts/index.html","sha":"557db03de997c86a4a028e1ebd3a1ceb225be238"},{"name":"restrict-all-users.sh","path":"test/ip-lockdown-test-scripts/restrict-all-users.sh","sha":"a37c1ffc90f2532e7cc3f9f5a859b75c98661dc6"},{"name":"restrict-one-user.sh","path":"test/ip-lockdown-test-scripts/restrict-one-user.sh","sha":"4214e1c15102f4568d1e995aa82add46ee430237"},{"name":"sanity-check.sh","path":"test/ip-lockdown-test-scripts/sanity-check.sh","sha":"542ed72f4f0952ace67c9cbf2e5ac07e81e6870c"}]},{"name":"ip_lockdown_test.go","path":"test/ip_lockdown_test.go","sha":"8a523ee4446d8f114647bbe76102cf3b755e30d4"},{"name":"kms_master_key_test.go","path":"test/kms_master_key_test.go","sha":"f372cb4e061299de80e2d9b1594d3cd7aa5cf88b"},{"name":"ntp_test.go","path":"test/ntp_test.go","sha":"e4ec90a5d39ed012b87a32d5b0b27b299cd746e8"},{"name":"os_hardening_test.go","path":"test/os_hardening_test.go","sha":"d7b1de96445a8474e323bcde272c909379d11a10"},{"name":"saml_iam_roles_test.go","path":"test/saml_iam_roles_test.go","sha":"78ec14c02892e1cb3d7b5e36756bca532ae27dd2"},{"name":"ssh_grunt_houston_test.go","path":"test/ssh_grunt_houston_test.go","sha":"b8b4d0786e13432f86745acc8e4ae468561c17a7"},{"name":"ssh_grunt_iam_test.go","path":"test/ssh_grunt_iam_test.go","sha":"30c2bf25c90aef2a0f22cf5ed789af9e45e6c86e"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"018ca09c9888db5325fefb9774bad0b5f14670a0"},{"name":"test_helpers_aws_auth.go","path":"test/test_helpers_aws_auth.go","sha":"5be2449c8274695a1f27c235f4c70cbb2416b591"},{"name":"tls_cert_private_test.go","path":"test/tls_cert_private_test.go","sha":"5696a2f5113288b1d4da4327c2a44137ad662ecd"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"ip-lockdown-aws-example\">ip-lockdown AWS Example</h1><div class=\"preview__body--border\"></div><p>This is an example of a real world scenario where we demonstrate how\n<a href=\"/repos/v0.23.0/module-security/modules/ip-lockdown\" class=\"preview__body--description--blue\">ip-lockdown</a> can be invoked as part of <code>User Data</code> to automatically lock down the EC2 metadata IP upon\nstartup of an EC2 instance.</p>\n<p>The main motivation for locking down EC2 metadata is as follows:</p>\n<ol>\n<li>EC2 metadata gives you the credentials you need to assume any IAM role associated with the EC2 instance, and thereby, get all the permissions available in that IAM role.</li>\n<li>Locking down the metadata to, for example, only the root user, makes sure that if a hacker breaks into your server with a privileged user, they cannot get the full power of the IAM role.</li>\n</ol>\n<p>For example, we often give EC2 Instances access to a KMS key via an IAM role so that instance can decrypt secrets before booting. Using ip-lockdown ensures that only the root user can access that KMS key, and therefore, secrets, which is a big improvement to your security posture.</p>\n<h2 class=\"preview__body--subtitle\" id=\"quick-start\">Quick start</h2>\n<p>To build the AMIs:</p>\n<ol>\n<li>Install <a href=\"https://www.packer.io/\" class=\"preview__body--description--blue\" target=\"_blank\">Packer</a></li>\n<li>Set your <a href=\"https://help.github.com/articles/creating-an-access-token-for-command-line-use/\" class=\"preview__body--description--blue\" target=\"_blank\">GitHub access token</a> as\nthe environment variable <code>GITHUB_OAUTH_TOKEN</code>.</li>\n<li>Run <code>packer build ../ip-lockdown-sample.json</code></li>\n</ol>\n<p>Running the Terraform Code</p>\n<ol>\n<li>Edit <code>vars.tf</code> and add your own values for: <code>aws_region</code> and <code>key_name</code>\n<ol>\n<li><code>aws_region</code> - This is the AWS region where your EC2 instance will be created. Ex: <code>us-east-1</code></li>\n<li><code>key_name</code> - This is the name of the AWS key pair you will use to ssh to this EC2 instance. To create a new key pair see <a href=\"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html?icmpid=docs_ec2_console#having-ec2-create-your-key-pair\" class=\"preview__body--description--blue\" target=\"_blank\">this guide</a></li>\n</ol>\n</li>\n<li>Run <code>terraform init</code></li>\n<li>Run <code>terraform plan</code>\n<ul>\n<li>Verify that you will be creating one new EC2 instance and one new security group to associate with that instance.</li>\n</ul>\n</li>\n<li>Run <code>terraform apply</code></li>\n</ol>\n<p>Verifying that <code>ip-lockdown</code> worked.</p>\n<ol>\n<li>\n<p>Check your <a href=\"https://console.aws.amazon.com/ec2\" class=\"preview__body--description--blue\" target=\"_blank\">EC2 Dashboard</a> for your new EC2 instance.</p>\n</li>\n<li>\n<p>SSH to your new EC2 instance</p>\n</li>\n<li>\n<p>Run <code>sudo iptables -L</code> and observe that there are now rules that block access for all users except <code>root</code>. Example below.</p>\n<pre>Chain INPUT (policy ACCEPT)\ntarget prot <span class=\"hljs-keyword\">opt</span> <span class=\"hljs-keyword\">source</span> destination \n\nChain FORWARD (policy ACCEPT)\ntarget prot <span class=\"hljs-keyword\">opt</span> <span class=\"hljs-keyword\">source</span> destination \n\nChain OUTPUT (policy ACCEPT)\ntarget prot <span class=\"hljs-keyword\">opt</span> <span class=\"hljs-keyword\">source</span> destination \nACCEPT <span class=\"hljs-keyword\">all</span> -- anywhere instance-data.ec2.internal owner UID <span class=\"hljs-keyword\">match</span> root\nREJECT <span class=\"hljs-keyword\">all</span> -- anywhere instance-data.ec2.internal reject-with icmp-port-unreachable\n</pre>\n</li>\n<li>\n<p>Try to curl metadata by doing <code>curl http://169.254.169.254/latest/meta-data/</code> (You should receive an error: <code>curl: (7) Failed to connect to 169.254.169.254 port 80: Connection refused</code>)</p>\n</li>\n<li>\n<p>Try to curl the metadata again: <code>sudo curl http://169.254.169.254/latest/meta-data/</code> (this should work)</p>\n</li>\n</ol>\n","repoName":"module-security","repoRef":"v0.21.4","serviceDescriptor":{"serviceName":"ssh-grunt","serviceRepoName":"module-security","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/ssh-grunt","cloudProviders":["aws"],"description":"Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).","imageUrl":"grunt.png","licenseType":"subscriber","technologies":["Terraform","Go"],"compliance":[],"tags":[""]},"serviceCategoryName":"SSH access","fileName":"README.md","filePath":"/examples/ip-lockdown/aws-example","title":"Repo Browser: ssh-grunt","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
.circleci
main.tf
