Well I can only guess so much of the underlying egress internet routing of AWS. At worst, if no explicit region is specified, it will reach the global aws endpoint through internet which is likely in a completely different part of the world than where you are, redirect to the local endpoint, and back.
> what’s the risk here?
Minimal, though I'm not sure the question is really relevant.
It's a bit as if you design a house with no internal doors, and you have to get out the window and back through the front door whenever you want to change room. I guess that wouldn't make your house less safe, though it's definitely a design that smells weird.
There is a real security point to make on the fact that it forces you to open access to egress internet though, and that is not to be taken lightly. There is no reason to allow a server full egress internet, and accessing AWS through internet basically forces you to do so, or leaves you implementing DNS based firewalling which is error prone, less secure, and overall a pain to set up.
> unless something has changed in the last three months they’re not available for all services. would you advocate against using those services?
No. Though I would (and do) strongly recommend implementing either DNS based firewalling, or a dynamic ruleset based on AWS ip ranges (they publish it as JSON).
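One way to build the "dynamic ruleset based on AWS ip ranges" this comment recommends, as an added example that is not part of the thread: AWS publishes its public ranges at https://ip-ranges.amazonaws.com/ip-ranges.json; the script below parses that document's shape, refuses to treat a stale copy as current, narrows it to one region and a few services, collapses overlapping prefixes, and renders an nftables egress allowlist with a default-drop output chain. The `SAMPLE` document is constructed for offline use (RFC 5737 / RFC 3849 documentation prefixes, not real AWS ranges); fetching the live file is left to the deployment tooling.

```python
"""Build a host egress allowlist from AWS's published IP ranges.

Added example, not code from the thread. AWS publishes its public ranges at
https://ip-ranges.amazonaws.com/ip-ranges.json (fields: syncToken, createDate,
prefixes[].ip_prefix/region/service, ipv6_prefixes[].ipv6_prefix/...). SAMPLE
is a CONSTRUCTED document using RFC 5737 / RFC 3849 documentation prefixes so
the script runs offline; region and service names follow the real file's
vocabulary, but the prefixes are not AWS's.
"""
import ipaddress
import json
import time

SAMPLE = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "DYNAMODB"},
        {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "S3"},
    ],
})


def parse_ip_ranges(text):
    """Parse the JSON document and reject one that lacks the expected keys."""
    doc = json.loads(text)
    for key in ("syncToken", "prefixes", "ipv6_prefixes"):
        if key not in doc:
            raise ValueError(f"ip-ranges document lacks {key!r}")
    return doc


def is_stale(doc, max_age_seconds=7 * 24 * 3600, now=None):
    """syncToken is the publication time in epoch seconds. A 'dynamic' ruleset
    should refuse to apply a copy older than its own refresh interval, otherwise
    a broken fetch silently freezes the allowlist."""
    now = time.time() if now is None else now
    return now - int(doc["syncToken"]) > max_age_seconds


def select_prefixes(doc, region, services):
    """Return (v4, v6) CIDR strings for one region and a set of service names,
    with overlapping entries collapsed. Name specific services rather than the
    catch-all 'AMAZON' entry, which would admit every range in the region."""
    wanted = {s.upper() for s in services}

    def pick(entries, field):
        nets = [ipaddress.ip_network(e[field]) for e in entries
                if e["region"] == region and e["service"] in wanted]
        return [str(n) for n in ipaddress.collapse_addresses(nets)]

    return pick(doc["prefixes"], "ip_prefix"), pick(doc["ipv6_prefixes"], "ipv6_prefix")


def render_nftables(v4, v6, set_name="aws_egress", port=443):
    """Render an nftables ruleset: default-drop output, HTTPS only to the sets.
    Loopback and already-established flows are allowed; DNS is not, which is
    deliberate for a host that only needs to reach these endpoints."""
    def set_block(name, typ, elems):
        body = f"type {typ}; flags interval;"
        if elems:  # an empty set is valid nft syntax only without 'elements'
            body += " elements = { " + ", ".join(elems) + " };"
        return f"  set {name} {{ {body} }}"

    return "\n".join([
        "table inet egress {",
        set_block(f"{set_name}_v4", "ipv4_addr", v4),
        set_block(f"{set_name}_v6", "ipv6_addr", v6),
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        f"    ip daddr @{set_name}_v4 tcp dport {port} accept",
        f"    ip6 daddr @{set_name}_v6 tcp dport {port} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    doc = parse_ip_ranges(SAMPLE)
    # A deployment script would stop here when the file is stale; the sample is
    # dated, so this only reports the verdict and still prints the ruleset.
    print(f"# syncToken={doc['syncToken']} stale={is_stale(doc)}")
    v4, v6 = select_prefixes(doc, "eu-west-1", ["S3", "DYNAMODB"])
    print(render_nftables(v4, v6))
```

The two S3 /25s and the AMAZON /24 in the sample illustrate why collapsing matters: filtering on S3 alone yields a single 203.0.113.0/24 entry, and the wider AMAZON entry never enters the set. In production the fetch, staleness check and `nft -f` apply run from a timer, so the set tracks AWS's publication without the host needing general internet egress.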
> Well I can only guess so much of the underlying egress internet routing of AWS.
> At worst, if no explicit region is specified, it will reach the global aws endpoint through internet which is likely in a completely different part of the world than where you are, redirect to the local endpoint, and back.
"When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions."
In practice there is not much risk from accessing AWS services using public endpoints, you just need to take AWS at their word.