Question

We currently have an Amazon VPC containing several instances, all using the same security group.

Unfortunately, we have off-site staff who connect to our network via VPN. These users have an elastic IP address, meaning we're finding it tough to give them reliable access via the security group.

Does anyone know of a way of giving access via MAC address? It's the only solution I can think of other than arranging for them to have static IPs. Any ideas? Haven't been able to find a thing elsewhere online!

Cheers,

No correct solution

OTHER TIPS

Per the security group documentation, only IP addresses/networks in CIDR notation and security group IDs are permitted as rules. You cannot use DNS, nor is there a straightforward way to allow access from a dynamic IP address such as in the case of your off-site staff.

You could set up a jump/bastion host in your VPC, harden it properly, allow access from everywhere to that jump host, and then allow that jump host to access your other instances in the VPC.

Alternatively, Dome9 offers a nifty service that adds an extension to users' browsers to permit temporary access. Basically you authorize Dome9 to make changes to your security group. The user clicks the browser extension, Dome9 changes the security group to allow access from that user's IP address for some amount of time, and removes the rule when the time is up.
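The jump-host layout from the answer above, as an added example that is not part of the original answer: a simplified offline model of security group ingress evaluation, with rules written in the EC2 API's IpPermissions shape. The group IDs and addresses are constructed placeholders, and the evaluator is an illustration, not AWS code.

```python
import ipaddress

# Constructed placeholder IDs; real group IDs are assigned by AWS.
BASTION_SG = "sg-bastion-example"
APP_SG = "sg-app-example"

# A rule source is either a CIDR block (IpRanges) or another
# security group (UserIdGroupPairs). There is no MAC or DNS field.
INGRESS = {
    BASTION_SG: [  # SSH to the jump host from any address
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    APP_SG: [      # SSH to the other instances only from the jump host's group
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
    ],
}


def is_allowed(dst_sg, port, src_ip, src_sgs=()):
    """Return True if a TCP connection to an instance in dst_sg is admitted.

    src_ip  -- source address as seen by the VPC
    src_sgs -- groups attached to the source when it is an instance in the VPC
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in INGRESS.get(dst_sg, []):
        if rule["IpProtocol"] != "tcp":
            continue
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"]):
            return True
        if any(p["GroupId"] in src_sgs for p in rule["UserIdGroupPairs"]):
            return True
    return False  # anything not explicitly allowed is denied


if __name__ == "__main__":
    roaming = "203.0.113.57"  # constructed: an off-site user's current address
    print("roaming -> bastion:", is_allowed(BASTION_SG, 22, roaming))
    print("roaming -> app:    ", is_allowed(APP_SG, 22, roaming))
    print("bastion -> app:    ", is_allowed(APP_SG, 22, "10.0.0.10", (BASTION_SG,)))
```

Because the second rule names a group rather than an address, it keeps working whatever address the off-site user arrives from; only the jump host is exposed to changing source IPs.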

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow