I need some suggestions on the best balance of practicality, security and maintainability.
The scenario is:
They need to access these servers from home and from the office.
The current idea is a multi-user OpenVPN server with iptables rules blocking access to the servers that a given user is not allowed to reach.
Is there another option using AWS tools (VPCs, Security Groups, ACLs, Load Balancers, or others)?
Or are there other solutions better than this one?
Drawing of the current architecture:
Thanks
Use AWS IAM to manage user access and permissions.
For your scenario, you can create 3 groups: Server A, Server B, Server AB.
Then attach an IAM policy to each group. The policies will restrict access to specific EC2 instances only.
Sample Policy that may work for you (via https://aws.amazon.com/premiumsupport/knowledge-center/restrict-ec2-iam/ )
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "Bob"
        }
      }
    }
  ]
}
Don't forget to replace the Owner tag, Bob, and the AWS Region with values from your environment.
For connectivity, you can set them up with AWS Systems Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html
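As an added example (not code from the question or the answer above), the script below builds the three per-group policies the answer describes, but for the shell access itself rather than for the EC2 API: Session Manager authorizes ssm:StartSession against the instance ARN and supports the ssm:resourceTag/<key> condition key, so a group that should only reach "A" servers gets a policy whose condition only matches that tag value. It then runs each policy through a deliberately small local evaluator over a constructed instance inventory to show which instance IDs each group can open a session on. The tag key "Server", the tag values "A"/"B", the region, the account ID and the instance IDs are all assumptions; the evaluator models only the subset of IAM semantics it needs (Allow with StringEquals/StringLike, explicit Deny wins, default deny) and is not the real IAM engine.

```python
"""Added example, not from the original post: per-group Session Manager
policies scoped by instance tag, plus a local reachability check.

Assumptions (not in the original post): instances carry a "Server" tag
valued "A" or "B"; REGION, ACCOUNT and the instance IDs are placeholders.
The evaluator below is a simplified model, NOT the real IAM engine.
"""
import fnmatch
import json

REGION = "us-east-1"        # placeholder, replace with your own
ACCOUNT = "111122223333"    # placeholder, replace with your own
TAG_KEY = "Server"          # assumed tag key on the instances

# Tag values each group may reach; "Server AB" is simply the union.
GROUPS = {
    "Server A": ["A"],
    "Server B": ["B"],
    "Server AB": ["A", "B"],
}


def session_policy(allowed_values):
    """IAM policy allowing ssm:StartSession only on instances whose
    Server tag is one of allowed_values. StartSession also needs the
    session document resource, granted in the second statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{TAG_KEY}": allowed_values}
                },
            },
            {
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell",
            },
        ],
    }


def _condition_matches(operator, wanted, actual):
    # Missing tag never satisfies a string condition (same as IAM).
    if actual is None:
        return False
    if operator == "StringEquals":      # exact, case-sensitive
        return actual in wanted
    if operator == "StringLike":        # glob with * and ?
        return any(fnmatch.fnmatchcase(actual, p) for p in wanted)
    raise ValueError(f"unsupported operator {operator}")


def allowed(policy, instance_arn, tags):
    """Simplified IAM decision for ssm:StartSession on one instance:
    explicit Deny wins, otherwise any matching Allow, otherwise deny."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "ssm:StartSession" not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(instance_arn, r) for r in resources):
            continue
        cond_ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, wanted in keys.items():
                tag = key.split("/", 1)[1]          # "ssm:resourceTag/Server" -> "Server"
                wanted = wanted if isinstance(wanted, list) else [wanted]
                cond_ok = cond_ok and _condition_matches(operator, wanted, tags.get(tag))
        if not cond_ok:
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


# Constructed sample inventory (not from the original post).
INSTANCES = {
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0aaaaaaaaaaaaaaaa": {"Server": "A"},
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0bbbbbbbbbbbbbbbb": {"Server": "B"},
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0ccccccccccccccccc": {},  # untagged
}


def reachable(group):
    """Instance IDs the given group's policy lets it open a session on."""
    policy = session_policy(GROUPS[group])
    return sorted(arn.rsplit("/", 1)[1] for arn, tags in INSTANCES.items()
                  if allowed(policy, arn, tags))


if __name__ == "__main__":
    print(json.dumps(session_policy(GROUPS["Server A"]), indent=2))
    for group in GROUPS:
        print(f"{group:10s} -> {reachable(group)}")
```

The untagged instance is unreachable from every group, which is the point of putting the condition on the Allow: anything that is not explicitly tagged into a group is denied by default, so a forgotten tag fails closed. Before relying on the real policies, run them through `aws iam simulate-custom-policy` rather than this toy model, since service control policies and permission boundaries also participate in the real decision, and remember the instances themselves still need the SSM agent and an instance profile that permits Systems Manager to manage them.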