AWS Client VPN

AWS Client VPN is an OpenVPN-based managed VPN service from AWS. It allows anyone with the right IAM permissions to create a network path into your VPC. That is usually what you want, but Client VPN can also be an end-run around the corporate VPN if your VPCs reach on-premises networks over Direct Connect or Site-to-Site VPN. Because it can authenticate against an AWS Directory Service directory, it can be configured independently of your corporate identity system and provide back doors for third parties and departed employees.

From the AWS Service Description:

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client. You are billed per active association per Client VPN endpoint on an hourly basis. You are billed for each client VPN connection per hour. Billing is pro-rated for the hour. (source)

Service Summary

Service Name: AWS Client VPN
Service Family: Networking & Content Delivery
Supports Resource Policies: No - But this service does have its own authentication capabilities
Service Pricing: Not Free
Service Webpage: https://aws.amazon.com/vpn/

Security Risks

Obviously, a misconfigured VPN in your environment can be a security risk. You should make a determination whether this service should be permitted in your environment, and if so under what conditions and configurations.

Client VPN allows access to on-premises networks via Direct Connect or Site-to-Site VPN. It also allows access to peered VPCs.

By default, when you have an AWS Client VPN endpoint, all client traffic is routed over the AWS Client VPN tunnel. (link) This means that all user traffic, Internet-bound traffic included, goes into your VPC and then back out of AWS. At 9¢ per GB for egress, this has financial impacts. Split tunneling is available, and limits the tunnel to the routes you configure on the endpoint.

Effectively Leveraging Client VPN

Authentication

Authentication can use Active Directory (via AWS Directory Service), mutual TLS certificates, or SAML-based federation. Mutual certificate authentication can be combined with either of the user-based methods, so a client certificate alone need not be enough to connect.

MFA is not a property of the endpoint: it is available only if enabled in the AWS Directory Service directory or required by your SAML identity provider, so that is where it has to be verified.

Authorization

Client VPN supports authorization rules, which grant access to a destination CIDR range either to all users or to a specific Active Directory or SAML group. Together with the endpoint's route table, these can be used to limit access to specific subnets in the VPC, and to limit access to peered VPCs and on-premises networks.

Connection Logging

Connection logging is optional. When enabled on the endpoint, connection events (attempts, successes, failures, and terminations) are written to a CloudWatch Logs log group. Enable it, and monitor those logs via your SIEM.

Network Security

Client VPN endpoints support security groups, but they apply to client traffic as it enters the VPC through the associated subnets (connected clients are treated as members of those groups); they do not restrict which public IPs can connect to the endpoint itself. If you need source-IP or device checks before a connection is allowed, the client connect handler (a Lambda function the endpoint invokes on each connection attempt) is where to enforce them.

Suggested Compliance Rules around Client VPN

  1. Authentication should use a trusted corporate identity store (Active Directory or SAML), not certificates alone
  2. MFA should be required, enforced in the directory or identity provider
  3. Connection logging should be enabled, and the CloudWatch Logs log group sent to the central logging tool
  4. Split tunneling should be enabled
  5. Network access should be limited to only the specific networks required, via authorization rules and routes. Don't let Client VPN be a way to laterally move throughout the network.
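The compliance rules above, along with the Authentication, Authorization and Connection Logging sections, can be checked mechanically from the endpoint and authorization-rule descriptions the EC2 API returns. The following is an added example for this page, not AWS code: it audits dicts shaped like the responses of ec2:DescribeClientVpnEndpoints and ec2:DescribeClientVpnAuthorizationRules. The endpoint IDs, ARNs, log group and the approved destination list are constructed for the example; pass --live to pull the real shapes from the current account with boto3.

```python
"""Audit AWS Client VPN endpoints against the compliance rules above.

Added example for this page, not AWS code. Runs offline on the constructed
sample below (fake endpoint IDs and ARNs); --live fetches the same shapes
from the current account with boto3.
"""
import ipaddress
import sys

# Assumption: the only destinations Client VPN users should ever reach.
APPROVED_DESTINATIONS = [ipaddress.ip_network("10.20.1.0/24")]

# Constructed sample in the shape of the AWS API responses (not from a real account).
SAMPLE_ENDPOINTS = [
    {   # the "back door" case: cert-only auth, no logging, full tunnel
        "ClientVpnEndpointId": "cvpn-endpoint-0aaaaaaaaaaaaaaaa",
        "SplitTunnel": False,
        "AuthenticationOptions": [{"Type": "certificate-authentication"}],
        "ConnectionLogOptions": {"Enabled": False},
    },
    {   # the compliant case: SAML federation, logging on, split tunnel
        "ClientVpnEndpointId": "cvpn-endpoint-0bbbbbbbbbbbbbbbb",
        "SplitTunnel": True,
        "AuthenticationOptions": [
            {"Type": "federated-authentication",
             "FederatedAuthentication": {"SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/corp-idp"}},
        ],
        "ConnectionLogOptions": {"Enabled": True, "CloudwatchLogGroup": "/corp/clientvpn"},
    },
]
SAMPLE_RULES = [
    {"ClientVpnEndpointId": "cvpn-endpoint-0aaaaaaaaaaaaaaaa",
     "DestinationCidr": "0.0.0.0/0", "AccessAll": True},
    {"ClientVpnEndpointId": "cvpn-endpoint-0bbbbbbbbbbbbbbbb",
     "DestinationCidr": "10.20.1.0/24", "AccessAll": False, "GroupId": "corp-vpn-users"},
]


def audit_endpoint(endpoint, rules):
    """Return (rule_number, message) findings for one endpoint; an empty list means compliant."""
    eid = endpoint.get("ClientVpnEndpointId", "?")
    findings = []

    # Rule 1: a corporate identity store (AD or SAML) must be in the mix. Certificate-only
    # endpoints admit whoever holds a client cert, so offboarding means revoking certs.
    # (Rule 2, MFA, lives in the directory/IdP and is not visible on the endpoint.)
    auth_types = {a.get("Type", "?") for a in endpoint.get("AuthenticationOptions", [])}
    if not auth_types & {"directory-service-authentication", "federated-authentication"}:
        findings.append((1, f"{eid}: no AD or SAML authentication ({sorted(auth_types)})"))

    # Rule 3: connection logging must be on, or nothing ever reaches the SIEM.
    if not endpoint.get("ConnectionLogOptions", {}).get("Enabled"):
        findings.append((3, f"{eid}: connection logging disabled"))

    # Rule 4: split tunnel, otherwise every client byte hairpins through the VPC.
    if not endpoint.get("SplitTunnel"):
        findings.append((4, f"{eid}: split tunnel disabled, all client traffic routed via VPC"))

    # Rule 5: authorization rules must name a group and stay inside the approved list.
    for rule in rules:
        if rule.get("ClientVpnEndpointId") != eid:
            continue
        dest = ipaddress.ip_network(rule["DestinationCidr"])
        approved = any(dest.version == a.version and dest.subnet_of(a) for a in APPROVED_DESTINATIONS)
        if not approved:
            findings.append((5, f"{eid}: rule grants {dest}, outside approved destinations"))
        if rule.get("AccessAll"):
            findings.append((5, f"{eid}: rule for {dest} grants all users instead of a group"))
    return findings


def audit_all(endpoints, rules):
    """Map endpoint ID -> findings for every endpoint (compliant endpoints map to [])."""
    return {e["ClientVpnEndpointId"]: audit_endpoint(e, rules) for e in endpoints}


def fetch_live():
    """Pull the same shapes from the current account (needs boto3 and ec2:Describe* rights)."""
    import boto3  # imported here so the offline sample has no AWS dependency
    ec2 = boto3.client("ec2")
    endpoints = ec2.describe_client_vpn_endpoints()["ClientVpnEndpoints"]
    rules = []
    for e in endpoints:
        resp = ec2.describe_client_vpn_authorization_rules(ClientVpnEndpointId=e["ClientVpnEndpointId"])
        rules.extend(resp["AuthorizationRules"])
    return endpoints, rules


if __name__ == "__main__":
    endpoints, rules = fetch_live() if "--live" in sys.argv else (SAMPLE_ENDPOINTS, SAMPLE_RULES)
    for eid, findings in audit_all(endpoints, rules).items():
        print(eid, "OK" if not findings else "")
        for rule_no, msg in findings:
            print(f"  rule {rule_no}: {msg}")
```

On the constructed sample the first endpoint fails rules 1, 3, 4 and 5 (twice: an unapproved 0.0.0.0/0 destination, and access granted to all users), and the second endpoint is clean. Against a real account, wrap the Describe calls in paginators and run the script in every region where Client VPN is permitted.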

CloudTrail events of significance

Client VPN is part of the EC2 namespace, so your eventSource will be "ec2.amazonaws.com". Filter on the ClientVpn* event names rather than on the event source alone; the ones that create or widen a path into the network are CreateClientVpnEndpoint, ModifyClientVpnEndpoint, AssociateClientVpnTargetNetwork, AuthorizeClientVpnIngress and CreateClientVpnRoute, with ExportClientVpnClientConfiguration (someone pulling a client config) and ImportClientVpnClientCertificateRevocationList also worth watching.
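A detection over CloudTrail records for these events, as an added example for this page rather than AWS code. Because Client VPN shares the EC2 event source, the filter keys on the ClientVpn* event names (the EC2 API action names) and raises the severity of the ones that widen access. The records are constructed, with fake account, endpoint IDs and addresses, and the requestParameters keys are assumed to mirror the API parameter names.

```python
"""Pull Client VPN control-plane changes out of CloudTrail records.

Added example for this page, not AWS code. The records below are constructed
(fake account ID, endpoint ID and IP addresses); requestParameters are assumed
to use the API parameter names (clientVpnEndpointId, targetNetworkCidr, ...).
"""
import json

# Every Client VPN control-plane action, all logged under eventSource ec2.amazonaws.com.
CLIENT_VPN_EVENTS = {
    "CreateClientVpnEndpoint", "DeleteClientVpnEndpoint", "ModifyClientVpnEndpoint",
    "AssociateClientVpnTargetNetwork", "DisassociateClientVpnTargetNetwork",
    "AuthorizeClientVpnIngress", "RevokeClientVpnIngress",
    "CreateClientVpnRoute", "DeleteClientVpnRoute",
    "ImportClientVpnClientCertificateRevocationList",
    "ExportClientVpnClientConfiguration",
    "TerminateClientVpnConnections",
}
# Actions that create or widen a path into the network rate a higher severity.
ACCESS_WIDENING = {
    "CreateClientVpnEndpoint", "ModifyClientVpnEndpoint", "AssociateClientVpnTargetNetwork",
    "AuthorizeClientVpnIngress", "CreateClientVpnRoute",
}

# Constructed CloudTrail excerpt: one EC2 noise event, two Client VPN events, one IAM event.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build"}, "sourceIPAddress": "203.0.113.10"},
 {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeClientVpnIngress",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"clientVpnEndpointId": "cvpn-endpoint-0aaaaaaaaaaaaaaaa",
                        "targetNetworkCidr": "0.0.0.0/0", "authorizeAllGroups": true}},
 {"eventTime": "2023-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ExportClientVpnClientConfiguration",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"clientVpnEndpointId": "cvpn-endpoint-0aaaaaaaaaaaaaaaa"}},
 {"eventTime": "2023-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"}, "sourceIPAddress": "203.0.113.10"}
]}""")


def client_vpn_events(records):
    """Return the Client VPN control-plane events, normalised for an alert pipeline."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in CLIENT_VPN_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        hit = {
            "time": rec.get("eventTime"),
            "event": name,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "sourceIP": rec.get("sourceIPAddress"),
            "endpoint": params.get("clientVpnEndpointId"),
            "severity": "high" if name in ACCESS_WIDENING else "medium",
        }
        # Everyone-to-everywhere ingress is exactly the lateral-movement case rule 5 forbids.
        if (name == "AuthorizeClientVpnIngress" and params.get("authorizeAllGroups")
                and params.get("targetNetworkCidr") == "0.0.0.0/0"):
            hit["severity"] = "critical"
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in client_vpn_events(SAMPLE_TRAIL["Records"]):
        print(json.dumps(hit))
```

On the sample the RunInstances and IAM records are dropped, the 0.0.0.0/0 authorization for all groups comes out as critical, and the configuration export as medium. The same matching translates directly into a CloudWatch Logs metric filter or a SIEM rule on the eventName field.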