AWS Client VPN
AWS Client VPN is a managed OpenVPN-based service from AWS. Anyone with the right IAM permissions can use it to create a network path into your VPC. That is usually the intent, but Client VPN can also become an end-run around the corporate VPN if your VPCs connect to on-premises networks via Direct Connect or Site-to-Site VPN: a VPN client into the VPC is then a VPN client into the data center. Because it can authenticate against an AWS Directory Service directory (AWS Managed Microsoft AD or AD Connector) or with mutual TLS certificates alone, it can be configured independently of your corporate identity system and provide back doors for third parties and departed employees.
From the AWS Service Description:
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client. You are billed per active association per Client VPN endpoint on an hourly basis. You are billed for each client VPN connection per hour. Billing is pro-rated for the hour. (source)
Service Name: AWS Client VPN
Service Family: Networking & Content Delivery
Supports Resource Policies: No - But this service does have its own authentication capabilities
Service Pricing: Not Free
Service Webpage: https://aws.amazon.com/vpn/
Obviously, a misconfigured VPN in your environment can be a security risk. You should make a determination whether this service should be permitted in your environment, and if so under what conditions and configurations.
By default, a Client VPN endpoint routes all client traffic over the tunnel: every packet from the user's machine enters your VPC and, if it is internet-bound, leaves AWS again through the VPC's NAT or internet gateway. At 9¢ per GB of egress this has financial impacts, and it also means the VPC's routing and security controls now carry all of the user's internet traffic. Split tunneling, which sends only traffic for the routes in the endpoint's route table over the tunnel, is available but must be enabled explicitly.
Effectively Leveraging Client VPN
MFA depends on the authentication type. With Active Directory authentication it is available only if MFA is configured on the directory in AWS Directory Service; with SAML federated authentication it is whatever your identity provider enforces; with mutual TLS certificate authentication there is no MFA at all.
Client VPN supports authorization rules, which grant a specific Active Directory or SAML group (or all users) access to a destination CIDR. Use them to limit access to specific subnets in the VPC and to peered VPCs and on-premises networks; clients cannot reach a CIDR that no rule covers, even if the endpoint has a route to it.
Connection events can be logged to CloudWatch Logs, but connection logging is optional and must be enabled on the endpoint. Once it is on, forward those logs to your SIEM and monitor them for failed attempts, unknown usernames, and unusual data volumes.
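The kind of monitoring described above, as an added example (not from the original page or from AWS): it parses Client VPN connection log entries in the JSON format the service writes to CloudWatch Logs and flags repeated failed attempts, successful connections by usernames that are no longer in the corporate directory, and sessions that moved a large amount of data. The log lines in `SAMPLE_LOG` are constructed, and `KNOWN_USERS`, the thresholds, and the treatment of `connection-reset` entries as end-of-session records are this example's assumptions.

```python
"""Detection logic over AWS Client VPN connection log entries.

Added example for this page, not AWS code. Field names follow the JSON
connection log format Client VPN writes to CloudWatch Logs; SAMPLE_LOG is
constructed, and KNOWN_USERS and the thresholds are this example's assumptions.
"""
import json
from collections import Counter

# Assumption: identities still present in the corporate directory.
KNOWN_USERS = {"alice", "bob"}
# Assumption: this many failed attempts by one user is worth a look.
FAILED_ATTEMPT_THRESHOLD = 3
# Assumption: one session moving more than this (both directions) is unusual.
LARGE_TRANSFER_BYTES = 5 * 1024 ** 3


def _user(ev):
    """Username for AD/SAML auth; fall back to the certificate common name."""
    user = ev.get("username")
    return user if user not in (None, "NA", "") else ev.get("common-name")


def analyze_connection_logs(lines):
    """Parse JSON log lines and return a list of (severity, message) findings."""
    findings = []
    failed = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(("low", f"unparseable log line: {raw[:60]}"))
            continue
        user = _user(ev)
        log_type = ev.get("connection-log-type")
        if log_type == "connection-attempt":
            status = ev.get("connection-attempt-status")
            if status == "failed":
                failed[user] += 1
                if failed[user] == FAILED_ATTEMPT_THRESHOLD:  # alert once per burst
                    findings.append(("medium", f"{user}: {failed[user]} failed connection attempts "
                                     f"(last reason: {ev.get('connection-attempt-failure-reason')})"))
            elif status == "successful" and user not in KNOWN_USERS:
                findings.append(("high", f"{user}: successful connection from {ev.get('device-ip')} "
                                 "but not in the corporate directory"))
        elif log_type == "connection-reset":  # assumption: end-of-session record with byte counters
            moved = int(ev.get("ingress-bytes", 0)) + int(ev.get("egress-bytes", 0))
            if moved > LARGE_TRANSFER_BYTES:
                findings.append(("medium", f"{user}: session {ev.get('connection-id')} moved {moved} bytes"))
    return findings


def _entry(overrides):
    """Build one constructed log line with the documented field names."""
    base = {"connection-log-type": "connection-attempt", "connection-attempt-status": "NA",
            "connection-reset-status": "NA", "connection-attempt-failure-reason": "NA",
            "client-vpn-endpoint-id": "cvpn-endpoint-0aaa111bbb222ccc3",
            "connection-id": "cvpn-connection-0123456789abcdef0",
            "device-ip": "198.51.100.10", "ingress-bytes": "0", "egress-bytes": "0",
            "username": "NA", "common-name": "NA"}
    base.update(overrides)
    return json.dumps(base)


# Constructed sample: a normal login, an unknown user, a failed burst,
# a heavy session, and a corrupted line.
SAMPLE_LOG = "\n".join([
    _entry({"connection-attempt-status": "successful", "username": "alice"}),
    _entry({"connection-attempt-status": "successful", "username": "mallory", "device-ip": "203.0.113.7"}),
    _entry({"connection-attempt-status": "failed", "username": "bob",
            "connection-attempt-failure-reason": "authentication-failed"}),
    _entry({"connection-attempt-status": "failed", "username": "bob",
            "connection-attempt-failure-reason": "authentication-failed"}),
    _entry({"connection-attempt-status": "failed", "username": "bob",
            "connection-attempt-failure-reason": "authentication-failed"}),
    _entry({"connection-log-type": "connection-reset", "username": "alice",
            "ingress-bytes": "4096", "egress-bytes": str(6 * 1024 ** 3)}),
    "not json at all",
])

if __name__ == "__main__":
    for severity, message in analyze_connection_logs(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {message}")
```

Feed it the exported CloudWatch Logs stream instead of `SAMPLE_LOG` and replace `KNOWN_USERS` with a lookup against the directory; the point is that a departed employee's certificate or cached credentials show up here as a successful connection by a name the directory no longer knows.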
Client VPN endpoints support security groups, but these apply to the endpoint's network interfaces in the associated subnets and govern what VPN clients can reach inside the VPC (other resources' security groups can reference them as a source). They do not restrict which public IPs can connect to the endpoint; for that you need a client connect handler Lambda function, which receives the connecting client's public IP and can allow or deny the connection.
Suggested Compliance Rules around Client VPN
- Authentication should use a trusted corporate identity store
- MFA should be required
- Connection Logs in CloudWatch logs should be sent to the central logging tool
- Split Tunneling should be enabled
- Network access should be limited to only the specific networks required. Don't let Client VPN become a way to move laterally through the network.
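An audit of existing endpoints against the rules above, as an added example (not from the original page or from AWS). It takes the responses of the EC2 DescribeClientVpnEndpoints and DescribeClientVpnAuthorizationRules APIs and reports which rules each endpoint fails; the MFA rule cannot be checked here because it lives in the directory or the SAML provider. The sample responses, the `TRUSTED_AUTH_TYPES` judgement that certificate-only auth is not a corporate identity store, and the "/8 or broader is the whole network" threshold are this example's assumptions.

```python
"""Audit AWS Client VPN endpoints against the compliance rules listed above.

Added example for this page, not AWS code. Response shapes follow the EC2
DescribeClientVpnEndpoints and DescribeClientVpnAuthorizationRules APIs;
SAMPLE_ENDPOINTS / SAMPLE_RULES are constructed, and the thresholds below
are this example's assumptions.
"""
import ipaddress

# Rule 1 (corporate identity store). Assumption: AD and SAML are tied to a user
# directory; mutual-TLS certificates are not and outlive departures.
TRUSTED_AUTH_TYPES = {"directory-service-authentication", "federated-authentication"}
# Rule 5 (least network access). Assumption: a /8 or shorter is "the whole network".
BROAD_PREFIX = 8


def audit_endpoint(endpoint, rules):
    """Return a list of findings for one endpoint; an empty list means compliant."""
    eid = endpoint["ClientVpnEndpointId"]
    findings = []

    auth_types = {opt["Type"] for opt in endpoint.get("AuthenticationOptions", [])}
    if not auth_types & TRUSTED_AUTH_TYPES:
        findings.append(f"{eid}: authentication {sorted(auth_types)} is not a corporate identity store")
    # Rule 2 (MFA) is not visible on the endpoint: it is enforced by the directory or the IdP.

    if not endpoint.get("ConnectionLogOptions", {}).get("Enabled", False):
        findings.append(f"{eid}: connection logging is disabled, nothing reaches CloudWatch Logs")

    if not endpoint.get("SplitTunnel", False):
        findings.append(f"{eid}: split tunnel is disabled, all client traffic hairpins through the VPC")

    for rule in rules:
        if rule.get("Status", {}).get("Code") != "active":
            continue  # rules being revoked or failed do not grant access
        cidr = ipaddress.ip_network(rule["DestinationCidr"], strict=False)
        if cidr.prefixlen <= BROAD_PREFIX:
            who = "all users" if rule.get("AccessAll") else f"group {rule.get('GroupId')}"
            findings.append(f"{eid}: authorization rule grants {who} access to {cidr}")
    return findings


def audit_account(describe_endpoints_response, rules_by_endpoint):
    """Run audit_endpoint over every endpoint in a DescribeClientVpnEndpoints response."""
    results = {}
    for ep in describe_endpoints_response.get("ClientVpnEndpoints", []):
        eid = ep["ClientVpnEndpointId"]
        results[eid] = audit_endpoint(ep, rules_by_endpoint.get(eid, []))
    return results


# Constructed sample: one compliant endpoint and one that fails four rules.
SAMPLE_ENDPOINTS = {"ClientVpnEndpoints": [
    {"ClientVpnEndpointId": "cvpn-endpoint-0aaa111bbb222ccc3",
     "AuthenticationOptions": [{"Type": "federated-authentication"}],
     "ConnectionLogOptions": {"Enabled": True, "CloudwatchLogGroup": "/aws/clientvpn"},
     "SplitTunnel": True},
    {"ClientVpnEndpointId": "cvpn-endpoint-0ddd444eee555fff6",
     "AuthenticationOptions": [{"Type": "certificate-authentication"}],
     "ConnectionLogOptions": {"Enabled": False},
     "SplitTunnel": False},
]}
SAMPLE_RULES = {
    "cvpn-endpoint-0aaa111bbb222ccc3": [
        {"DestinationCidr": "10.10.20.0/24", "GroupId": "S-1-5-21-1-2-3-1107",
         "AccessAll": False, "Status": {"Code": "active"}}],
    "cvpn-endpoint-0ddd444eee555fff6": [
        {"DestinationCidr": "0.0.0.0/0", "AccessAll": True, "Status": {"Code": "active"}},
        {"DestinationCidr": "10.0.0.0/8", "AccessAll": True, "Status": {"Code": "revoking"}}],
}


def main():
    """Audit the live account when boto3 and credentials exist, else the sample data."""
    try:
        import boto3
        ec2 = boto3.client("ec2")
        endpoints = ec2.describe_client_vpn_endpoints()
        rules = {ep["ClientVpnEndpointId"]: ec2.describe_client_vpn_authorization_rules(
                     ClientVpnEndpointId=ep["ClientVpnEndpointId"])["AuthorizationRules"]
                 for ep in endpoints["ClientVpnEndpoints"]}
    except Exception:  # no boto3 or no credentials: fall back to the constructed sample
        endpoints, rules = SAMPLE_ENDPOINTS, SAMPLE_RULES
    for eid, findings in audit_account(endpoints, rules).items():
        print(eid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run it per region; Client VPN endpoints are regional, and a forgotten endpoint in an unused region is exactly the back door the page warns about.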
CloudTrail events of significance
Client VPN is part of the EC2 namespace, so your eventSource will be "ec2.amazonaws.com" and the eventName values are the ClientVpn API actions, for example CreateClientVpnEndpoint, ModifyClientVpnEndpoint, AssociateClientVpnTargetNetwork, AuthorizeClientVpnIngress, CreateClientVpnRoute and DeleteClientVpnEndpoint.
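A triage filter for those CloudTrail events, as an added example (not from the original page or from AWS). It keeps only records from `ec2.amazonaws.com` whose eventName is a Client VPN action, assigns a severity, and summarises who made the changes, since a new endpoint, target-network association or authorization rule is a new path into the VPC. The records in `SAMPLE_TRAIL` are constructed, and the severities are this example's triage judgement rather than any AWS classification.

```python
"""Flag AWS Client VPN configuration changes in CloudTrail records.

Added example for this page, not AWS code. Records use the standard CloudTrail
fields (eventSource, eventName, eventTime, userIdentity, sourceIPAddress,
errorCode); SAMPLE_TRAIL is constructed and the severities are assumptions.
"""
import json
import sys

# Severity is this example's triage judgement, not an AWS classification.
WATCHLIST = {
    "CreateClientVpnEndpoint": "high",                 # new path into the VPC
    "DeleteClientVpnEndpoint": "medium",
    "ModifyClientVpnEndpoint": "high",                 # auth, logging or split-tunnel changes
    "AssociateClientVpnTargetNetwork": "high",         # endpoint now lands in a subnet
    "DisassociateClientVpnTargetNetwork": "medium",
    "ApplySecurityGroupsToClientVpnTargetNetwork": "medium",
    "AuthorizeClientVpnIngress": "high",               # widens what clients may reach
    "RevokeClientVpnIngress": "low",
    "CreateClientVpnRoute": "high",                    # e.g. a route toward on-prem
    "DeleteClientVpnRoute": "low",
    "ImportClientVpnClientCertificateRevocationList": "medium",
    "ExportClientVpnClientConfiguration": "medium",    # someone pulled a client config
    "TerminateClientVpnConnections": "low",
}


def triage_cloudtrail(records):
    """Return (findings, by_actor): one finding per Client VPN event, plus events per principal."""
    findings = []
    by_actor = {}
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        severity = WATCHLIST.get(name)
        if severity is None:
            # Catch-all for a ClientVpn mutation not on the list; Describe* calls are read-only.
            if "ClientVpn" in name and not name.startswith("Describe"):
                severity = "medium"
            else:
                continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        findings.append({
            "severity": severity, "eventName": name, "actor": actor,
            "time": rec.get("eventTime"), "sourceIP": rec.get("sourceIPAddress"),
            "errorCode": rec.get("errorCode"),  # denied attempts are still worth seeing
        })
        by_actor.setdefault(actor, []).append(name)
    return findings, by_actor


# Constructed sample: two changes by a contractor role, a read-only call, an
# unrelated S3 event, and a denied attempt by a developer.
SAMPLE_TRAIL = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateClientVpnEndpoint",
     "eventTime": "2024-05-01T02:10:00Z", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ContractorAdmin/jdoe"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeClientVpnIngress",
     "eventTime": "2024-05-01T02:11:30Z", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ContractorAdmin/jdoe"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeClientVpnEndpoints",
     "eventTime": "2024-05-01T09:00:00Z", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2024-05-01T09:01:00Z", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AssociateClientVpnTargetNetwork",
     "eventTime": "2024-05-01T11:42:00Z", "sourceIPAddress": "192.0.2.44",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/developer"}},
]

if __name__ == "__main__":
    # Usage: python triage.py trail.json   (a CloudTrail export: {"Records": [...]})
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            records = json.load(fh)["Records"]
    else:
        records = SAMPLE_TRAIL
    found, actors = triage_cloudtrail(records)
    for f in found:
        print(f"[{f['severity']}] {f['time']} {f['eventName']} by {f['actor']} "
              f"from {f['sourceIP']}" + (f" DENIED ({f['errorCode']})" if f["errorCode"] else ""))
    for actor, names in actors.items():
        print(f"{actor}: {len(names)} Client VPN event(s)")
```

The same match (eventSource plus an eventName on the list) translates directly into an EventBridge rule or a SIEM correlation search; the denied attempt is kept on purpose, because a principal probing Client VPN APIs it should not have is itself a signal.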