For this reason I want to completely automate the deployment of security devices in my AWS account. Over the next few blog posts we will be automating the use of a WatchGuard Firebox Cloud on AWS. I also want to only allow configuration from within the private network.
Here's a picture of what we are going to create.
The code can be found in this GitHub repository for automation of a WatchGuard Firebox Cloud on AWS.
The goal of this code is to completely configure our Firebox Cloud without leaving the private network by deploying only with code from source control.
Note that the Firebox Cloud by default opens up the required route to the subnet it lives in for management access. To reach the CLI from a Lambda function or an EC2 instance, that resource must therefore be placed in this same subnet. It is advisable to lock down the management ports and/or create separate network interfaces and subnets for other resources that should not have access to the management interface and port.
Notice that in our diagram above the public ENI is in an Internet-accessible subnet connected to the Internet Gateway. The private ENI is in a private subnet with no access outside of our VPC.
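The locking-down advice above is easy to check mechanically before a template is deployed. The following is an added example, not code from the original post or from the WatchGuard automation repository: an offline policy check that takes security-group ingress rules in the shape EC2 uses (`IpProtocol`, `FromPort`, `ToPort`, `CidrIp`) and reports any rule that opens the management port to a source outside the management subnet. The subnet CIDRs, the management port number and the rule set are all constructed placeholders; substitute the port(s) your Firebox Cloud actually exposes and the subnet from your own diagram.

```python
# Added example (not from the original post or the WatchGuard repo): an offline
# check that the Firebox management port is reachable only from the private
# management subnet. Rule dictionaries mirror EC2 security-group ingress
# entries. All values below are constructed for illustration.
import ipaddress

# Assumption: the private subnet that holds the Firebox management ENI and the
# Lambda/EC2 resources that are allowed to talk to the CLI.
MGMT_SUBNET = ipaddress.ip_network("10.0.2.0/24")
# Placeholder; substitute the management port your Firebox Cloud exposes.
MGMT_PORT = 4118

# Constructed sample rules: one acceptable, three exposures, one unrelated.
INGRESS_RULES = [
    # Acceptable: management port only from the management subnet.
    {"IpProtocol": "tcp", "FromPort": MGMT_PORT, "ToPort": MGMT_PORT, "CidrIp": "10.0.2.0/24"},
    # Exposure: same port open to the whole Internet.
    {"IpProtocol": "tcp", "FromPort": MGMT_PORT, "ToPort": MGMT_PORT, "CidrIp": "0.0.0.0/0"},
    # Exposure: a broad port range from the whole VPC that includes the port.
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "CidrIp": "10.0.0.0/16"},
    # Exposure: allow-all protocol from the neighbouring public subnet.
    {"IpProtocol": "-1", "CidrIp": "10.0.1.0/24"},
    # Not a management exposure: HTTPS from anywhere on a different port.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
]


def rule_covers_port(rule, port):
    """True if this ingress rule permits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and all ports; otherwise only TCP
    (named "tcp" or numbered "6") with a FromPort..ToPort range containing
    the port counts.
    """
    proto = str(rule.get("IpProtocol", "-1"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def management_exposures(rules, port=MGMT_PORT, allowed=MGMT_SUBNET):
    """Return the rules that open `port` to any source outside `allowed`.

    A rule passes only if its source CIDR lies wholly inside the management
    subnet. Anything wider (0.0.0.0/0, the whole VPC, a neighbouring subnet)
    or of a different IP version is reported.
    """
    findings = []
    for rule in rules:
        if not rule_covers_port(rule, port):
            continue
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        src = ipaddress.ip_network(cidr, strict=False)
        if src.version != allowed.version or not src.subnet_of(allowed):
            findings.append(rule)
    return findings


def describe(findings, port=MGMT_PORT):
    """Human-readable lines for each exposure, for a CI log or pre-deploy gate."""
    lines = []
    for rule in findings:
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        proto = rule.get("IpProtocol", "-1")
        lines.append(f"port {port} reachable from {cidr} via protocol {proto}")
    return lines


if __name__ == "__main__":
    for line in describe(management_exposures(INGRESS_RULES)):
        print("EXPOSED:", line)
```

Running this as a pre-deployment gate against the ingress rules rendered from your template (or against `describe_security_groups` output once the stack exists) catches the common mistakes before the Firebox is reachable from anywhere it should not be: a port range that silently includes the management port, an allow-all protocol entry, and a source CIDR that is the whole VPC rather than the single management subnet.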
Along the way I'll explain some security best practices including those already explained in previous blog posts on secure access from Lambda to an S3 bucket.
For step by step instructions to run the code check out my Secplicity blog post on How to Automate Deployment of a WatchGuard Firebox Cloud on AWS.
Follow me on Twitter @TeriRadichel and at Secplicity for updates!