aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Support for disabling port-forwarding across IP ranges #480

Open fractos opened 1 year ago

fractos commented 1 year ago

Something that has come up recently is a requirement for an SSM-connected Bastion instance to be policed as to what target addresses it should be allowed to port-forward to.

While investigating this I found the Mgs.DeniedPortForwardingRemoteIPs list in the configuration file, and saw how it was being used in the port plugin logic.

Although this gives you the ability to forbid IP addresses from port-forwarding, it only allows you to specify those as individual addresses. The use case I am working with currently is that it should be possible to disallow targets across a range of IP addresses described by a CIDR.

This looked to be easy to add and I have prepared a commit in a forked repository which I will attach here for feedback.
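As an added illustration of the requested behaviour (example code written for this page, not the agent's own implementation and not the linked commit), the Go sketch below accepts a deny list that mixes single addresses and CIDR ranges and checks a forwarding target against it. The `denyList` type and both function names are hypothetical; only the `Mgs.DeniedPortForwardingRemoteIPs` setting is taken from the issue.

```go
package main

import (
	"fmt"
	"net"
)

// denyList is a hypothetical CIDR-aware form of the agent's
// Mgs.DeniedPortForwardingRemoteIPs setting (example code, not the agent's own).
type denyList []*net.IPNet

// parseDenyList accepts single IPs ("169.254.169.254") and ranges ("10.0.0.0/8").
// A bare address is widened to /32 or /128 so one Contains check serves both forms;
// a malformed entry fails the whole list, so a typo cannot silently open a target.
func parseDenyList(entries []string) (denyList, error) {
	var nets denyList
	for _, e := range entries {
		if ip := net.ParseIP(e); ip != nil && ip.To4() != nil {
			e += "/32" // bare IPv4 address
		} else if ip != nil {
			e += "/128" // bare IPv6 address; anything else is left for ParseCIDR to reject
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("invalid deny entry %q: %w", e, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isDenied reports whether a target matches any entry. Contains normalises IPv4-mapped
// IPv6 ("::ffff:10.1.2.3" still hits 10.0.0.0/8); non-literal targets fail closed.
func (d denyList) isDenied(target string) bool {
	ip := net.ParseIP(target)
	if ip == nil {
		return true
	}
	for _, n := range d {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	d, _ := parseDenyList([]string{"169.254.169.254", "10.0.0.0/8"})
	fmt.Println(d.isDenied("10.20.30.40"), d.isDenied("192.0.2.10")) // true false
}
```

Whether hostnames should be resolved and then checked, or rejected outright as done here, is a policy choice the agent would have to make explicitly.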

yuting-fan commented 3 months ago

Hi @fractos, your feature request is noted down. Thank you for the pull request as well.