
AWS (EC2) Security Groups

Knocknoc can orchestrate Amazon AWS Security Groups, which provide network-level firewalling for EC2 instances and other VPC-attached resources. This gives authenticated users just-in-time network exposure (and access), tied to your IdP rather than to AWS IAM or AWS authentication.

This is achieved by connecting a Knocknoc orchestration agent to your Knocknoc server, creating a restricted AWS IAM user for it, and then configuring each security group.

AWS configuration

IAM policy, user and access key

The Knocknoc orchestration agent needs only a small set of AWS IAM permissions: adding and removing IP addresses on existing security groups, and reading their current rules. AWS now also requires ec2:CreateTags for this, which is included below.

The broad process is: create the user and its (restricted) policy, then obtain an AWS access key for that user.

  1. Log in to AWS
  2. Visit IAM -> Access Management -> Users and click "Create user"


  3. Provide a sensible name; this user may be re-used across assets. Do not grant access to the AWS Management Console, it is not required.
  4. Select "Attach policies directly". If you are doing this for the first time you need to create the policy (next steps); otherwise select the existing Knocknoc policy.


  5. If using the Visual editor:
    1. Choose the "EC2" service.
    2. Search for the actions listed below and add them. Searching for "securitygroup" narrows the list.
    3. DescribeSecurityGroups, AuthorizeSecurityGroupIngress, AuthorizeSecurityGroupEgress, RevokeSecurityGroupIngress, RevokeSecurityGroupEgress


    4. Add "CreateTags" as well, as AWS requires this too.


  6. If using the JSON editor, merge this statement into the "Statement" list of the policy document:

    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:RevokeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateTags",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:DescribeSecurityGroups"
        ],
        "Resource": "*"
    }

    Note that "Resource": "*" lets this user change the rules of every security group in the account. ec2:DescribeSecurityGroups has to stay on "*" (EC2 Describe actions do not support resource-level permissions), but the Authorize and Revoke actions can be limited, in a separate statement, to the ARNs of the security groups Knocknoc manages (arn:aws:ec2:REGION:ACCOUNT-ID:security-group/sg-...).
  7. Optionally, restrict the policy to the IP address(es) of the orchestration agent(s) that will use this access, with an aws:SourceIp request condition on the statement.
  8. Set a policy-name and click Create policy


  9. Return to the create-user page and select the policy. It is easy to find by setting the "Filter by type" drop-down to "Customer managed".


  10. Select the policy and click Next
  11. Click "Create user".

Access key

You now need to create an access key for this user. Do this alongside the Knoc configuration (below) so you can copy the values from AWS straight into Knocknoc, and store them in your secrets vault for later re-use, because the secret access key is shown only once, at creation.

  1. Visit IAM -> Users -> "your-newly-created-user"
  2. Click on "Security credentials"


  3. Scroll down to "Access keys" and click "Create access key"
  4. Select "Command Line Interface (CLI)", tick the "I understand" confirmation, and click "Next"
  5. Optionally add a description tag, then click "Create access key"
  6. Copy the "Access key" and "Secret access key" and save them for the Knoc configuration


  7. The AWS side is now complete.
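The same identity created with the AWS CLI instead of the console, as an added example that is not part of the Knocknoc documentation or product. It tightens the policy from the steps above in the two ways the console steps leave optional: the Authorize/Revoke actions are limited to the ARN of the security group Knocknoc manages, every statement carries an aws:SourceIp condition for the agent's address, and ec2:CreateTags is only allowed as part of an Authorize call. The account ID, region, security group ID, agent IP, policy name and user name are placeholders; ec2:DescribeSecurityGroups keeps "Resource": "*" because EC2 Describe actions have no resource-level permissions.

```shell
#!/bin/sh
# Added example: create the restricted IAM identity for the Knocknoc
# orchestration agent with the AWS CLI. Not Knocknoc's own code.
# Run it from an identity that is allowed to manage IAM.
# Every value below is a placeholder; override it via the environment.
KNOC_ACCOUNT_ID="${KNOC_ACCOUNT_ID:-123456789012}"
KNOC_REGION="${KNOC_REGION:-eu-west-1}"
KNOC_SG_ID="${KNOC_SG_ID:-sg-0123456789abcdef0}"       # the group Knocknoc may modify
KNOC_AGENT_IP="${KNOC_AGENT_IP:-198.51.100.10/32}"     # public IP the agent calls AWS from
KNOC_POLICY_NAME="${KNOC_POLICY_NAME:-knocknoc-sg-orchestration}"
KNOC_USER_NAME="${KNOC_USER_NAME:-knocknoc-agent}"

# The six actions from the page, tightened: Describe stays on "*" (no
# resource-level permissions exist for EC2 Describe actions), Authorize/Revoke
# are limited to the managed group's ARN, CreateTags is only allowed while an
# Authorize call creates the rule (ec2:CreateAction), and every statement
# requires the request to come from the agent's address.
knoc_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecurityGroups",
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*",
      "Condition": { "IpAddress": { "aws:SourceIp": [ "$KNOC_AGENT_IP" ] } }
    },
    {
      "Sid": "ModifyManagedSecurityGroup",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "arn:aws:ec2:$KNOC_REGION:$KNOC_ACCOUNT_ID:security-group/$KNOC_SG_ID",
      "Condition": { "IpAddress": { "aws:SourceIp": [ "$KNOC_AGENT_IP" ] } }
    },
    {
      "Sid": "TagRulesOnlyWhenCreatingThem",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": [ "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress" ] },
        "IpAddress": { "aws:SourceIp": [ "$KNOC_AGENT_IP" ] }
      }
    }
  ]
}
EOF
}

# Policy, user, attachment, key: the console steps 1-11 and the access-key steps.
create_agent_identity() {
  policy_arn="$(aws iam create-policy --policy-name "$KNOC_POLICY_NAME" \
      --policy-document "$(knoc_policy_json)" --query Policy.Arn --output text)"
  aws iam create-user --user-name "$KNOC_USER_NAME" >/dev/null
  aws iam attach-user-policy --user-name "$KNOC_USER_NAME" --policy-arn "$policy_arn"
  # Printed exactly once: put both values in your vault, not in a file or shell history.
  aws iam create-access-key --user-name "$KNOC_USER_NAME" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

case "${1:-}" in
  show-policy) knoc_policy_json ;;
  create)      create_agent_identity ;;
  "")          ;;   # no arguments: only define the functions (e.g. when sourced)
  *)           echo "usage: $0 show-policy | create" >&2; exit 2 ;;
esac
```

`show-policy` prints the document so it can be reviewed or pasted into the JSON editor; `create` performs the four IAM calls and prints the key pair. One caveat on the aws:SourceIp condition: it matches the public address the request arrives from, so if the agent runs inside AWS and reaches the EC2 API through a VPC endpoint the request carries no public source IP and the condition will deny it; use aws:VpcSourceIp for that case.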

Agent capability + AWS CLI

The orchestration agent that grants access via Knocknoc requires the AWS CLI. Amazon provides it, and most distributions package it as "awscli", e.g. Red Hat/Debian and their derivatives.

Debian/Ubuntu: sudo apt-get install awscli

Red Hat and derivatives: sudo yum install awscli

$ sudo apt-cache search awscli
awscli - Unified command line interface to Amazon Web Services

$ sudo apt-get install awscli
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  awscli
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 0 B/8624 kB of archives.
After this operation, 96.5 MB of additional disk space will be used.
Selecting previously unselected package awscli.
(Reading database ... 69176 files and directories currently installed.)
Preparing to unpack .../awscli_2.9.19-1_all.deb ...
Unpacking awscli (2.9.19-1) ...
Setting up awscli (2.9.19-1) ...
Processing triggers for man-db (2.11.2-2) ...
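What the agent does with those permissions and that CLI, as an added example that is not Knocknoc's own agent code: open tcp/PORT for one user's IP as a /32, tag the rule so it can be identified later, and revoke it again. It assumes the restricted user's key is in the environment (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION) and that the group ID, port, IP and user name are given on the command line. The ipv4_to_cidr32 check is there because the address comes from outside and is about to be written into a firewall rule: it must be exactly one IPv4 host address, never a wider CIDR or anything the shorthand parser could misread.

```shell
#!/bin/sh
# Added example: just-in-time security-group rule handling with the AWS CLI,
# as the restricted IAM user described above. Not Knocknoc's agent code.
# Assumes credentials in the environment (AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION) and the awscli package installed.

# Turn a string from an untrusted source (the user's observed address) into a
# single-host CIDR. Accept only four dotted-decimal octets <= 255; reject
# everything else (IPv6, hostnames, an embedded "/24", stray characters).
ipv4_to_cidr32() {
  ip="$1"
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# sg_grant SG_ID PORT IP USER: open tcp/PORT for IP/32 and tag the rule with the
# user it was opened for, so a later sweep can find and remove stale grants.
# Needs ec2:AuthorizeSecurityGroupIngress and ec2:CreateTags (tag-on-create).
sg_grant() {
  cidr="$(ipv4_to_cidr32 "$3")" || { echo "refusing to grant: '$3' is not an IPv4 host address" >&2; return 1; }
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --ip-permissions "IpProtocol=tcp,FromPort=$2,ToPort=$2,IpRanges=[{CidrIp=$cidr,Description=knocknoc:$4}]" \
    --tag-specifications "ResourceType=security-group-rule,Tags=[{Key=ManagedBy,Value=knocknoc},{Key=User,Value=$4}]"
}

# sg_revoke SG_ID PORT IP: close the matching rule. Needs ec2:RevokeSecurityGroupIngress.
sg_revoke() {
  cidr="$(ipv4_to_cidr32 "$3")" || { echo "refusing to revoke: '$3' is not an IPv4 host address" >&2; return 1; }
  aws ec2 revoke-security-group-ingress --group-id "$1" --protocol tcp --port "$2" --cidr "$cidr"
}

# sg_list SG_ID: show the current ingress rules. Needs ec2:DescribeSecurityGroups.
sg_list() {
  aws ec2 describe-security-groups --group-ids "$1" \
    --query 'SecurityGroups[0].IpPermissions[].{from:FromPort,to:ToPort,cidrs:IpRanges[].CidrIp}' \
    --output json
}

case "${1:-}" in
  grant)  sg_grant  "$2" "$3" "$4" "$5" ;;
  revoke) sg_revoke "$2" "$3" "$4" ;;
  list)   sg_list   "$2" ;;
  "")     ;;   # no arguments: only define the functions (e.g. when sourced)
  *)      echo "usage: $0 grant SG_ID PORT IP USER | revoke SG_ID PORT IP | list SG_ID" >&2; exit 2 ;;
esac
```

A typical check of the new user is `./sg.sh grant sg-0123456789abcdef0 22 203.0.113.7 alice`, `./sg.sh list sg-0123456789abcdef0`, then `./sg.sh revoke sg-0123456789abcdef0 22 203.0.113.7`. Granting a rule that already exists fails with InvalidPermission.Duplicate and revoking one that does not exist fails with InvalidPermission.NotFound, so a caller that wants idempotent behaviour lists first. It is also worth confirming the user can do nothing else: `aws ec2 describe-instances` with the same credentials should be denied.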

Knoc configuration

Obtain the region code (for example us-east-1) of the account that owns the security groups from: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html#Concepts.RegionsAndAvailabilityZones.Regions