Prerequisites¶
- All steps in "Prepare Lambda Environment".
- SSH (or remote) access to projectx-websvr-public.
Network topology¶
Overview¶
This guide prepares PostgreSQL on projectx-websvr-public so private-db-threat-intelligence-feed-pull can write into the database.
Step 1: Security group inbound rule (AWS)¶
The web server's security group projectx-prod-websvr-SG must allow inbound PostgreSQL from the Lambda security group.
- Open the EC2 console ➔ Security Groups.
- Select the security group attached to projectx-websvr-public-SG.
- Edit inbound rules ➔ Add rule:
  - Type: PostgreSQL (or Custom TCP)
  - Port range: 5432
  - Source type: Security group
  - Source: projectx-lambda-feed-SG
  - Description: Lambda threat intel ingest (private-db-threat-intelligence-feed-pull)
- Save rule.
Step 2: listen_addresses (postgresql.conf)¶
PostgreSQL must listen on an address reachable from the Lambda subnets, typically the instance's private IP address.
postgresql.conf is the general server configuration file for PostgreSQL; in this case we need it to make the database listen on all addresses.
If listen_addresses stays at the default localhost, connections to 10.0.x.x:5432 from Lambda will never reach PostgreSQL even if the security group is correct.
- On the web server, find the active config file, /var/lib/postgresql/17/main/postgresql.conf.
- Edit postgresql.conf (with sudo and your editor of choice) and set listen_addresses so PostgreSQL listens on all addresses, or, more narrowly, list the private IP of the instance (for this environment, use listen_addresses of all).
Note: keep it listening on all addresses.
- Restart PostgreSQL so listen_addresses takes effect.
Step 3: pg_hba.conf entries¶
pg_hba.conf is another configuration file; it controls which client addresses may connect, to which database, as which user, and with which authentication method. Lambda connects over TCP from an address in your VPC.
The order of the entries in pg_hba.conf matters: PostgreSQL uses the first matching line, so a broad or reject rule placed earlier would shadow yours.
So many configuration files...
- Show the file path of pg_hba.conf.
- Edit pg_hba.conf. Add lines above any overly broad or final reject rules, tailored to your network and role:
Example: TLS + SCRAM (recommended for EC2_SSLMODE=require):
# Threat intel Lambda (VPC private subnets); adjust CIDR to your lab
hostssl projectxdb webapp_rw 10.0.0.0/16 scram-sha-256
Replace 10.0.0.0/16 with your VPC CIDR, or with a narrower subnet CIDR that covers the Lambda ENI addresses if you prefer least privilege.
Step 4: Reload or restart PostgreSQL¶
After the postgresql.conf and pg_hba.conf changes, let's issue a restart.
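The edits in Steps 2 through 4 can be scripted and checked before PostgreSQL is restarted. The following is an added example, not code from the original guide or from the exercise-files project: it sets listen_addresses, inserts the hostssl rule from Step 3 above any reject or 0.0.0.0/0 rule so that it is matched first, verifies that ordering, and only then restarts the service. The file paths and the 10.0.0.0/16 CIDR are the ones the guide uses; the function names, the `apply` argument and the systemctl unit name `postgresql` are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): apply the Step 2-4 edits to
# postgresql.conf and pg_hba.conf and check the result before restarting.
# Assumptions: PostgreSQL 17 paths from the guide, 10.0.0.0/16 as on the page.
set -eu

PG_CONF="${PG_CONF:-/var/lib/postgresql/17/main/postgresql.conf}"
PG_HBA="${PG_HBA:-/var/lib/postgresql/17/main/pg_hba.conf}"
HBA_LINE="hostssl projectxdb webapp_rw 10.0.0.0/16 scram-sha-256"

# Set listen_addresses in a postgresql.conf, replacing any existing assignment
# (commented out or not). Idempotent; keeps the file's owner and mode.
set_listen_addresses() {
  local conf="$1" value="${2:-*}" tmp
  tmp=$(mktemp)
  if grep -Eq "^[[:space:]]*#?[[:space:]]*listen_addresses[[:space:]]*=" "$conf"; then
    sed -E "s|^[[:space:]]*#?[[:space:]]*listen_addresses[[:space:]]*=.*|listen_addresses = '${value}'|" "$conf" > "$tmp"
  else
    { cat "$conf"; printf "listen_addresses = '%s'\n" "$value"; } > "$tmp"
  fi
  cat "$tmp" > "$conf"
  rm -f "$tmp"
}

# Print the effective listen_addresses value (last uncommented assignment wins).
get_listen_addresses() {
  grep -E "^[[:space:]]*listen_addresses[[:space:]]*=" "$1" | tail -n1 \
    | sed -E "s/^[^=]*=[[:space:]]*'?([^'[:space:]#]*)'?.*/\1/"
}

# Insert a pg_hba rule before the first reject or 0.0.0.0/0 (or ::/0) rule,
# so it is matched first; append if no such rule exists. Idempotent.
add_hba_rule() {
  local hba="$1" rule="$2" tmp
  grep -Fxq "$rule" "$hba" && return 0
  tmp=$(mktemp)
  awk -v rule="$rule" '
    !done && /^[[:space:]]*(host|hostssl|hostnossl|local)[[:space:]]/ \
      && ($NF == "reject" || $4 == "0.0.0.0/0" || $4 == "::/0") { print rule; done = 1 }
    { print }
    END { if (!done) print rule }
  ' "$hba" > "$tmp"
  cat "$tmp" > "$hba"
  rm -f "$tmp"
}

# Succeed only if the rule is present and precedes every reject rule.
check_hba_order() {
  local hba="$1" rule="$2" rule_no reject_no
  rule_no=$(grep -nFx "$rule" "$hba" | head -n1 | cut -d: -f1)
  [ -n "$rule_no" ] || return 1
  reject_no=$(awk '/^[[:space:]]*(host|hostssl|hostnossl|local)[[:space:]]/ && $NF == "reject" { print NR; exit }' "$hba")
  [ -z "$reject_no" ] || [ "$rule_no" -lt "$reject_no" ]
}

# Apply both edits to the live files and restart (listen_addresses needs a
# restart; a pg_hba.conf-only change would need just a reload).
apply_and_restart() {
  set_listen_addresses "$PG_CONF" '*'
  add_hba_rule "$PG_HBA" "$HBA_LINE"
  check_hba_order "$PG_HBA" "$HBA_LINE" || { echo "hostssl rule is shadowed by an earlier reject rule" >&2; return 1; }
  sudo systemctl restart postgresql
}

if [ "${1:-}" = "apply" ]; then apply_and_restart; fi
```

Run it as `sudo bash pg-setup.sh apply` on the web server; without the `apply` argument it only defines the functions, which is how the ordering check can be reused on its own against a copy of pg_hba.conf.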
Step 5: Clone the threat-intel-app folder¶
The threat-intel-app web server application code on your machine is now going to be replaced: we will update the threat-intel-app folder, which contains the web interface changes.
- Remove any previous threat-intel-app folder.
- Clone the official app from GitHub (Cloud Attacks 101):
git clone https://github.com/projectsecio/exercise-files.git
cp -r exercise-files/cloud-attacks-101/threat-intel-app /home/ubuntu/threat-intel-app
- (Optional) Remove the cloned exercise-files directory to keep your home directory clean.
You now have the latest threat-intel-app under /home/ubuntu/threat-intel-app, ready for use and configuration.
Step 6: Add .env file to threat-intel-app¶
We must create a .env file to store our secrets.
Under /home/ubuntu/threat-intel-app, create a new .env file:
sudo nano .env
Add the following statements:
DB_HOST='Private IP Address'
DB_PORT=5432
DB_NAME=projectxdb
DB_USER='webapp_rw'
DB_PASSWORD='PASSWORD'
DB_SSLMODE=require
Note: DB_HOST is the private IP address of projectx-websvr-public and DB_PASSWORD is the webapp_rw password, which you should have written down.
Step 7: Verification¶
From an SSH session on the web server, let's issue a few verification commands.
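The verification commands themselves are not reproduced on this page. The following is an added example, not from the original guide, of the checks a practitioner would run at this point: that .env is not readable by other users (the guide creates it with sudo, so expect it to be root-owned and to need a chown and chmod 600 for the account that runs the app), that the placeholder values from the .env step have been replaced, that PostgreSQL is bound to more than loopback, and that a TLS connection as webapp_rw succeeds. The .env keys are the ones from the step above; the function names, the `run` argument and the ss output format are assumptions, and the .env values shown in the comments are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): post-setup verification for the
# web server. Assumes the guide's .env keys (DB_HOST, DB_PORT, DB_NAME, DB_USER,
# DB_PASSWORD, DB_SSLMODE) and Ubuntu tooling (ss, psql).
set -eu

ENV_FILE="${ENV_FILE:-/home/ubuntu/threat-intel-app/.env}"

# Fail if the .env still carries the guide's placeholder values.
check_env_placeholders() {
  ! grep -Eq "^DB_HOST='Private IP Address'$|^DB_PASSWORD='PASSWORD'$" "$1"
}

# Fail if group or other can read the secrets file (expect mode 600).
check_env_perms() {
  local mode
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Read `ss -ltn` output on stdin and print the addresses bound on the given
# port (default 5432). A constructed line looks like:
#   LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
postgres_bind_addresses() {
  awk -v port="${1:-5432}" '$1 == "LISTEN" && $4 ~ (":" port "$") { sub(":" port "$", "", $4); print $4 }'
}

# True when PostgreSQL listens on something other than loopback only, which is
# what Step 2 (listen_addresses) is meant to achieve.
is_listening_externally() {
  postgres_bind_addresses "${1:-5432}" | grep -Evq '^(127\.0\.0\.1|\[::1\])$'
}

# Load .env and make the same TLS connection the app (and Lambda) will make;
# the query reports the user, the server address and whether TLS is in use.
check_db_connection() {
  set -a; . "$1"; set +a
  PGPASSWORD="$DB_PASSWORD" psql \
    "host=$DB_HOST port=$DB_PORT dbname=$DB_NAME user=$DB_USER sslmode=$DB_SSLMODE" \
    -tAc "select current_user, inet_server_addr(), ssl from pg_stat_ssl where pid = pg_backend_pid()"
}

run_all() {
  check_env_perms "$ENV_FILE"        || { echo "FAIL: $ENV_FILE is readable by group/other" >&2; return 1; }
  check_env_placeholders "$ENV_FILE" || { echo "FAIL: placeholder values left in $ENV_FILE" >&2; return 1; }
  ss -ltn | is_listening_externally  || { echo "FAIL: PostgreSQL only listens on loopback" >&2; return 1; }
  check_db_connection "$ENV_FILE"    && echo "OK: TLS connection as webapp_rw succeeded"
}

if [ "${1:-}" = "run" ]; then run_all; fi
```

Run `bash verify.sh run` from the SSH session; the connection test uses sslmode=require from .env, so it also fails if the hostssl rule in pg_hba.conf is not the one being matched.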
Next Steps¶
We are now ready to move into our Lambda functions!