Genesys Cloud - Main

  • 1.  Why do we need to allow so many Amazon/AWS IP addresses?

    Posted 01-30-2023 08:30
    Source: Why do we need to allow so many Amazon/AWS IP addresses? - Genesys Cloud Resource Center (mypurecloud.com)

    Is there a way to secure the large IP range needed? We're opening up our firewall to all AWS regions.
    If a malicious service is spun up on that AWS region, there is no way to monitor or restrict access.

    We have had a look at CIDR and Force TURN servers, but WebRTC still needs to perform signaling on port 443. Does signaling get limited to the CIDR ranges, or does it need the full AWS region addresses?

    Are there not generic CNAMEs we can use for services?

    Another firewall concern is access to *.s3.amazon.com needed for call recordings.

    Any help on how we can limit and secure this traffic would be very helpful.
    #Security

    ------------------------------
    Louis Creely
    AJ Bell Youinvest
    ------------------------------


  • 2.  RE: Why do we need to allow so many Amazon/AWS IP addresses?

    Posted 02-20-2023 12:21

    That is kind of a misnomer. You don't need to open the world to your internal services. Most of everything in Genesys Cloud uses port 443 to communicate to the cloud, and that is normally open to every site anyway. As for the media ports, that is a defined group of IPs called the CIDR block, and that needs to be allowed for the WebRTC and other communication between users and the cloud. These are found here: CIDR IP address range expansion for cloud media services - Genesys Cloud Resource Center (mypurecloud.com). Most of the other services like data actions and SIP addresses are defined in the resource center.



    ------------------------------
    Robert Wakefield-Carl
    TTEC Digital, LLC fka Avtex Solutions, LLC
    Contact Center Innovation Architect
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------
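
To put numbers on the trade-off discussed in this thread, the following added example (not part of either post and not Genesys or AWS code) compares how many addresses a region-wide allow rule exposes against a narrow media CIDR rule, and flags which observed egress destinations would only pass because of the region-wide rule. It assumes constructed test prefixes laid out like AWS's published ip-ranges.json and a placeholder media CIDR; all function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The prefixes are reserved test/documentation ranges, not real AWS ranges.
AWS_RANGES = {"prefixes": [
    {"ip_prefix": "198.18.0.0/15", "region": "eu-west-2", "service": "EC2"},
    {"ip_prefix": "198.18.64.0/18", "region": "eu-west-2", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-2", "service": "S3"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
]}

# Placeholder for the vendor's published media CIDR block (assumed value).
MEDIA_CIDRS = ["198.51.100.0/24"]


def collapse(cidrs):
    """Parse CIDR strings and merge overlapping or adjacent networks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def region_networks(ranges, region):
    """All prefixes a region-wide allow rule would cover, de-duplicated."""
    return collapse(p["ip_prefix"] for p in ranges["prefixes"] if p["region"] == region)


def address_count(networks):
    """Number of distinct addresses an allow rule exposes."""
    return sum(n.num_addresses for n in networks)


def classify(dst, media_nets, region_nets):
    """Say which rule, if any, an observed egress destination depends on."""
    ip = ipaddress.ip_address(dst)
    if any(ip in n for n in media_nets):
        return "media-cidr"
    if any(ip in n for n in region_nets):
        return "region-rule-only"
    return "not-allowed"


if __name__ == "__main__":
    region = region_networks(AWS_RANGES, "eu-west-2")
    media = collapse(MEDIA_CIDRS)
    print("region rule exposes", address_count(region), "addresses")
    print("media CIDR exposes", address_count(media), "addresses")
    # Constructed destinations standing in for firewall egress log entries.
    for dst in ["198.51.100.20", "198.18.70.5", "203.0.113.9", "192.0.2.77"]:
        print(dst, classify(dst, media, region))
```

Destinations reported as `region-rule-only` are the ones to review before replacing a region-wide rule with the narrower block.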


