[Security] Restrict internet-access security group to API requirements only #419
base: main
🚀 env0 had composed a PR Plan for environment Overmind / Terraform Example / production:
Plan Details
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
! update in-place
Terraform will perform the following actions:
# module.api_access[0].aws_sns_topic_subscription.oncall_email will be created
+ resource "aws_sns_topic_subscription" "oncall_email" {
+ arn = (known after apply)
+ confirmation_timeout_in_minutes = 1
+ confirmation_was_authenticated = (known after apply)
+ endpoint = "[email protected]"
+ endpoint_auto_confirms = false
+ filter_policy_scope = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ pending_confirmation = (known after apply)
+ protocol = "email"
+ raw_message_delivery = false
+ topic_arn = "arn:aws:sns:eu-west-2:540044833068:production-api-alerts"
}
# module.heritage[0].aws_rds_cluster.face_database will be updated in-place
! resource "aws_rds_cluster" "face_database" {
id = "facial-recognition-terraform-example"
tags = {}
# (46 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# module.shared_security_group.aws_security_group.internet_access[0] will be updated in-place
! resource "aws_security_group" "internet_access" {
! egress = [
- {
- cidr_blocks = [
- "0.0.0.0/0",
]
- description = "Allow all outbound traffic"
- from_port = 0
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "-1"
- security_groups = []
- self = false
- to_port = 0
},
+ {
+ cidr_blocks = [
+ "0.0.0.0/0",
]
+ description = "API outbound traffic only"
+ from_port = 8080
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8080
},
]
id = "sg-0437857de45b640ce"
name = "internet-access"
tags = {
"Environment" = "production"
"ManagedBy" = "terraform"
"Name" = "internet-access"
"Project" = "platform-services"
"Purpose" = "General outbound access"
"Team" = "platform"
}
# (7 unchanged attributes hidden)
}
Plan: 1 to add, 2 to change, 0 to destroy.
🔴 Change Signals
Routine 🔴
🔥 Risks
Restricting sg-0437857de45b640ce egress to TCP/8080 will block DNS/HTTPS/IMDS and break outbound connectivity for attached EC2 instances. As a result, name resolution, credential retrieval via IMDS, package updates, external API calls, and any database or service connections on non‑8080 ports will fail, leading to application errors and operational degradation on these hosts.
🟣 Expected Changes
~ ec2-security-group › sg-0437857de45b640ce
--- current
+++ proposed
@@ -7,9 +7,9 @@
- cidr_blocks:
- 0.0.0.0/0
- description: Allow all outbound traffic
- from_port: 0
- protocol: "-1"
+ description: API outbound traffic only
+ from_port: 8080
+ protocol: tcp
self: false
- to_port: 0
+ to_port: 8080
id: sg-0437857de45b640ce
ingress:
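Review bot: the proposed rule still uses 0.0.0.0/0 as its destination (the removed `- cidr_blocks: 0.0.0.0/0` lines get no replacement in this hunk, and the Terraform plan above leaves cidr_blocks unchanged), so the change narrows ports but not destinations. Since the PR context names a single external analytics service as the only consumer of port 8080, consider limiting cidr_blocks to that service's address range or a managed prefix list, and confirm before merge that the attached instances have another path for DNS and HTTPS: the current `from_port: 0` / `protocol: "-1"` rule covers those, and `from_port: 8080` / `protocol: tcp` will not.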
🟠 Unmapped Changes
+ aws_sns_topic_subscription › module.api_access[0].aws_sns_topic_subscription.oncall_email
--- current
+++ proposed
@@ -0,0 +1,22 @@
+type: aws_sns_topic_subscription
+id: github.com/overmindtech/terraform-example.aws_sns_topic_subscription.module.api_access[0].aws_sns_topic_subscription.oncall_email
+attributes:
+ arn: (known after apply)
+ confirmation_timeout_in_minutes: 1
+ confirmation_was_authenticated: (known after apply)
+ delivery_policy: null
+ endpoint: [email protected]
+ endpoint_auto_confirms: false
+ filter_policy: null
+ filter_policy_scope: (known after apply)
+ id: (known after apply)
+ owner_id: (known after apply)
+ pending_confirmation: (known after apply)
+ protocol: email
+ raw_message_delivery: false
+ redrive_policy: null
+ replay_policy: null
+ subscription_role_arn: null
+ terraform_address: module.api_access[0].aws_sns_topic_subscription.oncall_email
+ terraform_name: module.api_access[0].aws_sns_topic_subscription.oncall_email
+ topic_arn: arn:aws:sns:eu-west-2:540044833068:production-api-alerts
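Review bot: this email subscription is created with `endpoint_auto_confirms: false` and `pending_confirmation: (known after apply)`, so the on-call alert path is not live until the recipient confirms the SNS email out of band; the PR description does not mention this resource or that confirmation step, and the title scopes the change to the security group egress restriction, so either document who owns the mailbox and confirms the subscription, or split the alerting change into its own PR.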
⛔ Auto-Blocked
🔴 Decision
Found 1 high risk requiring review
📊 Signals Summary
Routine 🔴 -4
🔥 Risks Summary
High 1 · Medium 0 · Low 0
💥 Blast Radius
Items 195 · Edges 527


Summary
Restricts the internet-access security group egress rules to only the ports required by the API server, addressing findings from the Q4 security audit.
Context
Security audit (REF: SEC-2024-Q4-047) identified that the internet-access security group has overly permissive egress rules allowing all outbound traffic. After reviewing the API server's actual network requirements, we only need port 8080 for outbound HTTP traffic to our external analytics service.
Changes
Testing
Terraform Plan
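A pre-apply check for the kind of regression the risk signal above flags, added here as an example and not code from the project: it reads a `terraform show -json` plan excerpt, constructed to mirror this PR's egress change, and reports which flows the proposed rules would drop. The plan excerpt and the REQUIRED_FLOWS list are constructed for illustration; the real required-flow list would come from the instances' observed traffic.

```python
import json

# Constructed excerpt of `terraform show -json` output mirroring the plan in this PR
# (only the fields the check needs; not the project's real plan file).
PLAN_JSON = json.dumps({
    "resource_changes": [{
        "address": "module.shared_security_group.aws_security_group.internet_access[0]",
        "type": "aws_security_group",
        "change": {
            "actions": ["update"],
            "before": {"egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                   "cidr_blocks": ["0.0.0.0/0"]}]},
            "after": {"egress": [{"from_port": 8080, "to_port": 8080, "protocol": "tcp",
                                  "cidr_blocks": ["0.0.0.0/0"]}]},
        },
    }]
})

# Flows the attached instances are assumed to need (hypothetical list for this example).
REQUIRED_FLOWS = [
    ("dns", "udp", 53),
    ("https", "tcp", 443),
    ("analytics-api", "tcp", 8080),
]


def rule_allows(rule, proto, port):
    """True if one egress rule permits the given protocol/port (destination not inspected)."""
    if rule["protocol"] == "-1":          # -1 means all protocols and all ports
        return True
    if rule["protocol"] != proto:
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def blocked_flows(plan_json, required=REQUIRED_FLOWS):
    """Map each updated security group to the required flows its proposed egress drops."""
    plan = json.loads(plan_json)
    report = {}
    for rc in plan["resource_changes"]:
        if rc["type"] != "aws_security_group" or "update" not in rc["change"]["actions"]:
            continue
        egress = rc["change"]["after"].get("egress") or []
        dropped = [name for name, proto, port in required
                   if not any(rule_allows(r, proto, port) for r in egress)]
        report[rc["address"]] = dropped
    return report


if __name__ == "__main__":
    for sg, dropped in blocked_flows(PLAN_JSON).items():
        print(sg, "would drop:", dropped or "nothing")
```

Run against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to blocked_flows; a non-empty list for any security group is the cue to add the missing rule or narrow the required-flow list before applying.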