Limit egress traffic to specific ranges and ports #255

Open
jamesbursa opened this issue Apr 18, 2023 · 0 comments
Labels
domain: security Security or compliance issue

Comments

@jamesbursa (Contributor)

Currently the application security group allows egress traffic to all destinations and ports.

```hcl
egress {
  description = "Allow all outgoing traffic from application"
  protocol    = "-1"
  from_port   = 0
  to_port     = 0
  cidr_blocks = ["0.0.0.0/0"]
}
```

We should be able to limit this to slightly reduce the possibility of security exploits (e.g. data exfiltration).

  1. Allow the database port (5432 if PostgreSQL) to the database security group
  2. Allow HTTPS (443) to all IPs (unfortunately difficult to limit this due to CDNs for services like ECR, New Relic, etc.)

For an example see https://github.com/navapbc/archive-massgov-pfml/blob/68377051147d230ed62303bcee8d059fa02aca3e/infra/api/template/security_groups.tf#L36-L79
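The two rules above expressed as Terraform, written here as an added example (it is not this project's code and is not taken from the linked repository). The resource names `aws_security_group.app`, `aws_security_group.database` and the variable `var.vpc_id` are assumptions. Separate `aws_security_group_rule` resources are used instead of inline `egress` blocks because the application and database groups reference each other, and inline rules in both would create a dependency cycle.

```hcl
# Added example, not the project's configuration. Names are assumed.
# Replaces the "protocol = -1 / 0.0.0.0/0" egress with two explicit rules.

resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = var.vpc_id # assumed variable
  # No inline egress: Terraform removes the AWS default allow-all egress rule,
  # so only the rules declared below apply.
}

resource "aws_security_group" "database" {
  name   = "database"
  vpc_id = var.vpc_id
}

# 1. Database port, only to the database security group.
#    For type = "egress", source_security_group_id is the destination group.
resource "aws_security_group_rule" "app_egress_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  description              = "PostgreSQL to the database security group only"
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.database.id
}

# 2. HTTPS to any destination (CDN-fronted services such as ECR, New Relic).
resource "aws_security_group_rule" "app_egress_https" {
  type              = "egress"
  security_group_id = aws_security_group.app.id
  description       = "HTTPS outbound to CDN-fronted services"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}

# The database side must accept the connection; keep the pairing explicit.
resource "aws_security_group_rule" "db_ingress_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.database.id
  description              = "PostgreSQL from the application security group"
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.app.id
}
```

With this in place, any outbound connection from the application that is not TCP 5432 to the database group or TCP 443 is dropped at the security group, which is the exfiltration path the issue is trying to narrow. Anything else the application legitimately needs (for example DNS over UDP 53 if the VPC resolver is not used, or plain HTTP to a specific endpoint) has to be added as its own rule rather than by widening these two.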
