
(aws-ec2): custom resource to close default security group for VPCs #16065

Closed
1 of 2 tasks
dontirun opened this issue Aug 16, 2021 · 2 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

dontirun (Contributor) commented Aug 16, 2021

A closeDefaultSG option on VPCs that removes all inbound and outbound traffic rules on the default SG for VPCs

Use Case

When creating a VPC, the default security group allows all inbound and outbound traffic. For many organizations that follow compliance standards such as NIST 800-53, it is common practice to close the default security group, as seen in this Config rule.

Proposed Solution

  1. add closeDefaultSG boolean option to VPC construct and/or closeDefaultSG method to IVPC
  2. Retrieve vpcDefaultSecurityGroup property from VPC
  3. Use a custom resource to check if default SG exists and remove all ingress and egress rules from default security group
  4. (Not sure about this one) Make sure custom resource executes every time a stack update is performed

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@dontirun dontirun added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 16, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Aug 16, 2021
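The handler side of steps 2 to 4 of the proposal, written out as an added example for this thread (it is not code from the issue author or from the CDK project). It is the `onEvent` style handler the CDK Provider framework expects: it returns a `PhysicalResourceId` and `Data` instead of posting to the CloudFormation response URL itself. The EC2 client is injected rather than imported from boto3 so the logic runs offline against the constructed `FakeEc2` below; the `DefaultSecurityGroupId` property name, the `close-default-sg-` physical ID prefix, and all group, account and CIDR values are assumptions made for the example.

```python
import copy

# Constructed sample of a default SG as EC2 creates it (fake IDs): one ingress
# rule allowing all traffic from the group itself, one egress rule allowing all
# traffic to 0.0.0.0/0.
DEFAULT_SG_OPEN = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


class FakeEc2:
    """In-memory stand-in for boto3.client("ec2"), so the handler runs offline."""

    def __init__(self, groups):
        self.groups = {g["GroupId"]: g for g in groups}
        self.calls = []

    def describe_security_groups(self, GroupIds):
        # The real API raises InvalidGroup.NotFound for unknown IDs; this fake
        # simply omits them from the result.
        return {"SecurityGroups": [self.groups[g] for g in GroupIds if g in self.groups]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        if not IpPermissions:  # mirrors the real API's InvalidParameterValue
            raise ValueError("IpPermissions must not be empty")
        self.calls.append(("ingress", GroupId, len(IpPermissions)))
        self.groups[GroupId]["IpPermissions"] = []
        return {"Return": True}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        if not IpPermissions:
            raise ValueError("IpPermissions must not be empty")
        self.calls.append(("egress", GroupId, len(IpPermissions)))
        self.groups[GroupId]["IpPermissionsEgress"] = []
        return {"Return": True}


def revoke_all_rules(ec2, group_id):
    """Remove every ingress and egress rule from group_id; returns counts removed."""
    groups = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"]
    if not groups:
        return 0, 0  # step 3: nothing to close if the group is not there
    sg = groups[0]
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])
    # The describe output is accepted verbatim by the revoke calls, so this
    # removes the whole rule set rather than guessing at it.  Both calls reject
    # an empty list, so skip them when the group is already closed; that keeps
    # repeated Update runs idempotent.
    if ingress:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=ingress)
    if egress:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=egress)
    return len(ingress), len(egress)


def handler(event, ec2):
    """Custom-resource entry point in the shape the CDK Provider framework expects.

    `ec2` is injected (boto3.client("ec2") in a real Lambda; an assumed wrapper
    would be `def on_event(event, context): return handler(event, boto3.client("ec2"))`).
    """
    group_id = event["ResourceProperties"]["DefaultSecurityGroupId"]  # assumed prop name
    physical_id = "close-default-sg-" + group_id
    if event["RequestType"] == "Delete":
        # Removing the closer must never re-open the group: do nothing on Delete.
        removed = (0, 0)
    else:
        # Create and Update both revoke.  For step 4 (run on every deploy) the
        # construct has to change a property on each synth, e.g. a timestamp
        # nonce, or CloudFormation will not send an Update event at all.
        removed = revoke_all_rules(ec2, group_id)
    return {
        "PhysicalResourceId": physical_id,
        "Data": {"IngressRemoved": removed[0], "EgressRemoved": removed[1]},
    }


def demo():
    """Drive Create, Update and Delete against the constructed default SG."""
    ec2 = FakeEc2([copy.deepcopy(DEFAULT_SG_OPEN)])
    props = {"ResourceProperties": {"DefaultSecurityGroupId": DEFAULT_SG_OPEN["GroupId"]}}
    create = handler(dict(props, RequestType="Create"), ec2)
    update = handler(dict(props, RequestType="Update"), ec2)
    delete = handler(dict(props, RequestType="Delete"), ec2)
    sg = ec2.groups[DEFAULT_SG_OPEN["GroupId"]]
    return {
        "create": create["Data"],
        "update": update["Data"],
        "delete": delete["Data"],
        "closed": not sg["IpPermissions"] and not sg["IpPermissionsEgress"],
        "revoke_calls": len(ec2.calls),
    }


if __name__ == "__main__":
    print(demo())
```

Two behaviours are worth checking before shipping something like this: the Delete path must be a no-op so that tearing down the closer never loosens the VPC, and the Update path must tolerate an already-closed group, because the revoke APIs fail on an empty permission list. The re-run-on-every-deploy question in step 4 is settled at the construct level, by feeding the resource a property that changes on each synth, not in the handler. With a real client, a missing group surfaces as a `ClientError` rather than an empty list, so production code should catch `InvalidGroup.NotFound` explicitly.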
njlynch (Contributor) commented Aug 24, 2021

Thanks for the feature request, @dontirun .

I don't think this makes sense as a member property on [I]VPC, as that would tie it to another VPC construct and feels a bit awkward from an API perspective.

The right way to go here is likely just to have a dedicated Construct which implements the custom resource, ignoring the tie to IVPC altogether. There are some interesting bits here, especially with regard to when the custom resource runs -- if it runs before other resources in the stack, you could delete all rules, and then have another construct/resource immediately add the rules back.

This seems tied somewhat to some of the general ideas in our Defaults & Config RFC - aws/aws-cdk-rfcs#25. There's a general question of patterns here for detecting, implementing, and/or enforcing various best practices and AWS Config rules. Given that, I would actually be a bit hesitant to accept a contribution for this construct into the core CDK. It might be best suited published as a separate construct, advertised on Construct Hub, and consumable by anyone who'd like to use it.

That being said, I'm open to arguments for inclusion in the CDK itself. For now, marking this as a p2 and unassigning, as we won't be working on this ourselves any time soon.

@njlynch njlynch added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 24, 2021
@njlynch njlynch removed their assignment Aug 24, 2021
github-actions bot commented:

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 24, 2022