Restrict AWS security group settings in Terraform nested resource

I have an aws_directory_service_directory resource defined in a service, which creates a security group that allows ports 1024-65535 to be accessible from 0.0.0.0/0, and this is getting flagged by Security Hub because the AWS CIS standards do not recommend allowing ingress from 0.0.0.0/0 for TCP port 3389.
My question is how to restrict some of the rules in the resultant security group that gets created by the aws_directory_service_directory resource. How do you remediate this using Terraform on a resource that is a by-product of another?

Related

Lambda function access to EC2 instance in same security group

I am trying to access my EC2 instance configured with Elasticsearch from a configured Lambda function.
I've added the Lambda function to the same VPC and security group as the EC2 instance. I am not sure what's causing the issue.
I've got EC2FullAccess permissions on the Lambda function.
The correct security configuration should be:
A security group on the Lambda function (Lambda-SG). It does not require any Inbound rules. Leave the Outbound rules as standard 'allow all'.
A security group on the EC2 instance (Elasticsearch-SG) that allows Inbound connections on the desired port (9200?) from the Lambda-SG.
That is, Elasticsearch-SG specifically allows inbound connections from Lambda-SG.
Please note that security group rules apply to each instance individually. Putting two resources 'in' the same security group does not permit access between those resources unless there is a rule that allows inbound access from itself. Thus, it is better to put different security groups on each layer of resources.
There is no need to assign EC2FullAccess permissions to the Lambda function. That is only used to call AWS to do things like launching or terminating EC2 instances.

Connect to Elasticsearch Service from Lambda in the same VPC

How can I access an Elasticsearch Service instance from a Lambda function without applying an IAM role?
You will want to configure two Security Groups:
Configure the Lambda function to use the VPC.
Create a Lambda Security Group (Lambda-SG) and configure the Lambda function to use it.
Create an Elasticsearch Security Group (ES-SG) and configure Elasticsearch to use it.
In ES-SG, add a rule to permit inbound connections from Lambda-SG on port 9300 (or whatever port your ES is using).
That is, ES-SG should refer to Lambda-SG to permit inbound connections.
You need to provide an IAM role for the Lambda function and give that IAM role access to ES.
If your Lambda runs within a VPC, you can configure the Elasticsearch access policy as an IP-based policy.
AWS does provide samples for various kinds of access policies.
IP-based access policy

Give EC2 access to a ELB Elastic Beanstalk system

I have a database server on an EC2 instance, and I want it to be accessible by an Elastic Load Balancer cluster.
I tried adding the subnet of the Load Balancer to the security groups of the database EC2.
There must be some way to give the whole cluster of EC2 instances created by the ELB and autoscaling access to a single EC2.
Your question isn't too clear, but it appears your scenario is:
Internet -> ELB -> EC2 fleet -> Database (on EC2 instance)
You have a database running on a single EC2 instance
You have multiple EC2 instances running an application that connect to the database
You have an Elastic Load Balancer that accepts traffic from the Internet and distributes it to the EC2 instances running the application
You should configure the following Security Groups:
ELB-SG: Configure this security group to allow incoming web traffic from the Internet (0.0.0.0/0). Associate the security group to the Load Balancer.
App-SG: Configure this security group to allow incoming web traffic from ELB-SG. Associate the security group with every instance in the application fleet. If the EC2 instances are launched via Auto Scaling, then associate the security group with the Launch Configuration.
DB-SG: Configure this security group to allow incoming traffic from App-SG. Associate the security group to the EC2 instance running the database.
When I say "allow incoming traffic from xxx-SG", I mean that you should enter the name of the incoming security group in the Source field when configuring the security group. This will automatically insert the unique name of the security group (sg-xxxx). It means that any resource associated with the referenced security group will be allowed incoming access on the nominated port.
You should avoid using an IP address or CIDR range in a security group, because they can change (e.g. if you launch another EC2 instance). By referencing a security group by name, it will automatically update as instances are added/removed.
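The three-tier chain from this answer written as Terraform, with each tier's ingress rule pointing at the upstream security group's ID rather than a CIDR (the Lambda-SG to Elasticsearch-SG arrangement in the earlier answer uses the same technique). This is an added example, not code from either post; the placeholder VPC ID, port 80 on the ELB and application tiers, and port 3306 on the database are assumptions.

```hcl
# Added example (not from the posts): ELB-SG -> App-SG -> DB-SG chained by security group ID.
locals {
  vpc_id = "vpc-PLACEHOLDER" # constructed placeholder; use your VPC ID
  groups = toset(["ELB-SG", "App-SG", "DB-SG"])
}
resource "aws_security_group" "sg" {
  for_each = local.groups
  name     = each.key
  vpc_id   = local.vpc_id
}
# Terraform drops AWS's default allow-all egress rule, so re-create it ("standard allow all").
resource "aws_security_group_rule" "egress_all" {
  for_each          = aws_security_group.sg
  type              = "egress"
  security_group_id = each.value.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

# ELB-SG: the load balancer is the only group that accepts traffic from the Internet.
resource "aws_security_group_rule" "elb_in_http" {
  type              = "ingress"
  security_group_id = aws_security_group.sg["ELB-SG"].id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# App-SG: web traffic only from members of ELB-SG (source_security_group_id, not a CIDR).
resource "aws_security_group_rule" "app_in_from_elb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.sg["App-SG"].id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.sg["ELB-SG"].id
}

# DB-SG: database port only from members of App-SG. Port 3306 is an assumption.
resource "aws_security_group_rule" "db_in_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.sg["DB-SG"].id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.sg["App-SG"].id
}
```

Attach `aws_security_group.sg["App-SG"]` to the Launch Configuration so every Auto Scaling instance is covered, and adding or removing instances then needs no rule changes.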

Amazon EC2: Security Group not respecting my custom inbound and outbound rules

So I limited the inbound and outbound rules in my security group policy to my IP only; however, I find that I can access it from any other IP address. Does the EC2 instance need to be restarted in order to reflect the new security group policy?
No, the instance does not need to be restarted for the security policy to apply.
You need to check whether there are multiple security groups attached to the instance.

Amazon - can't connect to instance behind VPC

For testing purposes, I set up a VPC on Amazon and created an instance within the VPC. I've added a gateway for the 0.0.0.0/0 address to the attached routing table, and given the instance an elastic IP address. I'm unable to ssh or ping it, even when I set the security group to allow all traffic. I must be missing something obvious. What am I doing wrong?
It turns out that when I created the instance, I accepted the default security group, which only allows access from a specific IP address. When I added another instance, I created it with a security group which allowed all traffic, and I was able to ping it.
