
Ingress to the database is open from 0.0.0.0/0 on all ports #344

Open
alexpulver opened this issue Sep 17, 2020 · 3 comments
Labels: P-1, question (Further information is requested)

Comments

@alexpulver (Contributor) commented Sep 17, 2020

Is there a reason to open ingress to the database from 0.0.0.0/0 on all ports? It doesn't seem to be needed, since there is an explicit reference to yelb-app-server security group.

```yaml
YelbDbSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: yelb-db security group
    SecurityGroupIngress:
      - SourceSecurityGroupId: !Ref YelbAppserverSecurityGroup
        IpProtocol: tcp
        ToPort: 5432
        FromPort: 5432
      - CidrIp: 0.0.0.0/0
        IpProtocol: tcp
        ToPort: 65535
        FromPort: 0
    VpcId: !Ref 'VPC'
```
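As an added example (not code from the yelb project or from any participant in this thread), the Python script below is the check a reviewer would run over a CloudFormation template before deploying it: it lists every security group ingress rule whose source is 0.0.0.0/0 or ::/0, flags those that span every port, and returns a copy of the template with the world-open rules removed, which for the snippet above leaves only the yelb-app-server security group reference on TCP 5432. The template is embedded in CloudFormation's JSON form, transcribed from the YAML in the issue, so the script needs no YAML library; the function names and the handling of standalone AWS::EC2::SecurityGroupIngress resources (which the snippet does not contain) are assumptions of mine, not something the issue describes.

```python
import copy
import json

# Constructed sample, not code from the yelb repository: the YelbDbSecurityGroup
# posted in the issue, transcribed into CloudFormation's JSON syntax (!Ref becomes
# {"Ref": ...}) so that it parses with the standard library alone. The second
# ingress rule is the world-open one the issue questions.
SAMPLE_TEMPLATE_JSON = """
{
  "Resources": {
    "YelbDbSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "yelb-db security group",
        "SecurityGroupIngress": [
          {"SourceSecurityGroupId": {"Ref": "YelbAppserverSecurityGroup"},
           "IpProtocol": "tcp", "ToPort": 5432, "FromPort": 5432},
          {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "ToPort": 65535, "FromPort": 0}
        ],
        "VpcId": {"Ref": "VPC"}
      }
    }
  }
}
"""

# CIDRs that mean "anyone on the internet", IPv4 and IPv6.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def load_template(text):
    """Parse a CloudFormation template given in JSON form."""
    return json.loads(text)


def is_world_open(rule):
    """True if an ingress rule's source is the whole internet."""
    return rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS


def covers_all_ports(rule):
    """True if the rule spans every port: protocol -1 (all) or the range 0-65535."""
    if str(rule.get("IpProtocol", "-1")) == "-1":
        return True
    try:
        return int(rule.get("FromPort", -1)) <= 0 and int(rule.get("ToPort", -1)) >= 65535
    except (TypeError, ValueError):
        return False


def ingress_rules(template):
    """Yield (owner_name, rule) for inline rules on AWS::EC2::SecurityGroup resources
    and for standalone AWS::EC2::SecurityGroupIngress resources (assumed extension)."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def find_world_open_ingress(template):
    """Return one finding per ingress rule reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for owner, rule in ingress_rules(template):
        if not is_world_open(rule):
            continue
        findings.append({
            "resource": owner,
            "cidr": rule.get("CidrIp") or rule.get("CidrIpv6"),
            "protocol": str(rule.get("IpProtocol", "-1")),
            "from_port": rule.get("FromPort"),
            "to_port": rule.get("ToPort"),
            "all_ports": covers_all_ports(rule),
        })
    return findings


def drop_world_open_ingress(template):
    """Return a deep copy of the template with every world-open ingress rule removed:
    inline rules are filtered out of the list, standalone ingress resources are deleted."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for name in list(resources):
        res = resources[name]
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup" and "SecurityGroupIngress" in props:
            props["SecurityGroupIngress"] = [
                r for r in props["SecurityGroupIngress"] if not is_world_open(r)
            ]
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress" and is_world_open(props):
            del resources[name]
    return fixed


if __name__ == "__main__":
    tpl = load_template(SAMPLE_TEMPLATE_JSON)
    for f in find_world_open_ingress(tpl):
        print("world-open ingress on %(resource)s: %(cidr)s %(protocol)s "
              "%(from_port)s-%(to_port)s (all ports: %(all_ports)s)" % f)
    fixed = drop_world_open_ingress(tpl)
    print(json.dumps(fixed["Resources"]["YelbDbSecurityGroup"]["Properties"]
                     ["SecurityGroupIngress"], indent=2))
```

Run it as a script to print the finding and the hardened ingress list. Loading the YAML form directly would need a loader that understands CloudFormation's `!Ref` and other intrinsic tags. The check reports a 0.0.0.0/0 rule whether or not the database instance actually has a public IP or an internet route, deliberately: the security group should not be the place where that assumption is silently relied on.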

@ganeshbch commented

This could be a good resource https://www.stratoscale.com/blog/cloud/aws-security-groups-5-best-practices/ to resolve the issue.

@jamsajones jamsajones added question Further information is requested P-1 labels Oct 28, 2020
@bcelenza (Contributor) commented Oct 28, 2020

@alexpulver You are correct, allowing all is not required for that security group. I'm currently working with the blog owner to correct that and a few other issues with this example.

@bcelenza bcelenza removed their assignment Dec 3, 2020
@jamsajones jamsajones self-assigned this Jan 6, 2021
@herrhound herrhound assigned rajal-amzn and unassigned jamsajones Apr 29, 2021
@alexpulver (Contributor, Author) commented

@rajal-amzn @herrhound @jamsajones @bcelenza any chance this code can be updated?

No branches or pull requests

5 participants