aws-samples / service-catalog-engine-for-terraform-os

Apache License 2.0

fix: remove inbound ssh traffic authorization #55

Closed ericwestfall closed 1 year ago

ericwestfall commented 1 year ago

Summary

This commit removes all ingress traffic authorizations from the security group attached to the TRE execution instances to reduce the attack surface of the TRE execution instances.

  1. Removes the ingress rule that previously authorized inbound connections to port tcp/22 from unrestricted networks (e.g., 0.0.0.0/0) by default.

  2. Replaces the egress rule that permitted all outbound traffic to any destination with rules that limit egress traffic to http/80 and https/443 to 0.0.0.0/0.

Testing

These changes were successfully deployed to both a pre-existing TRE environment and a completely new TRE environment. All AWS Service Catalog operations related to the TRE components (e.g., CreateProvisionedProduct, UpdateProvisionedProduct, and TerminateProvisionedProduct) were successfully tested in a multi-account AWS Control Tower environment, to include portfolios shared directly with account principals and through AWS Organizations.

See V945951784 for additional testing details.
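The two properties this PR establishes (no inbound tcp/22 from the internet, egress limited to tcp/80 and tcp/443) can be verified after deployment against the live security groups. The following is an added example, not code from the service-catalog-engine-for-terraform-os project: it audits security groups in the dict shape returned by EC2 DescribeSecurityGroups (`IpPermissions` / `IpPermissionsEgress`). The two sample groups and their `GroupId` values are constructed to mirror the before/after state the PR describes and are not real resources.

```python
"""Audit security groups for the two properties PR #55 enforces: no
unrestricted ingress to tcp/22 and egress limited to tcp/80 and tcp/443.

Added example, not code from the service-catalog-engine-for-terraform-os
project. It operates on the dict shape returned by EC2
DescribeSecurityGroups (IpPermissions / IpPermissionsEgress); the two
sample groups below are constructed to mirror the before/after state the
PR describes and are not real resources.
"""
from __future__ import annotations

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
ALLOWED_EGRESS_PORTS = {80, 443}


def _covers_port(rule: dict, port: int) -> bool:
    """True if a permission entry includes `port`. IpProtocol "-1" means
    all protocols and ports and carries no FromPort/ToPort."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _is_unrestricted(rule: dict) -> bool:
    """True if the entry's source/destination includes the whole internet
    (v4 or v6). Prefix-list and security-group sources are not unrestricted."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & {ANY_V4, ANY_V6})


def open_ssh_ingress(sg: dict) -> bool:
    """The rule PR #55 removes: inbound tcp/22 from 0.0.0.0/0 or ::/0,
    including wide tcp port ranges that happen to cover 22."""
    return any(_covers_port(r, 22) and _is_unrestricted(r)
               for r in sg.get("IpPermissions", []))


def egress_beyond_web(sg: dict) -> list[str]:
    """Egress entries wider than single-port tcp/80 or tcp/443, as text."""
    findings = []
    for r in sg.get("IpPermissionsEgress", []):
        proto = r.get("IpProtocol")
        lo, hi = r.get("FromPort"), r.get("ToPort")
        if proto == "-1":
            findings.append("all protocols and ports")
        elif proto != "tcp" or lo != hi or lo not in ALLOWED_EGRESS_PORTS:
            findings.append(f"{proto} {lo}-{hi}")
    return findings


def audit(groups: list[dict]) -> dict[str, list[str]]:
    """Map GroupId -> findings; groups with no findings are omitted."""
    report = {}
    for sg in groups:
        findings = []
        if open_ssh_ingress(sg):
            findings.append("ingress tcp/22 from anywhere")
        findings += [f"egress {f}" for f in egress_beyond_web(sg)]
        if findings:
            report[sg["GroupId"]] = findings
    return report


# Constructed sample: the execution-instance security group before this PR.
SG_BEFORE = {
    "GroupId": "sg-0example0before",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ],
}

# Constructed sample: the same group after this PR.
SG_AFTER = {
    "GroupId": "sg-0example0after",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for gid, findings in audit([SG_BEFORE, SG_AFTER]).items():
        print(gid, *findings, sep="\n  ")
```

Against a real account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `audit()`; an empty report for the TRE execution-instance group is the post-deployment check for this change. Note that `open_ssh_ingress` only treats `0.0.0.0/0` and `::/0` as unrestricted; a rule sourced from another security group or a prefix list is deliberately not flagged.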

smaly-amazon commented 1 year ago

@zipengw27,

It is a known limitation with VPC and related resources that updating or deleting will often be blocked by that error, and that manual steps must be taken. There's no way around this right now, and it has existed for a long time.

It is discussed here, for example, when deleting a VPC. But the same applies to updating VPC-related resources.

https://repost.aws/knowledge-center/troubleshoot-dependency-error-delete-vpc