aws-samples / startup-kit-templates

CloudFormation templates to accelerate getting started on AWS.
Apache License 2.0
815 stars 400 forks

Incorrect security group ingress and egress #47

Closed chriskl closed 5 years ago

chriskl commented 5 years ago

The use of port ranges in three of the egress/ingress rules looks wrong in the VPC definition:

Existing

```yaml
BastionSecurityGroupToDbEgress:
    Type: AWS::EC2::SecurityGroupEgress  # prevent security group circular references
    Properties:
      GroupId: !Ref BastionSecurityGroup
      IpProtocol: tcp
      ToPort: 5432
      FromPort: 3306
      DestinationSecurityGroupId: !Ref DbSecurityGroup
```

That's opening thousands of ports! Perhaps it would be better to split it into two:

New

```yaml
BastionSecurityGroupToDbEgress:
    Type: AWS::EC2::SecurityGroupEgress  # prevent security group circular references
    Properties:
      GroupId: !Ref BastionSecurityGroup
      IpProtocol: tcp
      ToPort: 3306
      FromPort: 3306
      DestinationSecurityGroupId: !Ref DbSecurityGroup

# logical IDs must be unique within a template, so the second rule needs its own name
BastionSecurityGroupToDbEgressPostgres:
    Type: AWS::EC2::SecurityGroupEgress  # prevent security group circular references
    Properties:
      GroupId: !Ref BastionSecurityGroup
      IpProtocol: tcp
      ToPort: 5432
      FromPort: 5432
      DestinationSecurityGroupId: !Ref DbSecurityGroup
```
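As an added example that is not part of this issue or of the project's templates, a small check that flags security-group rules opening more than a single port, run over a constructed Resources section modelled on the two snippets above (the resource names and the `RESOURCES` dict are assumptions standing in for a parsed template):

```python
"""Flag CloudFormation security-group rules that open a port range
instead of one port, e.g. FromPort 3306 / ToPort 5432 as in this issue."""

# Constructed stand-in for a parsed template's Resources section; the first
# rule mirrors the "Existing" snippet, the second the single-port fix.
RESOURCES = {
    "BastionSecurityGroupToDbEgress": {
        "Type": "AWS::EC2::SecurityGroupEgress",
        "Properties": {
            "GroupId": {"Ref": "BastionSecurityGroup"},
            "IpProtocol": "tcp",
            "FromPort": 3306,
            "ToPort": 5432,
            "DestinationSecurityGroupId": {"Ref": "DbSecurityGroup"},
        },
    },
    "BastionSecurityGroupToDbEgressPostgres": {
        "Type": "AWS::EC2::SecurityGroupEgress",
        "Properties": {
            "GroupId": {"Ref": "BastionSecurityGroup"},
            "IpProtocol": "tcp",
            "FromPort": 5432,
            "ToPort": 5432,
            "DestinationSecurityGroupId": {"Ref": "DbSecurityGroup"},
        },
    },
}

RULE_TYPES = {"AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"}


def port_span(rule):
    """Number of TCP/UDP ports a rule opens; protocol -1 means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return 65536
    return int(rule.get("ToPort", 65535)) - int(rule.get("FromPort", 0)) + 1


def find_wide_rules(resources, max_ports=1):
    """Return (name, FromPort, ToPort, span) for every standalone rule resource
    or inline SecurityGroupIngress/Egress entry wider than max_ports."""
    findings = []
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") in RULE_TYPES:
            rules = [(logical_id, props)]
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = [(f"{logical_id}.{key}[{i}]", r)
                     for key in ("SecurityGroupIngress", "SecurityGroupEgress")
                     for i, r in enumerate(props.get(key, []))]
        else:
            continue
        for name, r in rules:
            span = port_span(r)
            if span > max_ports:
                findings.append((name, r.get("FromPort"), r.get("ToPort"), span))
    return findings
```

Running `find_wide_rules(RESOURCES)` reports only the first rule, which spans 2127 ports; the single-port rule passes.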

rnzsgh commented 5 years ago

Hey Chris, thanks so much for pointing this out!

I created a PR that is under review:

https://github.com/aws-samples/startup-kit-templates/pull/48