Closed chriskl closed 5 years ago
The use of port ranges in three of the egress/ingress rules looks wrong in the VPC definition:
Existing:

```yaml
BastionSecurityGroupToDbEgress:
  Type: AWS::EC2::SecurityGroupEgress # prevent security group circular references
  Properties:
    GroupId: !Ref BastionSecurityGroup
    IpProtocol: tcp
    ToPort: 5432
    FromPort: 3306
    DestinationSecurityGroupId: !Ref DbSecurityGroup
```
That's opening thousands of ports! Perhaps it would be better to split it into two:
New:

```yaml
# Logical IDs must be unique within a template, so the two rules get distinct names.
BastionSecurityGroupToDbEgressMysql:
  Type: AWS::EC2::SecurityGroupEgress # prevent security group circular references
  Properties:
    GroupId: !Ref BastionSecurityGroup
    IpProtocol: tcp
    ToPort: 3306
    FromPort: 3306
    DestinationSecurityGroupId: !Ref DbSecurityGroup
BastionSecurityGroupToDbEgressPostgres:
  Type: AWS::EC2::SecurityGroupEgress # prevent security group circular references
  Properties:
    GroupId: !Ref BastionSecurityGroup
    IpProtocol: tcp
    ToPort: 5432
    FromPort: 5432
    DestinationSecurityGroupId: !Ref DbSecurityGroup
```
Hey Chris, thanks so much for pointing this out!
I created a PR that is under review:
https://github.com/aws-samples/startup-kit-templates/pull/48