awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Managed-AD Security Group Management #541

Open ktroy78 opened 3 weeks ago

ktroy78 commented 3 weeks ago

Is your feature request related to a problem? Please describe. I am frustrated that despite being able to create managed-AD via LZA, I am unable to use LZA or cfn to customise the default security groups.

Describe the feature you'd like When creating AWS ManagedAD, I would like to be able to modify/specify the security group rules as an option. Currently a default security group is attached; however, you can only manage this manually.

I would like a way to either override the defaults, or keep the defaults and add new inbound/outbound security-group rules, or attach a pre-existing SG instead of the original.

bo1984 commented 3 weeks ago

Hi @ktroy78 !

Thank you for reaching out and utilizing the Landing Zone Accelerator on AWS (LZA) solution. If you have the configuration instance set in your Managed AD configuration in LZA, you should be able to modify the securityGroupInboundSources property (example at the top of the page). Please let me know if this fits your use case. Otherwise I can check our backlog for an existing feature request and add this issue to it.

ktroy78 commented 3 weeks ago

Hey @bo1984, I believe that the solution above would only configure the SG for the ad-management-ec2-instance and not for the managed AD itself. I would like to be able to actively modify just the actual managed AD's SG and not the management EC2's.

This is because I have RDS instances within another account that need access to the managed AD.

CirrusHQ-Pipeline-User commented 3 weeks ago

@bo1984 We can second what @ktroy78 is mentioning there.

Currently, we deploy AWS Managed AD via LZA into a SharedServices VPC which is created by a Networking Account and shared to the SharedServices AWS Account. LZA configures the AWS Managed AD within the SharedServices VPC, but by default sets the Security Group on the AWS Managed AD Network Interfaces to allow the relevant ports from the SharedServices VPC CIDR only, as it hosts the Managed AD.

For our use case, where we also deploy other VPCs via the Networking Account and share those outwards to other AWS Accounts, which can then place their workloads into their respective shared VPC, we need to have the AWS Managed AD Network Interfaces Security Group updated to allow the traffic from the Workload VPCs which need to connect into the AWS Managed AD.

Currently, we couldn't find a native LZA way to do this, as there are no properties to update the Security Group of the AWS Managed AD Network Interfaces. A simple property such as allowedCidrs would allow us to do this, in a similar way to what your resolver endpoint config allows us to do.

Thanks,
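The manual step the thread describes, as an added example that is not LZA project code nor posted by anyone in this thread: look up the security group that Managed AD attached to its domain-controller interfaces and open only the directory ports to named workload CIDRs. Assumptions: the port list is the one AWS documents for Managed Microsoft AD, the function names are hypothetical, and the `ds`/`ec2` boto3 clients are passed in from the account that owns the directory.

```python
"""Add workload-VPC CIDRs to the Managed AD domain-controller security group.
Added example, not LZA project code. Assumptions: the port list below is the
one AWS documents for Managed Microsoft AD; boto3 clients are passed in."""
import ipaddress

# (protocol, from_port, to_port) a domain-joined client needs to reach a DC.
AD_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),            # DNS
    ("tcp", 88, 88), ("udp", 88, 88),            # Kerberos
    ("udp", 123, 123),                           # NTP
    ("tcp", 135, 135),                           # RPC endpoint mapper
    ("udp", 138, 138), ("tcp", 139, 139),        # NetBIOS
    ("tcp", 389, 389), ("udp", 389, 389),        # LDAP
    ("tcp", 445, 445), ("udp", 445, 445),        # SMB
    ("tcp", 464, 464), ("udp", 464, 464),        # Kerberos password change
    ("tcp", 636, 636),                           # LDAPS
    ("tcp", 3268, 3269),                         # Global Catalog
    ("tcp", 9389, 9389),                         # AD Web Services
    ("tcp", 49152, 65535),                       # RPC dynamic range
]

def ingress_permissions(cidrs, description="workload VPC"):
    """Build EC2 IpPermissions that open AD_PORTS from each CIDR only.
    Rejects malformed CIDRs, IPv6, and anything as wide as 0.0.0.0/0."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
        if net.version != 4 or net.prefixlen == 0:
            raise ValueError("refusing rule for %s" % cidr)
        nets.append(str(net))
    return [
        {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
         "IpRanges": [{"CidrIp": n, "Description": description} for n in nets]}
        for proto, lo, hi in AD_PORTS
    ]

def directory_security_group(ds_client, directory_id):
    """Security group that Managed AD attached to its domain-controller ENIs."""
    resp = ds_client.describe_directories(DirectoryIds=[directory_id])
    return resp["DirectoryDescriptions"][0]["VpcSettings"]["SecurityGroupId"]

def allow_workload_cidrs(ds_client, ec2_client, directory_id, cidrs):
    """The manual step from the thread: widen the directory SG to the workload CIDRs."""
    group_id = directory_security_group(ds_client, directory_id)
    ec2_client.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=ingress_permissions(cidrs))
    return group_id
```

Call `allow_workload_cidrs(boto3.client("ds"), boto3.client("ec2"), "d-EXAMPLE", ["10.1.0.0/16"])` from the account that owns the directory; the security group lives there even when the VPC is shared from the Networking account.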