bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

Restrict/Alert on Security Group changes #3065

Closed NickCorcoran closed 1 month ago

NickCorcoran commented 2 months ago

Importance and Impact: Security Group changes should be controlled so that they are made with automated tools and not by humans, to reduce the chance of inadvertent exposure.

What if someone were to inadvertently change this security group’s rules and enable FTP or other protocols to access the public subnet from any location on the Internet? That expanded access could weaken the security posture of your assets.

Recommendations: Ensure there is a CloudWatch alarm created and configured in your AWS account to fire each time a security group configuration change is made. This CloudWatch alarm must be triggered every time an AWS API call is performed to update security groups.
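The detection the recommendation above asks for is a CloudTrail-to-CloudWatch-Logs metric filter on the security-group mutation API calls, with an alarm on the resulting metric. The following is an added example (not code from the cloud-pathfinder repo or from ASEA/LZA) that builds that filter pattern and runs the same matching logic over a few constructed CloudTrail records, flagging changes that open a rule to the whole Internet and changes made from the console rather than from a pipeline. The event-name list is the one the CIS AWS Foundations Benchmark uses for this control; the group IDs, principals and user agents in the sample lines are made up.

```python
"""Detect security-group changes in CloudTrail records and build the
CloudWatch Logs metric-filter pattern that an alarm would watch.

Added example for this issue; not code from the cloud-pathfinder repo.
The log lines below are constructed for illustration; the event-name list
is the one the CIS AWS Foundations Benchmark uses for this control.
"""
import json

# EC2 API calls that create, delete, or change the rules of a security group.
SG_CHANGE_EVENTS = (
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
)

# CIDRs that mean "any location on the Internet".
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail records (one JSON document per line), trimmed to
# the fields the checks below use. Group IDs and principals are made up.
SAMPLE_LOG_LINES = [
    json.dumps({
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "example-admin"},
        "userAgent": "console.ec2.amazonaws.com",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 21, "toPort": 21,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    }),
    json.dumps({
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/example-pipeline/run"},
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {},
    }),
    json.dumps({
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RevokeSecurityGroupIngress",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/example-pipeline/run"},
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
            }]},
        },
    }),
]


def metric_filter_pattern(events=SG_CHANGE_EVENTS):
    """Filter pattern for the CloudTrail log group; attach it with
    put-metric-filter and alarm on the resulting metric (Sum >= 1)."""
    return "{ " + " || ".join(f"($.eventName = {e})" for e in events) + " }"


def open_to_internet(record):
    """True when an ingress/egress change names a CIDR open to everyone."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {})
    for perm in perms.get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if ANYWHERE.intersection(v4 + v6):
            return True
    return False


def scan(log_lines):
    """Return one finding per security-group change, in log order."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("eventName") not in SG_CHANGE_EVENTS:
            continue  # reads such as DescribeSecurityGroups are not changes
        ident = rec.get("userIdentity", {})
        findings.append({
            "eventName": rec["eventName"],
            "groupId": rec.get("requestParameters", {}).get("groupId"),
            "principal": ident.get("arn") or ident.get("userName"),
            # Heuristic: console user agents start with "console."; a change
            # from the console is a hands-on edit rather than a pipeline run.
            "via_console": rec.get("userAgent", "").startswith("console."),
            "internet_exposed": open_to_internet(rec),
        })
    return findings


if __name__ == "__main__":
    print(metric_filter_pattern())
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding)
```

The pattern string is what goes into the CloudWatch Logs metric filter; the alarm then fires on a metric value of 1 or more over one period. The `scan` function applies the same event-name match to raw records so the team can replay a day of CloudTrail and see which changes the alarm would have caught, and which of those opened a port to the whole Internet.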

NickCorcoran commented 1 month ago

Existing SCPs prevent deletes/updates to ASEA/LZA-created security groups. This is done through tags.

NickCorcoran commented 1 month ago

Ministry projects can create/update their own security groups, but not the central ASEA/LZA ones.
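To make the tag-based guardrail described in the two comments above concrete, here is an added example (not the actual bcgov ASEA/LZA SCP, whose tag key and role exemptions are not on this page): an SCP that denies security-group mutations when the target group carries an assumed marker tag, exempts an assumed accelerator role name pattern so automation can still manage those groups, and also denies stripping the marker tag from them. A small evaluator that understands only the operators this policy uses then plays the policy against a constructed inventory, showing that a ministry role is blocked on the landing-zone group but free on its own.

```python
"""Model of the tag-based SCP guardrail: explicit Deny on security-group
mutations when the target group carries the landing-zone marker tag.

Added example; not the actual bcgov ASEA/LZA policy. The tag key and value,
the accelerator role pattern, and the group IDs and tags in the sample
inventory are all assumed placeholders.
"""
import fnmatch

MARKER_TAG_KEY = "Accelerator"  # assumed; substitute the real ASEA/LZA tag key
MARKER_TAG_VALUE = "ASEA"       # assumed marker value
ACCELERATOR_ROLE_PATTERN = "arn:aws:iam::*:role/Accelerator*"  # assumed automation role name

# Service control policy: Deny applies to everyone except the accelerator's
# own role; the second statement stops the tag itself from being removed,
# otherwise the first statement could be sidestepped.
PROTECT_LANDING_ZONE_SGS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyChangesToLandingZoneSecurityGroups",
            "Effect": "Deny",
            "Action": [
                "ec2:AuthorizeSecurityGroup*",
                "ec2:RevokeSecurityGroup*",
                "ec2:ModifySecurityGroupRules",
                "ec2:DeleteSecurityGroup",
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {f"aws:ResourceTag/{MARKER_TAG_KEY}": MARKER_TAG_VALUE},
                "ArnNotLike": {"aws:PrincipalARN": ACCELERATOR_ROLE_PATTERN},
            },
        },
        {
            "Sid": "DenyRemovingTheMarkerTag",
            "Effect": "Deny",
            "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {f"aws:ResourceTag/{MARKER_TAG_KEY}": MARKER_TAG_VALUE},
                "ArnNotLike": {"aws:PrincipalARN": ACCELERATOR_ROLE_PATTERN},
            },
        },
    ],
}

# Constructed inventory: group id -> tags. One landing-zone group, one ministry group.
SAMPLE_GROUPS = {
    "sg-0aaaaaaaaaaaaaaa1": {"Name": "asea-perimeter", MARKER_TAG_KEY: MARKER_TAG_VALUE},
    "sg-0bbbbbbbbbbbbbbb2": {"Name": "ministry-app-web", "Project": "example"},
}
MINISTRY_ADMIN = "arn:aws:iam::111122223333:role/ministry-admin"          # constructed
ACCELERATOR_ROLE = "arn:aws:iam::111122223333:role/Accelerator-Pipeline"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy, action, resource_tags, principal_arn):
    """True if an explicit Deny in `policy` applies to this request.

    Teaching model, not a general IAM evaluator: it supports only Action
    globs, StringEquals on aws:ResourceTag/<key>, and ArnNotLike on
    aws:PrincipalARN, which is all this policy uses. Action names are
    matched case-insensitively, as IAM does; ARNs case-sensitively.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        cond = stmt.get("Condition", {})
        tag_ok = all(
            resource_tags.get(key[len("aws:ResourceTag/"):]) == value
            for key, value in cond.get("StringEquals", {}).items()
        )
        patterns = _as_list(cond.get("ArnNotLike", {}).get("aws:PrincipalARN", []))
        principal_ok = not any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)
        if tag_ok and principal_ok:
            return True
    return False


def protected_groups(policy, action, inventory, principal_arn):
    """Group IDs on which `principal_arn` would be denied `action`."""
    return sorted(gid for gid, tags in inventory.items()
                  if is_denied(policy, action, tags, principal_arn))


if __name__ == "__main__":
    for who in (MINISTRY_ADMIN, ACCELERATOR_ROLE):
        blocked = protected_groups(PROTECT_LANDING_ZONE_SGS,
                                   "ec2:AuthorizeSecurityGroupIngress", SAMPLE_GROUPS, who)
        print(f"{who}: denied on {blocked or 'nothing'}")
```

The evaluator is only there to exercise the policy offline; the authoritative check in a real account is the IAM policy simulator or a dry-run from a ministry role. The second statement is the part most often forgotten: if `ec2:DeleteTags` is left open on marked groups, the guardrail rests on a tag anyone can remove.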