Closed binchoo closed 2 years ago
Options:

- [ ] VPC Links + NLB
- [x] Asking Kakaotalk to inform IP ranges of skill connectors + SG allowing inbound traffic from that range.
- [ ] Spring Security inspecting HTTP headers.
- [ ] Configuring NGINX.
- [ ] Installing a WAF at the API Gateway allowing inbound traffic from Kakaotalk's skill connectors.
```yaml
  SGIkakaoBotProxy:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security Group allowing inbound traffic from ikakao bot proxies"
      GroupName: SGIkakaoBotProxy
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 219.249.231.40/30

  PaimonGanyuSkillConfigurationTemplate:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties:
      Description: Configuration for PaimonGanyu KAKAOTALK Skill Server
      ApplicationName: !Ref PaimonGanyuSkillApplication
      SolutionStackName: 64bit Amazon Linux 2 v3.2.16 running Corretto 11
      OptionSettings:
        # ...
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value: !Ref SGIkakaoBotProxy
        # ...
```
Now the security policy described in https://github.com/binchoo/PaimonGanyu/issues/16#issuecomment-1200372227 is applied.
As-is: I have my beanstalk application inside the "default VPC & subnet".

To-be: Make a private subnet and deploy the beanstalk app there. Configure a VPC Endpoint for DynamoDB.
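As an added example (not code from the PaimonGanyu project or from the issue author), here is a small Python check of what the `SGIkakaoBotProxy` rule actually admits: it enumerates the four addresses in the /30, rejects a `CidrIp` whose host bits are set (a typo such as `219.249.231.41/30` would otherwise be silently widened to the enclosing network), and mirrors the security-group ingress decision for a given source address, destination port and protocol. The rule list is constructed inline from the template above; the function names are this example's own.

```python
import ipaddress

# Constructed sample: the single ingress rule of the SGIkakaoBotProxy
# resource in the CloudFormation template above (not the project's code).
INGRESS_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "219.249.231.40/30"},
]


def parse_cidr(cidr):
    """Parse a CidrIp value strictly: the address part must be the network
    address. strict=True makes ipaddress raise ValueError for a host address
    such as 219.249.231.41/30 instead of rounding it down to the /30."""
    return ipaddress.ip_network(cidr, strict=True)


def cidr_is_strict(cidr):
    """True if the CIDR is a well-formed network address (no host bits set)."""
    try:
        parse_cidr(cidr)
        return True
    except ValueError:
        return False


def allowed_sources(rules):
    """Enumerate every source address the rules admit, as dotted strings.
    A /30 is only four addresses (network, two hosts, broadcast), so the list
    can be compared by eye with the range the upstream party published."""
    addrs = set()
    for rule in rules:
        addrs.update(parse_cidr(rule["CidrIp"]))
    return [str(a) for a in sorted(addrs)]


def is_allowed(rules, src_ip, dst_port, protocol="tcp"):
    """Mirror the security-group ingress decision: a packet is admitted only if
    some rule matches its protocol, its destination port and its source
    address. Security groups are default-deny, so no match means drop.
    IpProtocol "-1" means all protocols and ignores the port range."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto != "-1":
            if proto != protocol:
                continue
            if not (rule["FromPort"] <= dst_port <= rule["ToPort"]):
                continue
        if src in parse_cidr(rule["CidrIp"]):
            return True
    return False


if __name__ == "__main__":
    print("admitted sources:", allowed_sources(INGRESS_RULES))
    for ip in ("219.249.231.41", "219.249.231.44"):
        print(ip, "port 80 ->", "allow" if is_allowed(INGRESS_RULES, ip, 80) else "deny")
```

One caveat worth keeping in mind with this approach: a security group evaluates the source address of the connection the instance actually receives. If traffic reaches the instance through a load balancer or proxy, the source the instance-level group sees is that intermediary, not the Kakaotalk skill connector, and the allow-list has to be enforced at the hop where the original source address is still visible.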