[SAM] Improve beanstalk security: introduce new security group for skill connectors

[binchoo]

As-is: I have my beanstalk application inside the "default VPC & subnet".

• If the ALB endpoint is exposed accidentally, this becomes a critical security problem. Because a malicious user can request any delete operation for resources of others via the exposed URL.

To-be:

• [ ] Make a private subnet and deploy the beanstalk app there.
• [ ] Configure a VPC Endpoint for DynamoDB.

[binchoo]

Options:

• VPC Links + NLB

• [x] Asking Kakaotalk to inform IP ranges of skill connectors + SG allowing inbound traffic from that range.

• Spring Security inspecting HTTP headers.

• Configuring NGINX.

• Installing a WAF at the API Gateway allowing inbound traffic from Kakaotalk's skill connectors.

  • Resource-based Policy for API Gateway is a preferred method.

[binchoo]

Creating a new SG for ikakao proxies

SGIkakaoBotProxy:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Security Group allowing inbound traffic from ikakao bot proxies"
    GroupName: SGIkakaoBotProxy
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 219.249.231.40/30

PaimonGanyuSkillConfigurationTemplate:
  Type: AWS::ElasticBeanstalk::ConfigurationTemplate
  Properties:
    Description: Configuration for PaimonGanyu KAKAOTALK Skill Server
    ApplicationName: !Ref PaimonGanyuSkillApplication
    SolutionStackName: 64bit Amazon Linux 2 v3.2.16 running Corretto 11
    OptionSettings:
      ...
      - Namespace: aws:autoscaling:launchconfiguration
        OptionName: SecurityGroups
        Value: !Ref SGIkakaoBotProxy
      ...

[binchoo]

Change of Impact

Now the security policy which https://github.com/binchoo/PaimonGanyu/issues/16#issuecomment-1200372227 describes is applied.