databricks / terraform-databricks-sra

The Security Reference Architecture (SRA) implements typical security features as Terraform Templates that are deployed by most high-security organizations, and enforces controls for the largest risks that customers ask about most often.

[AWS] Firewall not blocking non-HTTPS/HTTP traffic to non-allow listed FQDNs #33

Closed JDBraun closed 6 months ago

JDBraun commented 6 months ago

The firewall is currently allowing non-HTTPS/HTTP traffic because there is no corresponding drop rule.

jdbraun-db commented 6 months ago

This is a priority issue and is currently being worked on. Due to a limitation in AWS Network Firewall, HTTP/HTTPS traffic is inspected and limited, but other traffic, such as on port 3306, is not being limited to the FQDNs in the allow list. To mitigate in the short term, a user can drop the required traffic in the "firewall_protocol_deny_list" variable, then use derby configs with Unity Catalog.

https://kb.databricks.com/metastore/set-up-embedded-metastore
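One way to implement the short-term mitigation described in the comment above, as an added Terraform example (not the repository's own code or the change in PR #35): an AWS Network Firewall stateful rule group that drops each protocol/port pair listed in `firewall_protocol_deny_list`, because the FQDN domain-list rules only inspect HTTP and TLS flows. The variable's object shape, the rule group name and the `sid` numbering are assumptions.

```hcl
# Added example, not code from terraform-databricks-sra.
# Assumed: the variable type below (protocol + port objects), the rule
# group name, and sequential sid values. Adjust to the module's real shape.

variable "firewall_protocol_deny_list" {
  description = "Non-HTTP/HTTPS traffic to drop, since domain-list rules cannot filter it by FQDN"
  type = list(object({
    protocol = string # AWS Network Firewall protocol keyword, e.g. "TCP" or "UDP"
    port     = string # destination port, e.g. "3306" (MySQL, the case in the issue)
  }))
  default = [
    { protocol = "TCP", port = "3306" },
  ]
}

resource "aws_networkfirewall_rule_group" "protocol_deny" {
  capacity = 100                # assumed capacity; one unit per rule is enough here
  name     = "sra-protocol-deny" # assumed name
  type     = "STATEFUL"

  rule_group {
    rules_source {
      # One DROP rule per deny-list entry. Each stateful rule needs a unique sid,
      # so the list index (1-based) is used as the sid.
      dynamic "stateful_rule" {
        for_each = { for i, r in var.firewall_protocol_deny_list : tostring(i + 1) => r }
        content {
          action = "DROP"
          header {
            protocol         = stateful_rule.value.protocol
            source           = "ANY"     # narrow to the VPC CIDR if only egress should be dropped
            source_port      = "ANY"
            direction        = "FORWARD" # source -> destination only
            destination      = "ANY"
            destination_port = stateful_rule.value.port
          }
          rule_option {
            keyword  = "sid"
            settings = [stateful_rule.key]
          }
        }
      }
    }
  }
}
```

The rule group still has to be referenced from the firewall policy via a `stateful_rule_group_reference` block; ports not in the list keep bypassing the FQDN allow list, which is the gap the issue tracks.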

jdbraun-db commented 6 months ago

Currently addressed in this PR: https://github.com/databricks/terraform-databricks-sra/pull/35. Will continue to assess other traffic as need be.