hashicorp / terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
Apache License 2.0

Question about security group #107

Open cytopia opened 6 years ago

cytopia commented 6 years ago

Dear Maintainer,

I have a couple of questions regarding your security group definitions.

My goal is to have the least possible access and only access the vault servers via their ELB from anywhere. Apart from that, each of the servers (vault and consul) should have very strict rules, as there are also other EC2 instances in the same VPC which should NOT be able to access them.

vault_cluster.allowed_inbound_cidr_blocks

Is this supposed to be HTTPS access to each of the vault clusters? Is it sufficient, if I only allow the Vault ELB as inbound or does each vault cluster also need to talk to the other vault clusters?

module "vault_cluster" {
  ...
  allowed_inbound_cidr_blocks          = ["0.0.0.0/0"]
  ...
}

security_group_rules.allowed_inbound_cidr_blocks

Is it safe to only specify the CIDR of the consul clusters or do I need external access here?

module "security_group_rules" {
  ...
  allowed_inbound_cidr_blocks          = ["0.0.0.0/0"]
  ...
}

consul_cluster.allowed_inbound_cidr_blocks

What exactly needs to connect to the consul cluster as the safest minimum?

module "consul_cluster" {
  ...
  allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
  ...
}

brikis98 commented 6 years ago

Is this supposed to be HTTPS access to each of the vault clusters? Is it sufficient, if I only allow the Vault ELB as inbound or does each vault cluster also need to talk to the other vault clusters?

If you only want access via the ELB, then set allowed_inbound_cidr_blocks to an empty list and set allowed_inbound_security_group_ids to the security group of the ELB.

Is it safe to only specify the CIDR of the consul clusters or do I need external access here?

The Consul agents should be accessible from Vault and Consul. Add both of their security group IDs to allowed_inbound_security_group_ids.

What exactly needs to connect to the consul cluster as the safest minimum?

Consul should be accessible from Vault. Add its security group IDs to allowed_inbound_security_group_ids.
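The three answers above, wired together as one locked-down configuration. This is an added illustration by the editor, not code from the issue thread or from the module's own documentation, and it uses Terraform 0.12+ syntax. The module source paths, the `<pinned-tag>` placeholder, and the output names `security_group_id` and `load_balancer_security_group_id` are assumptions that the thread does not show; check them against the module version you actually use.

```hcl
# Added example (editor's illustration, not code from the issue thread or from
# the module's own documentation). Terraform 0.12+ syntax.
# Assumed, because the thread does not show them: the module source paths, the
# <pinned-tag> version placeholder, and the output names `security_group_id`
# and `load_balancer_security_group_id`.

module "vault_elb" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-elb?ref=<pinned-tag>"
  # name, vpc_id, subnet_ids and the other ELB inputs are omitted; the ELB is
  # the only component that is meant to be reachable from outside the VPC.
}

module "vault_cluster" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=<pinned-tag>"

  # No CIDR-based ingress at all: only the ELB's security group may reach
  # Vault's API port. Vault-to-Vault traffic stays inside the cluster's own
  # security group, so no other source is listed here.
  allowed_inbound_cidr_blocks        = []
  allowed_inbound_security_group_ids = [module.vault_elb.load_balancer_security_group_id]
  # ... remaining cluster inputs omitted
}

module "consul_cluster" {
  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-cluster?ref=<pinned-tag>"

  # Consul servers accept inbound traffic only from the Vault instances'
  # security group (the Consul client agents running on the Vault nodes).
  allowed_inbound_cidr_blocks        = []
  allowed_inbound_security_group_ids = [module.vault_cluster.security_group_id]
  # ... remaining cluster inputs omitted
}

# Client-side Consul rules applied to the Vault instances' security group: the
# Consul agent on each Vault node must be reachable from the Consul servers and
# from the other Vault nodes, because gossip traffic flows in both directions.
module "security_group_rules" {
  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-client-security-group-rules?ref=<pinned-tag>"

  security_group_id           = module.vault_cluster.security_group_id
  allowed_inbound_cidr_blocks = []
  allowed_inbound_security_group_ids = [
    module.vault_cluster.security_group_id,
    module.consul_cluster.security_group_id,
  ]
}
```

There is no dependency cycle: `consul_cluster` and `security_group_rules` read outputs of `vault_cluster`, but `vault_cluster` reads nothing from them. Before applying, read every `aws_security_group_rule` that `terraform plan` proposes: each should carry either `self = true` or a `source_security_group_id`, and none should carry `0.0.0.0/0`. Other EC2 instances in the same VPC are then excluded simply because they belong to none of these three security groups.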

cytopia commented 6 years ago

@brikis98 thanks for the reply. I dug a little deeper into this and am in need of some more clarifications. I'm a bit lost at the moment and want to ensure that I give out the least possible privileges. I will put it as simple yes/no so I can make sure I only have what I really need.

Vault

8301 (consul agent port?)

In your example 8301 is allowing TCP and UDP.

  1. Does the vault instance need to allow inbound TCP on 8301 from itself?
  2. Does the vault instance need to allow inbound TCP on 8301 from other vault instances?
  3. Does the vault instance need to allow inbound TCP on 8301 from consul instances?
  4. Does the vault instance need to allow inbound UDP on 8301 from itself?
  5. Does the vault instance need to allow inbound UDP on 8301 from other vault instances?
  6. Does the vault instance need to allow inbound UDP on 8301 from consul instances?

8201 (Vault HA port?)

In your example 8201 is only allowing TCP.

  1. Does the vault instance need to allow inbound TCP on 8201 from itself?
  2. Does the vault instance need to allow inbound TCP on 8201 from other vault instances?
  3. Does the vault instance need to allow inbound TCP on 8201 from consul instances?

Consul

8300 (server rpc port)

In your example 8300 is only allowing TCP.

  1. Does the consul instance need to allow inbound TCP on 8300 from itself?
  2. Does the consul instance need to allow inbound TCP on 8300 from other consul instances?
  3. Does the consul instance need to allow inbound TCP on 8300 from vault instances?

8301 (lan port)

In your example 8301 is allowing TCP and UDP.

  1. Does the consul instance need to allow inbound TCP on 8301 from itself?
  2. Does the consul instance need to allow inbound TCP on 8301 from other consul instances?
  3. Does the consul instance need to allow inbound TCP on 8301 from vault instances?
  4. Does the consul instance need to allow inbound UDP on 8301 from itself?
  5. Does the consul instance need to allow inbound UDP on 8301 from other consul instances?
  6. Does the consul instance need to allow inbound UDP on 8301 from vault instances?

8302 (wan port???)

In your example 8302 is allowing TCP and UDP.

As the name says serf_wan_port, is this actually required for a setup in a single VPC?

  1. Does the consul instance need to allow inbound TCP on 8302 from itself?
  2. Does the consul instance need to allow inbound TCP on 8302 from other consul instances?
  3. Does the consul instance need to allow inbound TCP on 8302 from vault instances?
  4. Does the consul instance need to allow inbound UDP on 8302 from itself?
  5. Does the consul instance need to allow inbound UDP on 8302 from other consul instances?
  6. Does the consul instance need to allow inbound UDP on 8302 from vault instances?

8500 (api port?)

In your example 8500 is only allowing TCP.

  1. Does the consul instance need to allow inbound TCP on 8500 from itself?
  2. Does the consul instance need to allow inbound TCP on 8500 from other consul instances?
  3. Does the consul instance need to allow inbound TCP on 8500 from vault instances?

8600 (dns port?)

In your example 8600 is allowing TCP and UDP.

  1. Does the consul instance need to allow inbound TCP on 8600 from itself?
  2. Does the consul instance need to allow inbound TCP on 8600 from other consul instances?
  3. Does the consul instance need to allow inbound TCP on 8600 from vault instances?
  4. Does the consul instance need to allow inbound UDP on 8600 from itself?
  5. Does the consul instance need to allow inbound UDP on 8600 from other consul instances?
  6. Does the consul instance need to allow inbound UDP on 8600 from vault instances?

Others

cli rpc port

I also see Consul inbound 8400/tcp from vault and 0.0.0.0/0 by the default example, however no vault instance exposes this port, or am I missing something here?

Thanks for your time.
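The port-by-port rules the questions above enumerate, written out as explicit `aws_security_group_rule` resources so that `terraform plan` shows exactly which port, protocol and source security group each rule opens. This is an added example by the editor, not code from either participant or from the module. It assumes that `aws_security_group.consul` (the Consul servers), `aws_security_group.vault` (the Vault nodes, each running a Consul client agent) and `aws_security_group.elb` are defined elsewhere, and that Vault is configured to talk to its local Consul agent on 127.0.0.1. Port numbers and their roles are the Consul and Vault defaults; Terraform 0.12+ syntax.

```hcl
# Added example (editor's, not from the thread or the module): explicit inbound
# rules for the ports discussed above. Assumed to exist elsewhere:
# aws_security_group.consul, aws_security_group.vault, aws_security_group.elb.
# Port numbers and roles are Consul/Vault defaults.

locals {
  # Rules on the Consul server security group. `self = true` means "from this
  # same security group"; `source` names another group; null leaves the
  # argument unset (the AWS provider rejects setting both on one rule).
  consul_server_ingress = {
    # 8300: server RPC, used between servers and by client agents on the Vault nodes.
    server_rpc_from_self  = { port = 8300, protocol = "tcp", self = true, source = null }
    server_rpc_from_vault = { port = 8300, protocol = "tcp", self = null, source = aws_security_group.vault.id }
    # 8301: Serf LAN gossip, TCP and UDP, among all agents in the datacenter.
    serf_lan_tcp_self     = { port = 8301, protocol = "tcp", self = true, source = null }
    serf_lan_udp_self     = { port = 8301, protocol = "udp", self = true, source = null }
    serf_lan_tcp_vault    = { port = 8301, protocol = "tcp", self = null, source = aws_security_group.vault.id }
    serf_lan_udp_vault    = { port = 8301, protocol = "udp", self = null, source = aws_security_group.vault.id }
    # 8302: Serf WAN gossip between servers of different datacenters. In a
    # single VPC only the servers themselves take part; client agents never do.
    serf_wan_tcp_self     = { port = 8302, protocol = "tcp", self = true, source = null }
    serf_wan_udp_self     = { port = 8302, protocol = "udp", self = true, source = null }
    # No cross-instance rules for 8500 (HTTP API) or 8600 (DNS): Vault uses the
    # agent on 127.0.0.1. No rule for 8400 either, which the thread notes
    # nothing exposes.
  }

  # Rules on the Vault security group: Vault itself plus its Consul client agent.
  vault_ingress = {
    # 8200: Vault API, reachable only through the ELB.
    api_from_elb        = { port = 8200, protocol = "tcp", self = null, source = aws_security_group.elb.id }
    # 8201: Vault cluster port, request forwarding between Vault nodes only.
    cluster_from_self   = { port = 8201, protocol = "tcp", self = true, source = null }
    # 8301: the client agent gossips with the other Vault nodes and the servers.
    serf_lan_tcp_self   = { port = 8301, protocol = "tcp", self = true, source = null }
    serf_lan_udp_self   = { port = 8301, protocol = "udp", self = true, source = null }
    serf_lan_tcp_consul = { port = 8301, protocol = "tcp", self = null, source = aws_security_group.consul.id }
    serf_lan_udp_consul = { port = 8301, protocol = "udp", self = null, source = aws_security_group.consul.id }
  }
}

resource "aws_security_group_rule" "consul_server_ingress" {
  for_each = local.consul_server_ingress

  type                     = "ingress"
  security_group_id        = aws_security_group.consul.id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = each.value.protocol
  self                     = each.value.self   # null leaves the argument unset
  source_security_group_id = each.value.source # null leaves the argument unset
  description              = each.key
}

resource "aws_security_group_rule" "vault_ingress" {
  for_each = local.vault_ingress

  type                     = "ingress"
  security_group_id        = aws_security_group.vault.id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = each.value.protocol
  self                     = each.value.self
  source_security_group_id = each.value.source
  description              = each.key
}
```

Every map entry carries the same four keys so Terraform can type the map consistently for `for_each`; a null `self` or `source` is simply not sent to the provider. The `description` set from the map key makes the intent of each rule visible in the AWS console, which is useful when auditing later drift.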