Open sekarnaren opened 5 years ago
All agreed. As you can clearly see, I couldn't get to tighten security because of lack of time. A good example is the DB port (3306) for sure :)
A few more security flaws when I reviewed:
the flask_sg (line 94) should only have had ssh and port 5000 access from within the VPC, not 0.0.0.0/0
same with the db security group (line 209)
the db-password is hard-coded in the variable.tf file. (There must be some vault kind of feature in Terraform, but I need to figure that out.) Or perhaps pick the password from host environment variables
the db is not encrypted. (line 253)
skip_final_snapshot = "true" so that it's easy on demo and we can do 'terraform destroy' easily.
IGW is meant for ingress and not egress. You have to use a NAT GW for egress.
It's a good practice (in fact a secure practice) to allow ELB security group access to your web and flask app instead of the VPC CIDR.
Better and more secure to be specific on the DB port (3306) for MySQL RDS rather than a range of 0 to 65535
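A hardened Terraform sketch covering the points raised in this comment, added here as an example; it is not code from the original repository. Every resource name (`elb_sg`, `flask_sg`, `db_sg`, `aws_vpc.main`, the subnet and route table references), the VPC CIDR and the instance sizing are assumptions. Supplying `var.db_password` through the `TF_VAR_db_password` environment variable and marking it `sensitive` (Terraform 0.14+) is Terraform's standard mechanism, which answers the "pick the password from host environment variables" idea without a vault.

```hcl
# Added example, not the project's own code. All names below are assumed.

# Password comes from the host: export TF_VAR_db_password='...'
# No default, so nothing is committed to variable.tf.
variable "db_password" {
  type      = string
  sensitive = true
}

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16" # constructed sample value
}

# The ELB is the only thing reachable from the internet.
resource "aws_security_group" "elb_sg" {
  name   = "elb-sg"
  vpc_id = aws_vpc.main.id # assumed VPC resource

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Flask app: 5000 only from the ELB's security group, ssh only from inside the VPC.
resource "aws_security_group" "flask_sg" {
  name   = "flask-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 5000
    to_port         = 5000
    protocol        = "tcp"
    security_groups = [aws_security_group.elb_sg.id]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Database: exactly port 3306, and only from the flask group (no 0-65535 range).
resource "aws_security_group" "db_sg" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.flask_sg.id]
  }
}

resource "aws_db_instance" "mysql" {
  identifier             = "demo-mysql"
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "admin"
  password               = var.db_password
  storage_encrypted      = true   # encryption at rest, the missing setting at line 253
  publicly_accessible    = false
  vpc_security_group_ids = [aws_security_group.db_sg.id]
  db_subnet_group_name   = aws_db_subnet_group.db.name # assumed subnet group
  skip_final_snapshot    = true   # bool, demo only; keeps 'terraform destroy' simple
}

# Egress for private subnets goes through a NAT gateway, not the IGW.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id # assumed public subnet
}

resource "aws_route" "private_egress" {
  route_table_id         = aws_route_table.private.id # assumed private route table
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}
```

Run `terraform plan` with `TF_VAR_db_password` exported; because the variable is marked `sensitive`, its value is redacted in plan output, though it still lands in the state file, so the state backend itself needs access controls.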