lijoyoung / cargildemo

A three tier architecture built and provisioned by terraform on AWS
0 stars 0 forks source link

Initial Review (Naren) #1

Open sekarnaren opened 5 years ago

sekarnaren commented 5 years ago

IGW is meant for ingress and not egress. you have to use NAT GW for egress.

 # Grant the VPC internet access on its main route table
resource "aws_route" "internet_access" {
  route_table_id         = "${aws_vpc.lijoDemoVPC.main_route_table_id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.default.id}"
}

Its a good practice (infact secure practice) to allow ELB security group access to you web and flask app instead of VPC CIDR.

  # HTTP access from the VPC
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }

Better and secure to specific on the DB port (3306) for mysql RDS rather than a range 0 to 65535

# DB resources
resource "aws_security_group" "default" {
  name        = "main_rds_sg"
  description = "Allow all inbound traffic"
  vpc_id      = "${aws_vpc.lijoDemoVPC.id}"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "TCP"
    cidr_blocks = ["${var.cidr_blocks}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.sg_name}"
  }
}
lijoyoung commented 5 years ago

All agreed. As you can clearly see, I couldn't get to tighten security coz of lack of time. A good example is the DB port (3306) for sure :)

lijoyoung commented 5 years ago

A few more security flaws when I reviewed: