Open galenatjpl opened 3 months ago
jpl-btlunsfo
commented
1 month ago These PRs (unity-proxy#6 & unity-cs-infra#99) should handle locking down the venue ALB per
Make sure the httpd ECS is only accessible from the venue ALB (ECS should be in private subnet)
However, this does not include moving the management console or the ECS venue services proxy to the private subnet- is that a hard requirement?
galenatjpl
commented
1 month ago @jpl-btlunsfo The Management Console EC2 is already inside a private subnet. I just verified this on unity-venue-dev. The ECS venue proxy is in the public subnet, but I think this is okay for now. I'm not sure if there is a hard requirement to move this at this time. I know that moving the ECS into a private subnet is mentioned in the description of this ticket, but I feel like perhaps that is too much change at this time. If you think it is easy, and wouldn't impact too many things, then lets do it. If you feel like that the juice isn't worth the squeeze at this point, then let's re-write the description of this ticket, and open a future ticket to investigate this. The overall point of this ticket is to make sure things are locked down, and that may or may not require certain components to actually be in private subnets.
The Management Console should not be accessible to anyone with the URL. It needs to be locked down, starting from the entry point in the shared services. This means that the necessary security groups and other necessary access rules need to be in place along the chain.
So, for example:
venue account reach out to shared services. See: https://unity-sds.gitbook.io/docs/developer-docs/common-services/docs/users-guide/deployment/shared-services-deployment. for instructions on how to access cross-account SSM params.