cloud/awscloud: restrict network egress for secure instance
The security instance should no longer have any internet access.
This commit is contained in:
Sanne Raymaekers
parent
56bdcf1cdc
commit
79b5b736e9
1 changed files with 68 additions and 1 deletions
|
|
@ -277,9 +277,76 @@ func (a *AWS) createOrReplaceSG(hostInstanceID, hostIP, vpcID string) (string, e
|
|||
if len(describeSGOutput.SecurityGroups) != 1 {
|
||||
return sgID, fmt.Errorf("Expected 1 security group, got %d", len(describeSGOutput.SecurityGroups))
|
||||
}
|
||||
|
||||
if len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress) != 1 {
|
||||
return sgID, fmt.Errorf("Expected exactly 1 egress rule on the security group (got %d)", len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress))
|
||||
}
|
||||
|
||||
describeSGROutput, err := a.ec2.DescribeSecurityGroupRules(&ec2.DescribeSecurityGroupRulesInput{
|
||||
Filters: []*ec2.Filter{
|
||||
&ec2.Filter{
|
||||
Name: aws.String("group-id"),
|
||||
Values: []*string{
|
||||
aws.String(sgID),
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return sgID, err
|
||||
}
|
||||
|
||||
for _, rule := range describeSGROutput.SecurityGroupRules {
|
||||
if *rule.IsEgress {
|
||||
revokeOutput, err := a.ec2.RevokeSecurityGroupEgress(&ec2.RevokeSecurityGroupEgressInput{
|
||||
GroupId: aws.String(sgID),
|
||||
SecurityGroupRuleIds: []*string{
|
||||
rule.SecurityGroupRuleId,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return sgID, err
|
||||
}
|
||||
if !*revokeOutput.Return {
|
||||
return sgID, fmt.Errorf("Failed to revoke security group %s's egress rule %s", sgID, *rule.SecurityGroupRuleId)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sgEgressOutput, err := a.ec2.AuthorizeSecurityGroupEgress(&ec2.AuthorizeSecurityGroupEgressInput{
|
||||
GroupId: aws.String(sgID),
|
||||
IpPermissions: []*ec2.IpPermission{
|
||||
&ec2.IpPermission{
|
||||
IpProtocol: aws.String(ec2.ProtocolTcp),
|
||||
FromPort: aws.Int64(1),
|
||||
ToPort: aws.Int64(65535),
|
||||
IpRanges: []*ec2.IpRange{
|
||||
&ec2.IpRange{
|
||||
CidrIp: aws.String(fmt.Sprintf("%s/32", hostIP)),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return sgID, err
|
||||
}
|
||||
if !*sgEgressOutput.Return {
|
||||
return sgID, fmt.Errorf("Unable to attach egress rules to SG")
|
||||
}
|
||||
|
||||
describeSGOutput, err = a.ec2.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{
|
||||
GroupIds: []*string{
|
||||
aws.String(sgID),
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return sgID, err
|
||||
}
|
||||
|
||||
// SGs are created with a predefind egress rule that allows all outgoing traffic, so expecting 1 outbound rule
|
||||
if len(describeSGOutput.SecurityGroups[0].IpPermissions) != 1 || len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress) != 1 {
|
||||
return sgID, fmt.Errorf("Expected 3 security group rules: 1 inbound (got %d) and 1 outbound (got %d)",
|
||||
return sgID, fmt.Errorf("Expected 2 security group rules: 1 inbound (got %d) and 1 outbound (got %d)",
|
||||
len(describeSGOutput.SecurityGroups[0].IpPermissions), len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress))
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue