Turbot Managed AWS Security Groups

Overview

Turbot provides a number of ways to manage AWS Security Groups:

  1. Turbot - Defined and managed by Turbot.
  2. Turbot Managed - Defined through Customer Policies, managed by Turbot.
  3. Custom - Defined and managed in AWS. Guardrail within Turbot.

This document outlines how Turbot Managed AWS Security Groups can be defined and best practices for their use.

Motivation

AWS Security Groups are a key security control, limiting both ingress and egress to resources. It’s important that they are well managed, clearly defined, and under control.

Security Groups are also a key point of customization with many different applications requiring specific definitions and enterprise environments often having specific locations for services.

Turbot’s built-in security groups cover many common cases (e.g. web_public, db_private), but cannot be an exhaustive approach.

Managing common security groups at scale across accounts is a challenging problem:

  • Different security groups are required in different accounts.
  • Security group rules require local information like CIDR ranges.
  • Allowing management of custom rules while protecting common rules requires highly complex IAM definitions.
  • Drift detection and management is difficult with configuration management tools like CloudFormation or Terraform.

Turbot Managed security groups provide a simple, policy-based definition, with full automation of deployment and management over time.

Policy-based definition

Turbot Managed security groups are defined in the VPC > Security Group Extended Rules policy. Turbot will ensure each security group defined in the policy exists and is configured exactly as specified. Any drift will be detected and repaired.

These security groups are not subject to Turbot Guardrails; instead, this definition is considered definitive and approved.

Policies are subject to the usual Turbot capabilities:

  • Set as Policy to prevent changes.
  • Set as Recommended to provide a default, but allow customization.
  • Use Turbot::Inherit to build on higher level policies.

YAML Format and Examples

VPC > Security Group Extended Rules is a YAML array of Security Group definitions. They have all the basic capabilities of Turbot policy YAML arrays.

A simple security group definition is:

- my_sg_simple_ingress:
    description: Allow ingress on 1234 from 10.1.0.0/16.
    ipRules:
      - from: '10.1.0.0/16'
        fromPort: 1234

Unlike AWS security groups, Turbot does NOT automatically add an allow-all egress rule if no egress rules are defined. Egress rules can be added to security groups as follows:

- my_sg_simple_egress:
    description: Allow egress on 123 to 192.168.1.0/24.
    ipRules:
      - direction: 'egress'
        to: '192.168.1.0/24'
        fromPort: 123

Port ranges can be defined:

- my_sg_with_port_ranges:
    description: Allow ingress on 1234 through 1238 (inclusive) from 10.1.0.0/16. Allow egress on 123 through 128 (inclusive) to 192.168.1.0/24.
    ipRules:
      - from: '10.1.0.0/16'
        fromPort: 1234
        toPort:   1238
      - direction: 'egress'
        to: '192.168.1.0/24'
        fromPort: 123
        toPort:   128

Multiple ingress rules can be defined:

- my_sg_multiple_ingress:
    description: Allow ingress on 1234 from 10.1.0.0/16 and 10.2.0.0/16.
    ipRules:
      - from: '10.1.0.0/16'
        fromPort: 1234
      - from: '10.2.0.0/16'
        fromPort: 1234

Different protocols can be specified. The default is TCP:

- my_sg_with_protocols:
    description: Allow multiple protocols to communicate in on port 1234. Also, allow all ICMP.
    ipRules:
      - from: '10.1.0.0/16'
        ipProtocol: tcp
        fromPort: 1234
      - from: '10.1.0.0/16'
        ipProtocol: udp
        fromPort: 1234
      - from: '10.1.0.0/16'
        ipProtocol: icmp
        fromPort: -1
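The rule fields shown above have defaults the page states only in passing: a rule is ingress unless direction says otherwise, tcp unless ipProtocol says otherwise, and a single port unless toPort is given, and no allow-all egress is ever implied. The following added example (not Turbot's code; Turbot's own normalization and drift-repair logic is not published on this page) applies those defaults to a constructed policy entry in the same YAML shape (already parsed, so no YAML library is needed), flattens a constructed DescribeSecurityGroups-style record into the same rule shape, and reports the drift: rules that must be added and rules that must be revoked to get back to the policy. The group name, CIDRs and ports are constructed sample values.

```python
"""Expand Turbot-style ipRules shorthand into fully specified rules and
diff them against the rules observed on an AWS security group.

The policy is given in the parsed form of the page's YAML (what PyYAML
would return), so the example runs without a YAML library."""

from typing import Set, Tuple

# (direction, ipProtocol, cidr, fromPort, toPort): one concrete rule
Rule = Tuple[str, str, str, int, int]

# Constructed policy entry in the page's YAML shape, already parsed.
POLICY = [
    {
        "my_sg_example": {
            "description": "Constructed example: app ports and ICMP in, Postgres out.",
            "ipRules": [
                {"from": "10.1.0.0/16", "fromPort": 8000, "toPort": 8010},
                {"from": "10.1.0.0/16", "ipProtocol": "icmp", "fromPort": -1},
                {"direction": "egress", "to": "10.3.0.0/24", "fromPort": 5432},
            ],
        }
    }
]

# Constructed observed state in the shape of an EC2 DescribeSecurityGroups
# entry: the desired egress rule is absent, an SSH rule was added by hand,
# and the AWS default allow-all egress is still present.
OBSERVED = {
    "GroupName": "my_sg_example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8010,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def normalize_rule(rule: dict) -> Rule:
    """Apply the page's defaults: ingress, tcp, toPort == fromPort."""
    direction = rule.get("direction", "ingress")
    if direction not in ("ingress", "egress"):
        raise ValueError(f"unknown direction {direction!r}")
    cidr_key = "from" if direction == "ingress" else "to"
    if cidr_key not in rule:
        raise ValueError(f"{direction} rule must set {cidr_key!r}")
    protocol = str(rule.get("ipProtocol", "tcp")).lower()
    from_port = int(rule["fromPort"])
    to_port = int(rule.get("toPort", from_port))
    if protocol in ("tcp", "udp") and not 0 <= from_port <= to_port <= 65535:
        raise ValueError(f"bad port range {from_port}-{to_port}")
    return (direction, protocol, str(rule[cidr_key]), from_port, to_port)


def desired_rules(entry: dict) -> Tuple[str, Set[Rule]]:
    """Return (group name, rule set) for one policy array element.
    No allow-all egress is added: the set is exactly what the policy says."""
    (name, body), = entry.items()
    return name, {normalize_rule(r) for r in body.get("ipRules", [])}


def observed_rules(group: dict) -> Set[Rule]:
    """Flatten DescribeSecurityGroups permissions into the same Rule shape."""
    rules: Set[Rule] = set()
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            # IpProtocol "-1" (all traffic) carries no ports in the API; map to -1/-1
            from_port = int(perm.get("FromPort", -1))
            to_port = int(perm.get("ToPort", -1))
            for ip_range in perm.get("IpRanges", []):
                rules.add((direction, perm["IpProtocol"], ip_range["CidrIp"], from_port, to_port))
    return rules


def drift(desired: Set[Rule], observed: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """(rules to add, rules to revoke) to bring the group back to policy."""
    return desired - observed, observed - desired


if __name__ == "__main__":
    name, want = desired_rules(POLICY[0])
    to_add, to_revoke = drift(want, observed_rules(OBSERVED))
    print(name, "add:", sorted(to_add), "revoke:", sorted(to_revoke))
```

Run against the constructed state, the missing egress rule to 10.3.0.0/24 shows up as an addition, while both the hand-added SSH rule and the AWS default allow-all egress show up as revocations; that second revocation is exactly the consequence of the "no automatic egress" behaviour described above, and is what a reader should expect to see when a console-created group is brought under a Turbot Managed definition.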

Turbot provides predefined CIDR ranges that are calculated based on the context where the rule is being used. The following cases are supported:

  • internet - Defined in AWS > VPC > Security Group Internet CIDR Ranges.
  • intranet - Defined in AWS > VPC > Security Group Intranet CIDR Ranges.
  • bastion - Defined in AWS > VPC > Security Group Bastion CIDR Ranges.
  • vpc - CIDR of the VPC where the security group is defined.
  • private - CIDRs of the private subnets of the VPC where the security group is defined.
  • dns - Defined in AWS > VPC > DHCP Options Domain Name Servers.
  • self - A reference to the security group itself, allowing pairing for traffic.

Here are examples of predefined ranges:

- my_sg_web_public:
    description: Allow ingress on web ports from the Public Internet. (It would be easier to use web_public from Turbot instead!)
    ipRules:
      - from: internet
        fromPort: 80
      - from: internet
        fromPort: 443

- my_sg_pair:
    description: Allow traffic on port 1234 between instances in my_sg_pair.
    ipRules:
      - from: self
        fromPort: 1234
      - direction: 'egress'
        to: self
        fromPort: 1234
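The predefined names above resolve to different things: internet, intranet, bastion, vpc and private are lists of CIDRs; dns comes from name-server addresses, which are hosts rather than prefixes; and self is a reference to the security group itself, which AWS expresses as a group reference rather than an IP range. The added example below (not Turbot's resolution code, which the page does not show) resolves each name against a constructed evaluation context and builds the EC2 IpPermission-shaped structure a rule would become. The context values, the placeholder group id and the widening of name-server hosts to /32 (or /128 for IPv6) are this example's assumptions.

```python
"""Resolve the page's predefined range names (internet, intranet, bastion,
vpc, private, dns, self) into the concrete targets an EC2 IpPermission
carries. Context values are constructed stand-ins for the policies and VPC
facts Turbot would read at evaluation time."""

import ipaddress
from typing import Dict, List

# Constructed evaluation context. In Turbot these come from the named
# policies (internet/intranet/bastion CIDR ranges, DHCP option domain name
# servers) and from the VPC the security group lives in.
CONTEXT = {
    "internet": ["0.0.0.0/0"],
    "intranet": ["10.0.0.0/8", "172.16.0.0/12"],
    "bastion": ["10.250.0.0/24"],
    "vpc": ["10.1.0.0/16"],
    "private": ["10.1.10.0/24", "10.1.11.0/24"],
    "dns": ["10.1.0.2"],             # name servers are hosts, not prefixes
    "self": "sg-0123456789abcdef0",  # placeholder group id, not a real one
}

PREDEFINED = {"internet", "intranet", "bastion", "vpc", "private", "dns", "self"}


def resolve_target(value: str, ctx: dict) -> List[Dict[str, str]]:
    """Turn a rule's from/to value into EC2 permission targets.

    CIDR-backed names and literal CIDRs become CidrIp entries; 'self' becomes
    a GroupId entry because AWS references the group, not a CIDR, for that.
    Name-server hosts are widened to a single-address prefix here; that
    widening is this example's assumption, not something the page states."""
    if value == "self":
        return [{"GroupId": ctx["self"]}]
    if value == "dns":
        hosts = [ipaddress.ip_address(ip) for ip in ctx["dns"]]
        return [{"CidrIp": f"{ip}/{ip.max_prefixlen}"} for ip in hosts]
    cidrs = ctx[value] if value in PREDEFINED else [value]  # literal CIDR otherwise
    # strict=True rejects host bits set inside the prefix, e.g. 10.1.1.1/16
    return [{"CidrIp": str(ipaddress.ip_network(c, strict=True))} for c in cidrs]


def to_permission(rule: dict, ctx: dict) -> Dict:
    """Build one IpPermission-shaped dict from a Turbot ipRule, applying the
    page's defaults (ingress, tcp, single port) and splitting CIDR targets
    from group references the way the EC2 API does."""
    direction = rule.get("direction", "ingress")
    value = rule["from"] if direction == "ingress" else rule["to"]
    from_port = int(rule["fromPort"])
    perm = {
        "IpProtocol": str(rule.get("ipProtocol", "tcp")).lower(),
        "FromPort": from_port,
        "ToPort": int(rule.get("toPort", from_port)),
        "IpRanges": [],
        "UserIdGroupPairs": [],
    }
    for target in resolve_target(value, ctx):
        bucket = "UserIdGroupPairs" if "GroupId" in target else "IpRanges"
        perm[bucket].append(target)
    return perm


if __name__ == "__main__":
    print(to_permission({"from": "private", "fromPort": 1234}, CONTEXT))
    print(to_permission({"direction": "egress", "to": "self", "fromPort": 1234}, CONTEXT))
```

Because the VPC-derived names (vpc, private) and the group reference (self) are only known once the group's placement is fixed, the same policy entry yields different concrete rules in different accounts and VPCs; that is what lets one Turbot::Inherit-ed definition serve many accounts without local CIDRs ever appearing in the shared policy.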