
fix: scope VPC security groups to minimum required ports (#960)#1013

Open
euniceamoni wants to merge 1 commit into
solutions-plug:mainfrom
euniceamoni:fix/security-group-least-privilege

Conversation


@euniceamoni euniceamoni commented Jun 27, 2026

Contributor

Closes #960


Summary

Audits and hardens all VPC security group ingress/egress rules to follow least-privilege per issue #960.

Changes

Architecture change: ecs_tasks SG moved to root main.tf to resolve circular module dependency (ECS↔RDS/Redis). Egress rules added via aws_security_group_rule resources.

| Security Group | Before | After |
|---|---|---|
| alb egress | All ports, 0.0.0.0/0 | Port api_container_port → ecs_tasks SG only |
| ecs_tasks egress | All ports, 0.0.0.0/0 | 5432 → RDS SG, 6379 → Redis SG, 443 → 0.0.0.0/0 |
| rds ingress | 5432 from 10.0.0.0/8 | 5432 from ecs_tasks SG only |
| rds egress | All ports, 0.0.0.0/0 | Removed |
| redis ingress | 6379 from 10.0.0.0/8 | 6379 from ecs_tasks SG only |
| redis egress | All ports, 0.0.0.0/0 | Removed |

CI: Added security-scan job (Checkov) that runs before terraform plan and fails on HIGH/CRITICAL findings.

Acceptance Criteria

  • All security group ingress rules audited and documented via inline comments
  • No 0.0.0.0/0 ingress rules except ports 80/443 on the public ALB
  • Port-range rules replaced with specific port numbers per service
  • Checkov policy check added to CI, fails on overly permissive rules

Testing

  • terraform validate passes locally
  • Checkov scan passes with updated rules (no HIGH/CRITICAL findings on the SG changes)

…lug#960)

- Move ecs_tasks SG to root module to avoid circular dependencies
- ALB SG: restrict egress to container port → ecs_tasks SG only
- ecs_tasks SG: egress limited to 5432 (RDS), 6379 (Redis), 443 (AWS APIs)
- RDS SG: replace 10.0.0.0/8 ingress with ecs_tasks SG reference, remove broad egress
- Redis SG: replace 10.0.0.0/8 ingress with ecs_tasks SG reference, remove broad egress
- Add Checkov CI scan job that fails on HIGH/CRITICAL findings before terraform plan
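The before/after rules from the table above, written out as Terraform for the RDS and ecs_tasks groups. This is an added illustration, not the PR's own diff; the resource and variable names it references (aws_vpc.main, aws_security_group.alb, aws_security_group.redis, var.api_container_port, and the module outputs) are assumed. It also shows why moving ecs_tasks to the root module breaks the ECS↔RDS/Redis cycle: the ECS group needs the RDS/Redis group ids for its egress, and RDS/Redis need the ECS group id for their ingress, so the ECS group is declared with no inline rules and its egress is attached afterwards with aws_security_group_rule.

```hcl
# Added illustration (not the PR's code). Assumed to exist in the root module:
# aws_vpc.main, aws_security_group.alb, aws_security_group.redis and
# variable "api_container_port". Names are hypothetical.

# BEFORE (the pattern the PR removes): any host in 10.0.0.0/8 may open the
# database port, and the group permits unrestricted outbound traffic.
resource "aws_security_group" "rds_before" {
  name   = "rds-before"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"] # whole private range, not just the app tier
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"           # all protocols
    cidr_blocks = ["0.0.0.0/0"]  # anywhere
  }
}

# AFTER: the ecs_tasks group is declared at the root with no inline rules, so
# RDS/Redis can reference it without a module-level dependency cycle.
resource "aws_security_group" "ecs_tasks" {
  name   = "ecs-tasks"
  vpc_id = aws_vpc.main.id
}

# RDS accepts 5432 only from members of the ecs_tasks group. No egress block is
# declared, so the AWS provider removes the default allow-all egress rule.
resource "aws_security_group" "rds" {
  name   = "rds"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.ecs_tasks.id]
  }
}

# ecs_tasks egress, attached as separate rules after both groups exist.
# For an egress rule, source_security_group_id names the destination group.
resource "aws_security_group_rule" "ecs_to_rds" {
  type                     = "egress"
  security_group_id        = aws_security_group.ecs_tasks.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rds.id
}

resource "aws_security_group_rule" "ecs_to_redis" {
  type                     = "egress"
  security_group_id        = aws_security_group.ecs_tasks.id
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.redis.id
}

# 443 to 0.0.0.0/0 remains for AWS API calls; VPC endpoints or a managed
# prefix list would narrow this further.
resource "aws_security_group_rule" "ecs_to_aws_apis" {
  type              = "egress"
  security_group_id = aws_security_group.ecs_tasks.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# ALB may only reach the container port on ecs_tasks members.
resource "aws_security_group_rule" "alb_to_ecs" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = var.api_container_port
  to_port                  = var.api_container_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs_tasks.id
}
```

Referencing a security group id instead of a CIDR means membership, not address, decides who may connect: a compromised host elsewhere in 10.0.0.0/8 gains nothing from being in the same VPC. Keeping the ecs_tasks group free of inline rules is what makes the separate aws_security_group_rule resources safe to combine with it; mixing inline and standalone rules on the same group causes the provider to fight over the rule set.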

drips-wave Bot commented Jun 27, 2026


@euniceamoni Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


Development

Successfully merging this pull request may close these issues.

VPC security groups not scoped to minimum required ports — needs audit

1 participant