eli-383 switching to trying to restrict egress via security groups rather than nacls

Author: eddalmond1

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -344,6 +344,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "ec2:ReplaceNetworkAclAssociation",
           "ec2:DeleteSecurityGroup",
           "ec2:DeleteNetworkAcl",
+          "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
 
           # ssm
           "ssm:GetParameter",

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -64,6 +64,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:CreateFlowLogs",
       "ec2:ReplaceNetworkAclAssociation",
       "ec2:DeleteSecurityGroup",
+      "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
 
       # EventBridge - alarm forwarding to Splunk
       "events:PutRule",

infrastructure/stacks/networking/locals.tf

@@ -1,4 +1,5 @@
 locals {
+  any_ip_cidr           = "0.0.0.0/0"
   vpc_cidr_block        = "10.0.0.0/16"
   private_subnet_1_cidr = "10.0.6.0/24"
   private_subnet_2_cidr = "10.0.7.0/24"
@@ -13,15 +14,15 @@ locals {
 
   # VPC Interface Endpoints
   vpc_interface_endpoints = {
-    kms              = "com.amazonaws.${local.region}.kms"
-    cloudwatch-logs  = "com.amazonaws.${local.region}.logs"
-    ssm              = "com.amazonaws.${local.region}.ssm"
-    secrets-manager  = "com.amazonaws.${local.region}.secretsmanager"
-    lambda           = "com.amazonaws.${local.region}.lambda"
-    sts              = "com.amazonaws.${local.region}.sts"
-    sqs              = "com.amazonaws.${local.region}.sqs"
-    kinesis-firehose = "com.amazonaws.${local.region}.kinesis-firehose"
-    xray             = "com.amazonaws.${local.region}.xray"
+    kms               = "com.amazonaws.${local.region}.kms"
+    cloudwatch-logs   = "com.amazonaws.${local.region}.logs"
+    ssm               = "com.amazonaws.${local.region}.ssm"
+    secrets-manager   = "com.amazonaws.${local.region}.secretsmanager"
+    lambda            = "com.amazonaws.${local.region}.lambda"
+    sts               = "com.amazonaws.${local.region}.sts"
+    sqs               = "com.amazonaws.${local.region}.sqs"
+    kinesis-firehose  = "com.amazonaws.${local.region}.kinesis-firehose"
+    xray              = "com.amazonaws.${local.region}.xray"
 
   }
 

infrastructure/stacks/networking/network_acls.tf

@@ -7,38 +7,16 @@ resource "aws_network_acl" "private" {
     aws_subnet.private_3.id
   ]
 
-  # Allow outbound traffic from private subnets to VPC CIDR only
+  # Allow all outbound traffic from private subnets
   egress {
     rule_no    = 100
     action     = "allow"
-    cidr_block = local.vpc_cidr_block
+    cidr_block = "0.0.0.0/0"
     protocol   = -1
     from_port  = 0
     to_port    = 0
   }
 
-  # Allow HTTPS egress for Gateway endpoints (S3 and DynamoDB)
-  # Gateway endpoints use AWS prefix lists which can't be specified in NACLs
-  # This allows HTTPS to any destination, but security groups still control actual access
-  egress {
-    rule_no    = 110
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 443
-    to_port    = 443
-  }
-
-  # Allow ephemeral port responses for Gateway endpoint traffic
-  egress {
-    rule_no    = 120
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 1024
-    to_port    = 65535
-  }
-
   # Allow inbound traffic from within the VPC
   ingress {
     rule_no    = 100
@@ -49,31 +27,21 @@ resource "aws_network_acl" "private" {
     to_port    = 0
   }
 
-  # Allow HTTPS responses from Gateway endpoints
-  ingress {
-    rule_no    = 110
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 443
-    to_port    = 443
-  }
-
   # Block RDP access
   ingress {
-    rule_no    = 150
-    action     = "deny"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 3389
-    to_port    = 3389
+  rule_no    = 150
+  action     = "deny"
+  cidr_block = "0.0.0.0/0"
+  protocol   = "tcp"
+  from_port  = 3389
+  to_port    = 3389
   }
 
-  # Allow responses to outbound requests (ephemeral ports) from VPC endpoints
+  # Allow responses to outbound requests (ephemeral ports)
   ingress {
     rule_no    = 200
     action     = "allow"
-    cidr_block = local.vpc_cidr_block
+    cidr_block = "0.0.0.0/0"
     protocol   = "tcp"
     from_port  = 1024
     to_port    = 65535

infrastructure/stacks/networking/vpc_endpoints.tf

@@ -20,12 +20,34 @@ resource "aws_security_group_rule" "main_https_in" {
 }
 
 resource "aws_security_group_rule" "main_https_out" {
-  description       = "Allow VPC resources to access VPC endpoints and AWS services"
+  description       = "Allow HTTPS access to Interface VPC Endpoints within VPC"
   type              = "egress"
   from_port         = local.default_port
   to_port           = local.default_port
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = [local.vpc_cidr_block]
+  security_group_id = aws_security_group.main.id
+}
+
+# Allow egress to S3 via Gateway endpoint prefix list
+resource "aws_security_group_rule" "main_s3_prefix_out" {
+  description       = "Allow HTTPS access to S3 via Gateway endpoint"
+  type              = "egress"
+  from_port         = local.default_port
+  to_port           = local.default_port
+  protocol          = "tcp"
+  prefix_list_ids   = [aws_vpc_endpoint.gateways["s3"].prefix_list_id]
+  security_group_id = aws_security_group.main.id
+}
+
+# Allow egress to DynamoDB via Gateway endpoint prefix list
+resource "aws_security_group_rule" "main_dynamodb_prefix_out" {
+  description       = "Allow HTTPS access to DynamoDB via Gateway endpoint"
+  type              = "egress"
+  from_port         = local.default_port
+  to_port           = local.default_port
+  protocol          = "tcp"
+  prefix_list_ids   = [aws_vpc_endpoint.gateways["dynamodb"].prefix_list_id]
   security_group_id = aws_security_group.main.id
 }