[NDR-19] EC2 Default Security Group Hardening (#282)

NogaNHS · web-flow · commit e08e123e96ed · 2025-04-28T13:06:40.000+01:00
* [NDR-19] default vpc and sg
* [NDR-19] add change to default sg in module
diff --git a/bootstrap/README.md b/bootstrap/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.70.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -224,6 +224,8 @@
 | [aws_cloudwatch_metric_alarm.stitching_dlq_new_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cognito_identity_pool.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool) | resource |
 | [aws_cognito_identity_pool_roles_attachment.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment) | resource |
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
 | [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_rum_cognito_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
diff --git a/infrastructure/modules/vpc/README.md b/infrastructure/modules/vpc/README.md
@@ -16,6 +16,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_eip.eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_internet_gateway.ig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_nat_gateway.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
diff --git a/infrastructure/modules/vpc/main.tf b/infrastructure/modules/vpc/main.tf
@@ -18,6 +18,12 @@ resource "aws_vpc" "vpc" {
   }
 }
 
+resource "aws_default_security_group" "default" {
+  vpc_id  = local.is_production ? aws_vpc.vpc[0].id : data.aws_vpc.vpc[0].id
+  ingress = []
+  egress  = []
+}
+
 data "aws_internet_gateway" "ig" {
   count = local.is_production ? 0 : 1
   tags = {
diff --git a/infrastructure/vpc.tf b/infrastructure/vpc.tf
@@ -20,3 +20,15 @@ module "ndr-vpc-ui" {
   environment = var.environment
   owner       = var.owner
 }
+
+resource "aws_default_vpc" "default" {
+  tags = {
+    Name = "Default VPC"
+  }
+}
+
+resource "aws_default_security_group" "default" {
+  vpc_id  = aws_default_vpc.default.id
+  ingress = []
+  egress  = []
+}

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,12 @@ resource "aws_vpc" "vpc" {`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`
	`21`	`+resource "aws_default_security_group" "default" {`
	`22`	`+ vpc_id = local.is_production ? aws_vpc.vpc[0].id : data.aws_vpc.vpc[0].id`
	`23`	`+ ingress = []`
	`24`	`+ egress = []`
	`25`	`+}`
	`26`	`+`
`21`	`27`	`data "aws_internet_gateway" "ig" {`
`22`	`28`	`count = local.is_production ? 0 : 1`
`23`	`29`	`tags = {`