[expired-registration-cleaner] Use dedicated security group for accessing Postgres#1708
Merged
jacobwinch merged 1 commit intomainfrom Mar 4, 2026
Merged
[expired-registration-cleaner] Use dedicated security group for accessing Postgres#1708jacobwinch merged 1 commit intomainfrom
jacobwinch merged 1 commit intomainfrom
Conversation
jacobwinch
added
the
maintenance
Contributor
jacobwinch
force-pushed
the
jw-expired-reg-cleaner-sg
branch
from
eae25b0 to
6d95de2
Compare
Contributor
akash1810
approved these changes
Feb 27, 2026
aracho1
approved these changes
Mar 4, 2026
jacobwinch
force-pushed
the
jw-expired-reg-cleaner-sg
branch
from
6d95de2 to
fafb85e
Compare
Contributor
Contributor
Contributor
Contributor
Contributor
Contributor
Author
This was deployed successfully yesterday morning and it seems to have run correctly late last night. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this change?
The Notifications VPC has a “default group”. Prior to this PR,
expired-registration-cleanerused this group to gain access to the RDS database (via the RDS proxy). This approach to networking does not follow the principle of least privilege, as any network interface in the VPC can implicitly reach theCODEandPRODdatabases.In #1636 a new security group was created, with the intention of services joining it only if they need database access. This will ultimately allow us to remove the “default group”, thus improving our security posture by moving towards the principle of least privilege.
This PR updates
expired-registration-cleanerto use the new security group / approach1.How has this change been tested?
This Lambda runs once a day at 23:04:00 UTC:
mobile-n10n/notificationworkerlambda/expired-registration-cleaner-cfn.yaml
Lines 112 to 119 in 6d95de2
It looks for old tokens and deletes them from the DB:
mobile-n10n/notificationworkerlambda/src/main/scala/com/gu/notifications/worker/ExpiredRegistrationCleaner.scala
Lines 21 to 26 in 6d95de2
I have deployed to
CODEand invoked the Lambda manually.Unfortunately I don't think there is any test data for the Lambda to delete, although the logs look the same as those from last night, which suggests that it could run the query as normal.
How can we measure success?
This is a step towards removing the "default group", which improves our security posture and allows us to standardise on a single approach following the changes made in #1636.
Have we considered potential risks?
I don't think there are any significant risks in this case. As mentioned above, I wasn't able to test token deletion due to the state of the
CODEDB, so I will also double check the logs for this one inPRODafter merging.Footnotes
Note that all of the above applies regardless of whether the application connects to the RDS instance directly or whether it goes via the RDS proxy, because the RDS instance and the RDS proxy share the same security group (created here). ↩