Prevent default security groups from accessing registration DB

[jacobwinch]

What does this change?

There have been a few different networking approaches used to control access to the registration DB over the years:

1. Initially all services could access the registration DB by joining the VPC's default security group (i.e. the default security group that AWS provides).
2. More recently services were able to access the registration DB by joining a new security group (which was created by Guardian engineers in response to this issue). This allowed us to resolve a number of FSBP issues, but did not follow the principle of least privilege, as a number of services which didn't need DB access were also joining this group¹.
3. Today a service can access the registration DB (including via its proxy) if it joins a dedicated 'Postgres Access' security group (which was created in New security group for Postgres access to registration db #1636).

In #1636, #1705, #1707, #1708 and #1709 we updated all services which need DB access to start using the new approach (3). This means that we can now officially remove the AWS default security group (1) and the Guardian 'default' security group (2) from the ingress rules associated with the registration DB.

Once this PR is deployed (and the import here is removed), we should also be able to delete the Guardian 'default' security group (2) via https://github.com/guardian/mobile-platform/pull/727.

How has this change been tested / checked?

I've deployed this branch to CODE to check that the CFN change is valid.

I've also done some checking in the AWS console to confirm that this change will be safe. In the console we can see resources that are associated with a given security group. For the new 'Postgres Access' security groups (3), we can see the expected instances and Lambdas:

registrations-db-CODE-access

registrations-db-PROD-access

For the old security groups (1 and 2) we don't see any associated instances or Lambdas:

default (1):

Notifications VPC Main Security Group (CODE and PROD) (2):

How can we measure success?

This should improve our security posture but all functionality should keep working as before.

Have we considered potential risks?

There is a small risk that something is currently relying on one of the default security groups (1 or 2) in order to access the DB. I think the steps taken to check for usage via the console are sufficient to mitigate this risk.

Footnotes

1. At one stage this also provided other functionality, such as the ability to access parameter store via an interface endpoint. This functionality is now available to any instance running in the private subnet, so services such as notification or report no longer need to join a special security group for this. ↩

[github-actions]

Deploy build 5157 of mobile-n10n:slomonitor to CODE

All deployment options

• Deploy build 5157 of mobile-n10n:slomonitor to CODE
• Deploy parts of build 5157 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[github-actions]

Deploy build 4842 of mobile-n10n:fakebreakingnewslambda to CODE

All deployment options

• Deploy build 4842 of mobile-n10n:fakebreakingnewslambda to CODE
• Deploy parts of build 4842 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[github-actions]

Deploy build 4809 of mobile-n10n:football to CODE

All deployment options

• Deploy build 4809 of mobile-n10n:football to CODE
• Deploy parts of build 4809 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[github-actions]

Deploy build 5185 of mobile-n10n:registration to CODE

All deployment options

• Deploy build 5185 of mobile-n10n:registration to CODE
• Deploy parts of build 5185 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[github-actions]

Deploy build 4970 of mobile-n10n:notification to CODE

All deployment options

• Deploy build 4970 of mobile-n10n:notification to CODE
• Deploy parts of build 4970 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[github-actions]

Deploy build 5091 of mobile-n10n:report to CODE

All deployment options

• Deploy build 5091 of mobile-n10n:report to CODE
• Deploy parts of build 5091 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[github-actions]

Deploy build 5492 of mobile-n10n:notificationworkerlambda to CODE

All deployment options

• Deploy build 5492 of mobile-n10n:notificationworkerlambda to CODE
• Deploy parts of build 5492 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[jacobwinch]

Notifications VPC Main Security Group (CODE and PROD)

A quick update on this one. There are now 0 related resources; yesterday there were still 2 ENIs that referred to a CODE Lambda (even though there were no Lambdas listed under related resources), so I guess that AWS has now tidied these up(?) 🎉

[jacobwinch]

This has deployed successfully and the dashboard confirms that we're still delivering notifications as expected.