chore: Limit ingress traffic and delete unnecessary permissions (#61)

hayk99 · web-flow · commit 039b4b68edde · 2022-02-17T17:27:56.000+01:00
* chore: limit ingress traffic and delete unnecessary permissions

* chore: add egress rules
diff --git a/templates/CloudConnector.yaml b/templates/CloudConnector.yaml
@@ -149,16 +149,6 @@ Resources:
                   - "ecs:DescribeTaskDefinition"
                 Resource:
                   - "*"
-        - PolicyName: SecretsReader
-          PolicyDocument:
-            Version: "2012-10-17"
-            Statement:
-              - Effect: Allow
-                Action:
-                  - "kms:Decrypt"
-                  - "secretsmanager:GetSecretValue"
-                Resource:
-                  - "*"
         - PolicyName: ECRReader
           PolicyDocument:
             Version: "2012-10-17"
@@ -326,19 +316,22 @@ Resources:
       VpcId: !Ref VPC
       GroupName: !Sub "${AWS::StackName}-CloudConnector"
       GroupDescription: CloudConnector workload Security Group
-      SecurityGroupIngress:
-        - CidrIp: 0.0.0.0/0
-          IpProtocol: "tcp"
-          FromPort: 80
-          ToPort: 80
+      SecurityGroupEgress:
+        # Allow outbound HTTPS traffic over TCP
+        # Used by Cloud Connector to send events to https://secure.sysdig.com
         - CidrIp: 0.0.0.0/0
           IpProtocol: "tcp"
           FromPort: 443
           ToPort: 443
+        # Allow outbound DNS traffic over UDP and TCP
         - CidrIp: 0.0.0.0/0
           IpProtocol: "tcp"
-          FromPort: 5000
-          ToPort: 5000
+          FromPort: 53
+          ToPort: 53
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "udp"
+          FromPort: 53
+          ToPort: 53
       Tags:
         - Key: Name
           Value: !Sub "${AWS::StackName}-CloudConnector"
