
Allow customizing the `EnvironmentSecurityGroup` with the environment manifest

Open efekarakus opened this issue 3 years ago • 2 comments

Ask

For compliance users, customers might require customizing the ingress and egress of the EnvironmentSecurityGroup: https://github.com/aws/copilot-cli/blob/a28a4682b4bf53e616c7840077c30e6224170498/internal/pkg/template/templates/environment/cf.yml#L138 For example, folks might want to remove the default egress rule that gets generated by CloudFormation.

Sample manifest

name: test
type: 'Environment'
security_group:
  ingress:
  - <config>
  egress:
  - <config>

efekarakus avatar Jul 05 '22 23:07 efekarakus

This would be useful - in particular, to mitigate supply chain attacks by having services running in a public zone, accessible via an ALB but unable to initiate egress (e.g. initiate an outbound TCP connection or send UDP packets).

craigjbass avatar Aug 08 '22 10:08 craigjbass

Hello @craigjbass, you are right, we can very well stop the outbound connections by setting the following rule in your environment manifest.

network:
  vpc:
    security_group:
      egress:
        - ip_protocol: -1      # all protocols; ports are ignored for -1
          ports: 0-65535       # valid port numbers are 0-65535
          cidr: 127.0.0.1/32   # loopback only: no destination outside the host

CloudFormation suggests setting the above-mentioned egress rule in order to remove the default egress rule applied by CFN and restrict traffic to just localhost (127.0.0.1/32).

This feature will go out in the next copilot release.

paragbhingre avatar Aug 08 '22 17:08 paragbhingre
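As an added example (not code from the copilot-cli project or from any of the commenters), the following Python script audits what egress a Copilot environment security group will actually end up with. It encodes the point behind the loopback rule above: declaring no egress at all is not restrictive, because CloudFormation then attaches its own allow-all 0.0.0.0/0 egress rule to an AWS::EC2::SecurityGroup, so "nothing declared" and "loopback-only declared" are opposite outcomes. The manifests are transcribed into plain dicts (constructed sample data) so the check runs offline; the key names mirror the `network.vpc.security_group.egress` path used in the manifest, and the port validation rejects the out-of-range value 65536.

```python
"""Audit the effective egress of a Copilot environment security group.

Added example: manifests are transcribed into plain dicts (constructed data)
so the check runs offline; the dict keys mirror the manifest's
network.vpc.security_group.egress path.
"""
import ipaddress

# Rule CloudFormation adds to an AWS::EC2::SecurityGroup that declares no
# egress at all: every protocol, every port, every destination.
CFN_DEFAULT_EGRESS = {"ip_protocol": -1, "ports": "0-65535", "cidr": "0.0.0.0/0"}


def parse_ports(ports):
    """Parse the manifest `ports` field (e.g. 443 or "0-65535") into (lo, hi)."""
    text = str(ports)
    lo, _, hi = text.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port range {text!r}: valid ports are 0-65535")
    return lo_i, hi_i


def ports_are_valid(ports):
    """Boolean wrapper around parse_ports for use in policy checks."""
    try:
        parse_ports(ports)
        return True
    except ValueError:
        return False


def effective_egress(manifest):
    """Return (rules, used_default): the egress CloudFormation will apply."""
    rules = (manifest.get("network") or {}).get("vpc", {}) \
        .get("security_group", {}).get("egress")
    if rules:
        return [dict(r) for r in rules], False
    return [dict(CFN_DEFAULT_EGRESS)], True


def rule_allows_outbound(rule):
    """True if the rule lets traffic leave to anything other than loopback."""
    parse_ports(rule.get("ports", "0-65535"))  # validate even though -1 ignores ports
    return not ipaddress.ip_network(rule["cidr"], strict=False).is_loopback


def audit_egress(manifest):
    """Return findings as strings; an empty list means no outbound path exists."""
    rules, used_default = effective_egress(manifest)
    if used_default:
        return ["no egress declared: CloudFormation adds allow-all egress to 0.0.0.0/0"]
    return [
        f"egress permitted to {r['cidr']} proto {r['ip_protocol']} ports {r.get('ports', 'all')}"
        for r in rules
        if rule_allows_outbound(r)
    ]


# Constructed sample manifests (not taken from the thread's repository).
BLOCKED = {  # the loopback rule from the thread: nothing can leave the task
    "name": "test", "type": "Environment",
    "network": {"vpc": {"security_group": {"egress": [
        {"ip_protocol": -1, "ports": "0-65535", "cidr": "127.0.0.1/32"}]}}},
}
UNDECLARED = {"name": "test", "type": "Environment"}  # silently gets allow-all
HTTPS_ONLY = {  # narrower than the default, but still an outbound path
    "name": "test", "type": "Environment",
    "network": {"vpc": {"security_group": {"egress": [
        {"ip_protocol": "tcp", "ports": 443, "cidr": "0.0.0.0/0"}]}}},
}

if __name__ == "__main__":
    for label, manifest in (("blocked", BLOCKED), ("undeclared", UNDECLARED),
                            ("https_only", HTTPS_ONLY)):
        findings = audit_egress(manifest)
        print(f"{label}: {'OK, no egress' if not findings else findings}")
```

Run it against a real manifest by loading the YAML into a dict first; the useful signal is the `undeclared` case, where an environment that looks locked down because it names no egress rules is in fact wide open.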

This feature is now released in v1.21.0! https://github.com/aws/copilot-cli/releases/tag/v1.21.0 🎉

dannyrandall avatar Aug 17 '22 16:08 dannyrandall