Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ecs-patterns] ApplicationLoadBalancedEc2Service missing option to control ingress of security group #9433

Closed
ddneilson opened this issue Aug 4, 2020 · 1 comment · Fixed by #9434
Closed

[ecs-patterns] ApplicationLoadBalancedEc2Service missing option to control ingress of security group #9433

ddneilson opened this issue Aug 4, 2020 · 1 comment · Fixed by #9434
Assignees
@uttarasridhar
Labels
@aws-cdk/aws-ecs-patterns Related to ecs-patterns library feature-request A feature should be added or improved. in-progress This issue is being actively worked on.

Comments

@ddneilson
Copy link
Contributor

The ApplicationLoadBalancedEc2Service is missing the ability to lock-down the ingress of the ALB listener that it creates. The listener is created, by default, to be fully open to ingress from all IP addresses. There is a design but in that it does not expose any option that allows the user to lock-down this security group to allow no-ingress except the ingress that is explicitly allowed.

Note: This was found during a security audit and has security implications. It is a high-priority fix.

Reproduction Steps

Create a ApplicationLoadBalancedEc2Service

What did you expect to happen?

The expectation was that it would be possible to control ingress to the ALB created by ApplicationLoadBalancedEc2Service via the security group of the listener.

What actually happened?

The security group of the listener is wide-open by default; it may as well not even have a security group.

Environment

  • CLI Version : 1.52.0
  • Framework Version: 1.52.0
  • Node.js Version: Any
  • OS : Any
  • Language (Version): all

Other

I have a PR ready to fix this, and will be submitting shortly.

This is 🐛 Bug Report
@ddneilson ddneilson added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 4, 2020
@ddneilson ddneilson changed the title [ecs-patterns] [ecs-patterns] ApplicationLoadBalancedEc2Service missing option to control ingress of security group Aug 4, 2020
@ddneilson ddneilson mentioned this issue Aug 4, 2020
Merged
@SomayaB SomayaB added @aws-cdk/aws-ecs-patterns Related to ecs-patterns library in-progress This issue is being actively worked on. labels Aug 5, 2020
@piradeepk piradeepk added feature-request A feature should be added or improved. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 5, 2020
@mergify mergify bot closed this as completed in #9434 Aug 5, 2020
mergify bot pushed a commit that referenced this issue Aug 5, 2020
@ddneilson
fix(ecs-patterns): Adds missing option to secure ingress of ALB in Ap… (
ba1427f 
#9434)

This adds the option:
```
  /**
   * Determines whether or not the Security Group for the Load Balancer's Listener will be open to all traffic by default.
   *
   * @default true -- The security group allows ingress from all IP addresses.
   */
  readonly openListener?: boolean;
```

to `ApplicationLoadBalancedServiceBase` so that it is possible to restrict ingress to the listener created by the pattern.

Fixes: #9433

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
eladb pushed a commit that referenced this issue Aug 10, 2020
@ddneilson
fix(ecs-patterns): Adds missing option to secure ingress of ALB in Ap… (
b62bd71 
#9434)

This adds the option:
```
  /**
   * Determines whether or not the Security Group for the Load Balancer's Listener will be open to all traffic by default.
   *
   * @default true -- The security group allows ingress from all IP addresses.
   */
  readonly openListener?: boolean;
```

to `ApplicationLoadBalancedServiceBase` so that it is possible to restrict ingress to the listener created by the pattern.

Fixes: #9433

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@flemjame-at-amazon
Copy link
Contributor

Also fixes #8342

@flemjame-at-amazon flemjame-at-amazon mentioned this issue Aug 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@uttarasridhar uttarasridhar

Labels
@aws-cdk/aws-ecs-patterns Related to ecs-patterns library feature-request A feature should be added or improved. in-progress This issue is being actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(ecs-patterns): Adds missing option to secure ingress of ALB in Ap… ddneilson/aws-cdk
5 participants
@uttarasridhar @SomayaB @piradeepk @ddneilson @flemjame-at-amazon