I want to mess with ALB's default security group from CDK

Overview

If you create an ALB for Fargate with CDK, the ALB's Security Group ends up fully open (port 80 from 0.0.0.0/0). For a development environment or an internal service I'd rather narrow the allowed source IPs for security, but with CDK adding a rule is easy while removing the one the pattern adds is hard, so I'm sharing the method I used.

Procedure

Creating the fully open SG

First, create the Security Group that will be changed later.

from aws_cdk import aws_ec2 as ec2

# ivpc: the existing IVpc this stack uses (looked up elsewhere in the stack)
alb_sg = ec2.SecurityGroup(self, "alb-sg",
    vpc=ivpc,
    description="alb sg"
)

Next, create an ALB that uses that Security Group.

from aws_cdk import aws_elasticloadbalancingv2 as elasticloadbalancingv2

ecs_alb = elasticloadbalancingv2.ApplicationLoadBalancer(self, "alb",
    security_group=alb_sg,
    vpc=ivpc,
    internet_facing=True,
    load_balancer_name="ecs-alb"
)

Then use ecs_patterns to create the Fargate service that sits behind that ALB.

from aws_cdk import aws_ecs as ecs, aws_ecs_patterns as ecs_patterns

# cluster and task: the ECS cluster and task definition created elsewhere in the stack
fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "service",
    cluster=cluster,
    task_definition=task,
    load_balancer=ecs_alb,
    cloud_map_options=ecs.CloudMapOptions(
        name="hoge"
    )
)

When you run a diff, you can see that a Security Group with port 80 open to everyone is created, as shown below (only the Security Group part is shown).

$ cdk diff ecs
Stack ecs
Security Group Changes
┌───┬────────────────────────┬─────┬──────────┬─────────────────┐
│   │ Group                  │ Dir │ Protocol │ Peer            │
├───┼────────────────────────┼─────┼──────────┼─────────────────┤
│ + │ ${prod-alb-sg.GroupId} │ In  │ TCP 80   │ Everyone (IPv4) │
└───┴────────────────────────┴─────┴──────────┴─────────────────┘
Resources
[~] AWS::EC2::SecurityGroup prod-alb-sg prodmonitoralbsg0D94D960 
 └─ [+] SecurityGroupIngress
     └─ [{"CidrIp":"0.0.0.0/0","Description":"Allow from anyone on port 80","FromPort":80,"IpProtocol":"tcp","ToPort":80}]

Overwriting the SG

The synthesized resource can be overwritten with node.default_child.add_override, so specify the property path and the new value. The two overrides below target index 0, because only one rule, the fully open one, was added.

alb_sg.node.default_child.add_override(
    "Properties.SecurityGroupIngress.0.CidrIp",
    "1.1.1.1/32"
)
alb_sg.node.default_child.add_override(
    "Properties.SecurityGroupIngress.0.Description",
    "Google"
)
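To see what those two overrides actually do to the template, and to have a check that the fully open rule is really gone, here is an added example that is not part of the original post and does not use the CDK library itself. It models add_override on a plain dict (dotted path below the resource, numeric segments index into lists) and scans a template for ingress rules open to the whole internet, both inline SecurityGroupIngress entries and standalone AWS::EC2::SecurityGroupIngress resources. The sample template is constructed to match the diff shown earlier, the logical ID is the one the post's cdk diff printed, and the CIDR 203.0.113.10/32 and its description are made-up values.

```python
import copy
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: the SecurityGroup resource as it appears in the synthesized
# template after ecs_patterns added its rule (shape copied from the cdk diff in
# the post; the logical ID is the one the diff printed).
SG_LOGICAL_ID = "prodmonitoralbsg0D94D960"
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        SG_LOGICAL_ID: {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "alb sg",
                "SecurityGroupIngress": [
                    {
                        "CidrIp": "0.0.0.0/0",
                        "Description": "Allow from anyone on port 80",
                        "FromPort": 80,
                        "IpProtocol": "tcp",
                        "ToPort": 80,
                    }
                ],
            },
        }
    }
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def apply_override(template: Dict[str, Any], logical_id: str, path: str, value: Any) -> Dict[str, Any]:
    """Plain-dict model of cfn_resource.add_override(path, value): walk the dotted
    path below the resource (numeric segments index into lists) and set the leaf.
    The input template is left untouched; a modified copy is returned."""
    out = copy.deepcopy(template)
    node: Any = out["Resources"][logical_id]
    *parents, leaf = path.split(".")
    for part in parents:
        node = node[int(part)] if isinstance(node, list) else node[part]
    if isinstance(node, list):
        node[int(leaf)] = value
    else:
        node[leaf] = value
    return out


def world_open_ingress(template: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (logical_id, rule) for every ingress rule whose source is the whole
    internet, whether inline in a SecurityGroup or a standalone ingress resource."""
    findings: List[Tuple[str, Dict[str, Any]]] = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            if rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS:
                findings.append((logical_id, rule))
    return findings


def restrict_alb_sg(template: Dict[str, Any], logical_id: str, cidr: str, description: str) -> Dict[str, Any]:
    """The two overrides from the post, applied to the template model."""
    t = apply_override(template, logical_id, "Properties.SecurityGroupIngress.0.CidrIp", cidr)
    return apply_override(t, logical_id, "Properties.SecurityGroupIngress.0.Description", description)


if __name__ == "__main__":
    print("before:", world_open_ingress(SAMPLE_TEMPLATE))
    # 203.0.113.10/32 is a constructed value from the documentation range, not a real source
    fixed = restrict_alb_sg(SAMPLE_TEMPLATE, SG_LOGICAL_ID, "203.0.113.10/32", "office egress (constructed)")
    print("after:", world_open_ingress(fixed))
    print(json.dumps(fixed["Resources"][SG_LOGICAL_ID]["Properties"]["SecurityGroupIngress"], indent=2))
```

In a real project, feed world_open_ingress the template from `cdk synth --json` (or, in a CDK unit test, the dict returned by the assertions module) and fail the build if it returns anything; that catches the case where the override index stops matching the rule the pattern emits. If you would rather not depend on index 0 at all, the pattern's open_listener=False parameter stops it from adding the 0.0.0.0/0 rule, and you can then add your own source with alb_sg.add_ingress_rule(ec2.Peer.ipv4(...), ec2.Port.tcp(80)); that alternative is not what the post does, but it removes the positional override.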

When this runs, the default "TCP 80 from Everyone" rule disappears and is replaced by the specified IP.

$ SYSTEM_ENV=prod cdk diff ecs
Stack ecs
Security Group Changes
┌───┬────────────────────────┬─────┬──────────┬─────────────────┐
│   │ Group                  │ Dir │ Protocol │ Peer            │
├───┼────────────────────────┼─────┼──────────┼─────────────────┤
│ - │ ${prod-alb-sg.GroupId} │ In  │ TCP 80   │ Everyone (IPv4) │
├───┼────────────────────────┼─────┼──────────┼─────────────────┤
│ + │ ${prod-alb-sg.GroupId} │ In  │ TCP 80   │ 1.1.1.1/32      │
└───┴────────────────────────┴─────┴──────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[~] AWS::EC2::SecurityGroup prod-alb-sg prodmonitoralbsg0D94D960 
 └─ [~] SecurityGroupIngress
     └─ @@ -1,7 +1,7 @@
        [ ] [
        [ ]   {
        [-]     "CidrIp": "0.0.0.0/0",
        [-]     "Description": "Allow from anyone on port 80",
        [+]     "CidrIp": "1.1.1.1/32",
        [+]     "Description": "Google",
        [ ]     "FromPort": 80,
        [ ]     "IpProtocol": "tcp",
        [ ]     "ToPort": 80
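Review bot: the Description this hunk writes ("Google") does not identify the source that 1.1.1.1/32 actually is (1.1.1.1 is a well-known public DNS resolver address, so it reads as a placeholder), and the description is the only human-readable record in the console of why the rule exists; pair the CidrIp with a description naming the real allowed network, such as an office NAT address or VPN egress range, so a later audit of the SG can verify the rule. Also note that the hunk only rewrites the rule at index 0: if the pattern ever emits a second ingress entry or the order changes, a 0.0.0.0/0 rule would survive untouched, so keep a synth-time check for world-open ingress alongside the override.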

That's how to adjust the ALB's default SG from CDK.

