Versions Compared

Issue

We enabled SecurityHub on our AWS accounts; one of the findings is that the default VPC security group is too permissive.

...

| account | vpc | cidr | rules | comment |
|---|---|---|---|---|
| synapsedev | sagevpc | 10.11.0.0/16 | ingress: all traffic from sg; egress: all traffic | docker registry runs with test-docker-registry-sg (in 5000/443/22/8080/all, out all/all) and vpc-VpnSecurityGroup-1USYMWX91V47W (10.1/10.50) |
| synapsedev | synapse-dev-vpc | 10.24.0.0/16 | ingress: all traffic from sg; egress: all traffic | build-system* run with synapse-dev-vpc-2-VpnSecurityGroup-1SXIOCN3K0C9S (10.50.0.0); build-system-syanpse-2-agent* run with synapse-dev-vpc-2-VpnSecurityGroup-1SXIOCN3K0C9S and build-system-synapse-2-access-sg (access from master node); dev instances run in synapse-dev-vpc with own sg; rds warehouse (in 3306 from 207.109.76.122/32, 67.160.76.137, workers; out all) ==> still used? |
| synapsedev | na (vpc-2ae*) | 172.30.0.0/16 | ingress: 8787/443/8443/22 from anywhere; egress: all traffic | |
| synapsedev | fargate | 10.0.0.0/16 | ingress: all traffic from sg; egress: all traffic | Test |
| synapsedev | na (vpc-0390*) | 172.30.0.0/16 | ingress: all traffic from sg; egress: all traffic | |
| synapsedw | synapsedw-vpc | 10.12.0.0/16 | ingress: 3306 from 10.12.0.0/16 and 10.50.0.0/16; egress: all traffic | build-syanpse-dw runs in synapsedw-vpc with vpc-VpnSecurityGroup-1RPPAGWIIS4WM; redash runs in synapsedw-vpc with vpc-VpnSecurityGroup-1RPPAGWIIS4WM and sagebase-tgw-spoke-a-SecurityGroup-XDDFWGFLMUCV (???); instances run in synapsedw-vpc with vpc-VpnSecurityGroup-1RPPAGWIIS4WM and awseb-e-8mm44ycdwj-stack-AWSEBSecurityGroup-T7YRYS56EVI1 (allow 22 from anywhere?); RDS instances run in synapsedw-vpc with vpc-VpnSecurityGroup-1RPPAGWIIS4WM and dwapp2019-DBSecurityGroup-MIQXQT1OH0G |
| synapsedw | na (vpc-b17*) | 172.31.0.0/16 | ingress: 5439 from sg, hutch, all; 22 from hutch; egress: all traffic | This was used for Redshift |
| synapsedw | na (vpc-19ea*) | 172.30.0.0/16 | ingress: 3306 from anywhere; egress: all traffic | |
| synapsedw | na (vpc-d5f9*) | 172.30.0.0/16 | ingress: all traffic from sg; egress: all traffic | |
| synapseprod | sage-default-vpc | 10.11.0.0/16 | ingress: all traffic from sg; egress: all traffic | |
| synapseprod | synapse-ops-vpc2 | 10.30.0.0/16 | ingress: all traffic from sg; egress: all traffic | build-system-ops runs with synapse-ops-vpc-v2-VpnSecurityGroup-V299R6HJ8YM; docker instances run with synapse-ops-vpc-v2-VpnSecurityGroup-V299R6HJ8YM and docker-reg-inst-sg |
| synapseprod | synapse-prod-vpc | 10.20.0.0/16 | ingress: all traffic from sg; egress: all traffic | all stack instances run in own security groups; rds run in their own stack sg |
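Added example (not from this page or any Sage project): a small audit helper that rebuilds the "rules" column of the inventory above from the shape EC2 DescribeSecurityGroups returns and marks which default groups the SecurityHub finding (control EC2.2, no inbound or outbound rules on a default group) would still report. The sample input is constructed with hypothetical ids; no AWS call is made.

```python
from typing import Dict, List

ANY = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (hypothetical ids).
SAMPLE_GROUPS: List[dict] = [
    {"GroupId": "sg-0a", "GroupName": "default", "VpcId": "vpc-2ae0example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8787, "ToPort": 8787, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b", "GroupName": "default", "VpcId": "vpc-0390example",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0b"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c", "GroupName": "default", "VpcId": "vpc-d5f9example",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0d", "GroupName": "app-sg", "VpcId": "vpc-d5f9example",  # not a default group
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

def sources(rule: dict, own_id: str) -> List[str]:
    """Collect a rule's sources: v4/v6 CIDRs plus referenced groups ('sg' means the group itself)."""
    out = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    out += ["sg" if p["GroupId"] == own_id else p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return out

def describe_rule(rule: dict, own_id: str) -> str:
    """Render one permission the way the inventory does: '8787 from anywhere', 'all traffic from sg'."""
    if rule["IpProtocol"] == "-1":
        what = "all traffic"
    elif rule["FromPort"] == rule["ToPort"]:
        what = str(rule["FromPort"])
    else:
        what = f"{rule['FromPort']}-{rule['ToPort']}"
    return what + " from " + ", ".join("anywhere" if s in ANY else s for s in sources(rule, own_id))

def audit_default_groups(groups: List[dict]) -> List[Dict[str, object]]:
    """Summarise each VPC's 'default' group; compliant means no rules at all (SecurityHub EC2.2)."""
    report = []
    for g in [g for g in groups if g["GroupName"] == "default"]:
        ingress = [describe_rule(r, g["GroupId"]) for r in g["IpPermissions"]]
        egress = [describe_rule(r, g["GroupId"]) for r in g["IpPermissionsEgress"]]
        internet = any(s in ANY for r in g["IpPermissions"] for s in sources(r, g["GroupId"]))
        report.append({"vpc": g["VpcId"], "ingress": "; ".join(ingress) or "none",
                       "egress": "; ".join(egress) or "none",
                       "open_to_internet": internet, "compliant": not ingress and not egress})
    return report
```

With a live account, feed `audit_default_groups` the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()` and sort the report by `open_to_internet` first, then `compliant`.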

...