@qoomon
Created September 30, 2022 14:32
AWS CDK - Vpc Construct - Configure default security group according to "CIS AWS Foundations Benchmark controls"
```typescript
import { Stack } from "aws-cdk-lib";
import { Vpc, VpcProps } from "aws-cdk-lib/aws-ec2";
import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
import { Construct } from "constructs";

export class BaseVpc extends Vpc {
  constructor(scope: Construct, id: string, props?: VpcProps) {
    super(scope, id, props);

    // Configure the default security group according to "CIS AWS Foundations Benchmark controls",
    // section "4.3 – Ensure the default security group of every VPC restricts all traffic".
    // See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.3
    //
    // A fresh VPC default security group carries one ingress rule (all traffic from members of the
    // group itself) and one egress rule (all traffic to 0.0.0.0/0). CloudFormation cannot manage the
    // default group directly, so both rules are revoked with SDK calls from custom resources on create.
    const stack = Stack.of(this);
    const vpcDefaultSecurityGroupArn = stack.formatArn({
      service: "ec2",
      resource: "security-group",
      resourceName: this.vpcDefaultSecurityGroup,
    });
    // Least privilege: the custom resource role may only touch the default security group.
    const customResourceServiceRolePolicy = AwsCustomResourcePolicy.fromSdkCalls({
      resources: [vpcDefaultSecurityGroupArn],
    });
    const customResourcePhysicalResourceId = PhysicalResourceId.of(
      `${this.vpcId}/${this.vpcDefaultSecurityGroup}`
    );

    new AwsCustomResource(this, "RevokeDefaultSecurityGroupIngressRulesAction", {
      resourceType: "Custom::RevokeDefaultSecurityGroupIngressRules",
      onCreate: {
        service: "EC2",
        action: "revokeSecurityGroupIngress",
        // Uncomment to tolerate a rule that has already been removed out of band.
        // ignoreErrorCodesMatching: 'InvalidPermission\\.NotFound',
        parameters: {
          GroupId: this.vpcDefaultSecurityGroup,
          IpPermissions: [{
            IpProtocol: "-1", // all protocols
            // the default ingress rule references the default group itself
            UserIdGroupPairs: [{ GroupId: this.vpcDefaultSecurityGroup }],
          }],
        },
        physicalResourceId: customResourcePhysicalResourceId,
      },
      policy: customResourceServiceRolePolicy,
    });

    new AwsCustomResource(this, "RevokeDefaultSecurityGroupEgressRulesAction", {
      resourceType: "Custom::RevokeDefaultSecurityGroupEgressRules",
      onCreate: {
        service: "EC2",
        action: "revokeSecurityGroupEgress",
        // Uncomment to tolerate a rule that has already been removed out of band.
        // ignoreErrorCodesMatching: 'InvalidPermission\\.NotFound',
        parameters: {
          GroupId: this.vpcDefaultSecurityGroup,
          IpPermissions: [{
            IpProtocol: "-1", // all protocols
            // Only the IPv4 default egress rule is revoked here; an IPv6 (::/0) egress
            // rule, if the VPC has one, is not covered by this call.
            IpRanges: [{ CidrIp: "0.0.0.0/0" }],
          }],
        },
        physicalResourceId: customResourcePhysicalResourceId,
      },
      policy: customResourceServiceRolePolicy,
    });
  }
}
```
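The construct above hard-codes the two rules a fresh default group starts with. The following is an added example, not code from the gist, that checks a described default security group against CIS 4.3 and derives the revoke parameters from whatever rules the group actually has, so extra rules (an IPv6 egress rule, for instance) are picked up too. The `IpPermission` shape mirrors what EC2 `DescribeSecurityGroups` returns and the revoke calls accept; the sample group is constructed.

```typescript
// Added example (not part of the gist): CIS 4.3 evaluation of a VPC default
// security group and generation of revokeSecurityGroupIngress/Egress parameters
// from the group's actual rules rather than the two rules a fresh VPC carries.

export interface IpPermission {
  IpProtocol: string;                       // "-1" means all protocols
  FromPort?: number;
  ToPort?: number;
  IpRanges?: { CidrIp: string }[];
  Ipv6Ranges?: { CidrIpv6: string }[];
  UserIdGroupPairs?: { GroupId: string }[];
}

export interface SecurityGroup {
  GroupId: string;
  GroupName: string;                        // "default" for the VPC default group
  IpPermissions: IpPermission[];            // ingress rules
  IpPermissionsEgress: IpPermission[];      // egress rules
}

// CIS 4.3 passes only when the default group has no rule in either direction.
export function isCis43Compliant(sg: SecurityGroup): boolean {
  return sg.IpPermissions.length === 0 && sg.IpPermissionsEgress.length === 0;
}

// Parameters for the two revoke calls; a direction with nothing left to revoke
// yields null so the caller can skip that API call entirely.
export function revokeParameters(sg: SecurityGroup) {
  const build = (rules: IpPermission[]) =>
    rules.length === 0 ? null : { GroupId: sg.GroupId, IpPermissions: rules };
  return { ingress: build(sg.IpPermissions), egress: build(sg.IpPermissionsEgress) };
}

// Constructed sample: the self-referencing ingress rule and 0.0.0.0/0 egress rule of a
// fresh default group, plus an IPv6 egress rule that the hard-coded construct would miss.
export const sampleDefaultGroup: SecurityGroup = {
  GroupId: "sg-0123456789abcdef0",          // placeholder id, not a real group
  GroupName: "default",
  IpPermissions: [
    { IpProtocol: "-1", UserIdGroupPairs: [{ GroupId: "sg-0123456789abcdef0" }] },
  ],
  IpPermissionsEgress: [
    { IpProtocol: "-1", IpRanges: [{ CidrIp: "0.0.0.0/0" }] },
    { IpProtocol: "-1", Ipv6Ranges: [{ CidrIpv6: "::/0" }] },
  ],
};
```

Running `revokeParameters` over the real `DescribeSecurityGroups` output, then re-describing and checking `isCis43Compliant`, gives a post-deployment verification that the custom resources did what the benchmark requires.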