qoomon/base-vpc.ts

## base-vpc.ts
import {Stack} from "aws-cdk-lib";
import {Vpc, VpcProps} from "aws-cdk-lib/aws-ec2";
import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources";
import {Construct} from "constructs";

export class BaseVpc extends Vpc {
    constructor(scope: Construct, id: string, props: VpcProps) {
        super(scope, id, props);
        // Configure default security group according to "CIS AWS Foundations Benchmark controls",
        // section "4.3 – Ensure the default security group of every VPC restricts all traffic".
        // See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.3
        const stack = Stack.of(this);
        const vpcDefaultSecurityGroupArn = stack.formatArn({
            service: 'ec2',
            resource: 'security-group',
            resourceName: this.vpcDefaultSecurityGroup,
        });

        const customResourceServiceRolePolicy = AwsCustomResourcePolicy.fromSdkCalls({resources: [vpcDefaultSecurityGroupArn]})
        const customResourcePhysicalResourceId = PhysicalResourceId.of(`${this.vpcId}/${this.vpcDefaultSecurityGroup}`)

        new AwsCustomResource(this, "RevokeDefaultSecurityGroupIngressRulesAction", {
            resourceType: "Custom::RevokeDefaultSecurityGroupIngressRules",
            onCreate: {
                service: "EC2",
                action: "revokeSecurityGroupIngress",
                // ignoreErrorCodesMatching: 'InvalidPermission\\.NotFound',
                parameters: {
                    GroupId: this.vpcDefaultSecurityGroup,
                    IpPermissions: [{
                        IpProtocol: '-1', // all protocols
                        UserIdGroupPairs: [{GroupId: this.vpcDefaultSecurityGroup}],
                    }],
                },
                physicalResourceId: customResourcePhysicalResourceId,
            },
            policy: customResourceServiceRolePolicy,
        });

        new AwsCustomResource(this, "RevokeDefaultSecurityGroupEgressRulesAction", {
            resourceType: "Custom::RevokeDefaultSecurityGroupEgressRules",
            onCreate: {
                service: "EC2",
                action: "revokeSecurityGroupEgress",
                // ignoreErrorCodesMatching: 'InvalidPermission\\.NotFound',
                parameters: {
                    GroupId: this.vpcDefaultSecurityGroup,
                    IpPermissions: [{
                        IpProtocol: '-1', // all protocols
                        IpRanges: [{CidrIp: "0.0.0.0/0"}],
                    }],
                },
                physicalResourceId: customResourcePhysicalResourceId,
            },
            policy: customResourceServiceRolePolicy,
        });
    }
}
	import {Stack} from "aws-cdk-lib";
	import {Vpc, VpcProps} from "aws-cdk-lib/aws-ec2";
	import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources";
	import {Construct} from "constructs";

	export class BaseVpc extends Vpc {
	constructor(scope: Construct, id: string, props: VpcProps) {
	super(scope, id, props);
	// Configure default security group according to "CIS AWS Foundations Benchmark controls",
	// section "4.3 – Ensure the default security group of every VPC restricts all traffic".
	// See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.3
	const stack = Stack.of(this);
	const vpcDefaultSecurityGroupArn = stack.formatArn({
	service: 'ec2',
	resource: 'security-group',
	resourceName: this.vpcDefaultSecurityGroup,
	});

	const customResourceServiceRolePolicy = AwsCustomResourcePolicy.fromSdkCalls({resources: [vpcDefaultSecurityGroupArn]})
	const customResourcePhysicalResourceId = PhysicalResourceId.of(`${this.vpcId}/${this.vpcDefaultSecurityGroup}`)

	new AwsCustomResource(this, "RevokeDefaultSecurityGroupIngressRulesAction", {
	resourceType: "Custom::RevokeDefaultSecurityGroupIngressRules",
	onCreate: {
	service: "EC2",
	action: "revokeSecurityGroupIngress",
	// ignoreErrorCodesMatching: 'InvalidPermission\\.NotFound',
	parameters: {
	GroupId: this.vpcDefaultSecurityGroup,
	IpPermissions: [{
	IpProtocol: '-1', // all protocols
	UserIdGroupPairs: [{GroupId: this.vpcDefaultSecurityGroup}],
	}],
	},
	physicalResourceId: customResourcePhysicalResourceId,
	},
	policy: customResourceServiceRolePolicy,
	});

	new AwsCustomResource(this, "RevokeDefaultSecurityGroupEgressRulesAction", {
	resourceType: "Custom::RevokeDefaultSecurityGroupEgressRules",
	onCreate: {
	service: "EC2",
	action: "revokeSecurityGroupEgress",
	// ignoreErrorCodesMatching: 'InvalidPermission\\.NotFound',
	parameters: {
	GroupId: this.vpcDefaultSecurityGroup,
	IpPermissions: [{
	IpProtocol: '-1', // all protocols
	IpRanges: [{CidrIp: "0.0.0.0/0"}],
	}],
	},
	physicalResourceId: customResourcePhysicalResourceId,
	},
	policy: customResourceServiceRolePolicy,
	});
	}
	}