1

I would like to apply port 443 outbound rule to the 'Default' security group. It worked by creating a dedicated block OutboundRule (which is commented out). Instead of creating a new block, I want to apply the rule in the WebServerSecurityGroup resource itself by referencing the VPC.defaultsecuritygroup under second SecurityGroupEgress block. But, it is not working. Would you please suggest me how to make this work.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation Sample Template VPC_with_PublicIPs_And_DNS: Sample
  template that creates a VPC with DNS and public IPs enabled. Note that you are billed
  for the AWS resources that you use when you create a stack from this template.'
Parameters:
  KeyPair:
    Description: Name of the keypair to use for SSH access
    Type: String
  Name:
    Description: Name of the keypair to use for SSH access
    Type: String
    Default: LinuxMachine  
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      CidrBlock: 10.0.0.0/16
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VPC
      CidrBlock: 10.0.0.0/24
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId:
        Ref: PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet
      RouteTableId:
        Ref: PublicRouteTable
  PublicSubnetNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet
      NetworkAclId:
        Fn::GetAtt:
        - VPC
        - DefaultNetworkAcl
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable HTTP ingress
      VpcId:
        Ref: VPC
  # Apply outbound rules to ec2 security group      
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: '22'
        ToPort: '22'
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: 127.0.0.0/0
# WIP - Default Security group        
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: 0.0.0.0/0
        GroupId: !GetAtt VPC.DefaultSecurityGroup

# Apply outbound rules to 'Default' Security Group
  # OutboundRule:  
  #   Type: AWS::EC2::SecurityGroupEgress
  #   Properties:
  #       GroupId:
  #         Fn::GetAtt:
  #           - VPC
  #           - DefaultSecurityGroup
  #       IpProtocol: tcp
  #       FromPort: '443'
  #       ToPort: '443'
  #       CidrIp: 0.0.0.0/0 

  WebServerInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-09e67e426f25ce0d7
      Tags:
        - Key: Name
          Value: !Ref Name
      NetworkInterfaces:
      - GroupSet:
        - Ref: WebServerSecurityGroup
        AssociatePublicIpAddress: 'true'
        DeviceIndex: '0'
        DeleteOnTermination: 'true'
        SubnetId:
          Ref: PublicSubnet
      KeyName:
        Ref: KeyPair
Prime
  • 143
  • 1
  • 6

1 Answers1

0

You can't have both CidrIp and the GroupId in the Egress rule. One or the other. This works:

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      CidrBlock: 10.0.0.0/16
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable HTTP ingress
      VpcId:
        Ref: VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        DestinationSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup

It creates the outbound rule to the default security groups as requested:

Security Group

However is this really what you want? Why would you want to enable access to a non-existent instance in the default SG? And it is indeed non-existent because we've just created the VPC...

Also opening SSH from 0.0.0.0/0 is not a good idea - use SSM instead and you won't have to open inbound SSH at all. And 127.0.0.0/0 should be /8 if anything but in fact it's not required, because localhost traffic is not controlled by security groups.

Hope that helps :)

MLu
  • 24,849
  • 5
  • 59
  • 86
  • Thank you for responding, It created the outbound rule to the security group, but I am actually planning to apply the 443 outbound rule to the security group called 'default'. https://ibb.co/PZzHvj5 – Prime May 11 '21 at 07:00
  • 1
    SSM and SSH both have their uses. I use SSM in highly secured setups (PCI etc) where SSH isn't available. For personal use I use SSH as it's easier to put a shortcut on my desktop :) – Tim May 11 '21 at 07:30