
There was already a similar question created for this. I read a few of the answers but was not able to solve the issue. I had to create a separate post for this since I didn't have enough reputation points to reply to a user in that post. The link is: here. I want to restrict all of the ports exposed to the public apart from a few security groups. For example, for one of the security groups I don't want port 80 exposed to the public, but for a security group, say "sg-123456789", I want port 80 to be open to the public. How do I write a Cloud Custodian policy?

policies:
  - name: sg-123456789
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::9797979797:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
        # "and" and "or" are list items: the dash needs a space after it,
        # otherwise "-and" is parsed as a mapping key and schema validation fails
        - and:
            # the attribute is GroupId (not "GroudId"); "in" expects a list
            - type: value
              key: GroupId
              op: in
              value:
                - sg-123456789
        - or:
            # OnlyPorts is a negative match: it tags world-open rules whose
            # port range is anything other than exactly 80, so 80 is kept
            - type: ingress
              OnlyPorts: [80]
              Cidr:
                 value: "0.0.0.0/0"
            - type: ingress
              OnlyPorts: [80]
              CidrV6:
                 value: "::/0"
    actions:
        - type: remove-permissions
          ingress: matched

  - name: sg-987654321
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::9797979797:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
        - and:
            - type: value
              key: GroupId
              op: in
              value:
                - sg-987654321
        - or:
            # tags world-open rules on any port other than exactly 3000
            - type: ingress
              OnlyPorts: [3000]
              Cidr:
                 value: "0.0.0.0/0"
            - type: ingress
              OnlyPorts: [3000]
              CidrV6:
                 value: "::/0"
    actions:
        - type: remove-permissions
          ingress: matched

Roy

2 Answers


Share the screenshot of the error you're getting. You have to use separate policies for IPv4 and IPv6 for remediation mode:

    resource: security-group
    filters:
      - and:
          - type: value
            key: GroupId
            op: in
            value:
              - sg-0db5e1ab7ccccc
          - or:
              - type: ingress
                OnlyPorts: [80,443]
                Cidr:
                  value: "0.0.0.0/0"
              - type: ingress
                OnlyPorts: [80,443]
                CidrV6:
                  value: "::/0"
Chenna
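The question's actual design is "nothing open to 0.0.0.0/0 or ::/0 anywhere, except a short list of groups that may expose specific ports". The following is an added example, not code from the original post or from the Cloud Custodian project: it builds that whole policy set from one allowlist (per-group IPv4 and IPv6 policies, plus a catch-all pair for every other group, following the answer's point about separate policies), and then shows, on a constructed sample group, which rules the ingress filter would tag for removal. The group IDs, ports and role ARN are made-up values; `matched_rules` is a re-statement of the filter's documented OnlyPorts/Cidr semantics written for this illustration, not the project's matching code, so confirm against `custodian run --dryrun`.

```python
import json
from ipaddress import ip_network

# Constructed allowlist (made-up IDs): group -> ports it may keep open to the world.
PUBLIC_ALLOWLIST = {"sg-123456789": [80], "sg-987654321": [3000]}
ROLE_ARN = "arn:aws:iam::111111111111:role/cloudcustodianrole"  # assumed value

# Fire on every new ingress rule; a revoke needs no remediation.
CLOUDTRAIL_MODE = {
    "type": "cloudtrail",
    "role": ROLE_ARN,
    "events": [{"source": "ec2.amazonaws.com",
                "event": "AuthorizeSecurityGroupIngress",
                "ids": "requestParameters.groupId"}],
}


def ingress_filter(only_ports, ipv6):
    """World-open ingress filter. OnlyPorts is a negative match in Cloud
    Custodian: it tags rules whose range is NOT exactly one of the listed
    ports, so the list is what the group may keep. Omit it to tag every
    world-open rule."""
    flt = {"type": "ingress"}
    if only_ports:
        flt["OnlyPorts"] = sorted(only_ports)
    if ipv6:
        flt["CidrV6"] = {"value": "::/0"}
    else:
        flt["Cidr"] = {"value": "0.0.0.0/0"}
    return flt


def policy(name, group_filter, only_ports, ipv6):
    return {
        "name": name,
        "resource": "security-group",
        "description": "Remove world-open ingress not on the public allowlist",
        "mode": CLOUDTRAIL_MODE,
        # A flat filters list is an implicit AND; no and: wrapper needed.
        "filters": [group_filter, ingress_filter(only_ports, ipv6)],
        "actions": [{"type": "remove-permissions", "ingress": "matched"}],
    }


def build_policies(allowlist):
    """One IPv4 and one IPv6 policy per allowlisted group (remediation wants
    Cidr and CidrV6 in separate policies), plus a catch-all pair for every
    other group. `in` / `not-in` take a list, never a bare string."""
    out = []
    for sg, ports in sorted(allowlist.items()):
        grp = {"type": "value", "key": "GroupId", "op": "in", "value": [sg]}
        out.append(policy(f"{sg}-public-ipv4", grp, ports, False))
        out.append(policy(f"{sg}-public-ipv6", grp, ports, True))
    rest = {"type": "value", "key": "GroupId", "op": "not-in",
            "value": sorted(allowlist)}
    out.append(policy("default-no-public-ingress-ipv4", rest, None, False))
    out.append(policy("default-no-public-ingress-ipv6", rest, None, True))
    return {"policies": out}


def matched_rules(ip_permissions, only_ports, cidr="0.0.0.0/0"):
    """Re-statement (for illustration) of what the ingress filter tags and
    remove-permissions then revokes: a rule matches when one of its ranges
    equals `cidr` and, if OnlyPorts is set and the rule has a port range,
    that range is not exactly one allowed port. Port-less all-traffic rules
    (IpProtocol -1) are judged by CIDR alone."""
    v6 = ip_network(cidr).version == 6
    key, field = ("Ipv6Ranges", "CidrIpv6") if v6 else ("IpRanges", "CidrIp")
    hits = []
    for perm in ip_permissions:
        if not any(r.get(field) == cidr for r in perm.get(key, [])):
            continue
        if only_ports and "FromPort" in perm and "ToPort" in perm:
            if any(perm["FromPort"] == p == perm["ToPort"] for p in only_ports):
                continue  # exactly an allowlisted port: keep it
        hits.append(perm)
    return hits


# Constructed sample of what sg-123456789 (allowed: 80) might contain.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # kept: allowlisted
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # revoked
    {"IpProtocol": "tcp", "FromPort": 79, "ToPort": 81,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # revoked: a range, not exactly 80
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},         # kept: not world-open
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # revoked
]

if __name__ == "__main__":
    # Custodian loads .json policy files as well as YAML; run `custodian validate`
    # and `custodian run --dryrun` on the output before enabling the mode.
    print(json.dumps(build_policies(PUBLIC_ALLOWLIST), indent=2))
    for perm in matched_rules(SAMPLE_PERMISSIONS, PUBLIC_ALLOWLIST["sg-123456789"]):
        print("would revoke:", perm)
```

The generator is where the two mistakes in the posted policies (a misspelled `GroupId`, and `-and:` with no space so it becomes a mapping key) cannot happen, because every policy comes from the same dict literal; the sample shows the part people find surprising, that `OnlyPorts: [80]` keeps exactly port 80 and strips everything else that is world-open, including a 79-81 range and a protocol `-1` rule.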

I'm also currently working on Cloud Custodian. I tried creating the policy below, but it is also not working as expected.

    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::1234567890:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
            - type: value
              key: GroupId
              op: in
              value:
                - sg-0987654321
            - type: ingress
              OnlyPorts: [80, 443, 3000]
              Cidr:
                value: "0.0.0.0/0"
    actions:
        - type: remove-permissions
          ingress: matched

  - name: sg-0987654321-ipv6
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::1234567890:role/custo_role
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
            - type: value
              key: GroupId
              op: in
              value:
                - sg-0987654321
            - type: ingress
              OnlyPorts: [80, 443, 3000]
              CidrV6:
                value:  "::/0"
    actions:
        - type: remove-permissions
          ingress: matched

I have also tried applying an "and" filter as below; unfortunately, no luck.

    filters:
        - and:
            - type: value
              key: GroupId
              op: in
              value:
                - sg-0987654321
            - type: ingress
              OnlyPorts: [80, 443, 3000]
              Cidr:
                value: "0.0.0.0/0"

Please let me know where I am going wrong.

Faizaan