
I have the following AWS Architecture:

[architecture diagram]

The lambdas can be triggered by API Gateway, SNS, or SQS.

I tried to restrict the IPs and ports of the Security Groups and ACLs of the Lambda and RDS infrastructure as much as possible.

The SG and NACL of the RDS are very restrictive (they only allow the Lambda to access it), but the Lambda Security Group and NACL are open to 0.0.0.0/0 inbound/outbound.

See the following structure:

[four configuration screenshots]

  • A NAT gateway uses ports 1024-65535.
  • AWS Lambda functions use ports 1024-65535.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

API Gateway supports the following endpoint ports: 80, 443 and 1024-65535.

https://docs.aws.amazon.com/apigateway/latest/developerguide/setup-http-integrations.html

I used VPC Flow Logs to see what IPs and ports were entering the Lambda subnet, and what I could understand was that they were dynamic and keep changing.

Many recommendations I found say that you shouldn't use 0.0.0.0/0 and should restrict the IPs and ports as much as possible. How can I tighten the security of this architecture even further?

I also found this link, which creates a Lambda to dynamically create the rules based on the IP list from Amazon. Is that the best way to do this?

https://blog.rowanudell.com/updating-security-groups-with-lambda/

  • You could consider using VPC Endpoints as suggested here: https://www.alexdebrie.com/posts/aws-lambda-vpc/ – kevin Feb 08 '23 at 10:13
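For the question above, here is one way to express the narrowed rule set as an added example (not the asker's configuration or code). It uses the request shapes that boto3's EC2 client accepts for `authorize_security_group_ingress`/`authorize_security_group_egress` and `create_network_acl_entry`, but makes no AWS calls; every security group ID, CIDR and the database port are constructed placeholders. Two properties drive the design: security groups are stateful and a Lambda function's VPC ENI never accepts inbound connections, so the Lambda group needs no inbound rules at all, while NACLs are stateless, so the Lambda subnet needs an explicit inbound rule for replies on the ephemeral range 1024-65535 cited in the VPC documentation linked above. Destinations are other security groups (the RDS group and, following the VPC endpoint suggestion in the comment, the group of the SNS/SQS interface endpoints) rather than CIDRs, which is what removes 0.0.0.0/0.

```python
"""Hardened Security Group and NACL rule sets for the Lambda -> RDS path.

Added example, not the asker's code. Structures follow the boto3 EC2 request
shapes, but nothing here talks to AWS. All IDs, CIDRs and DB_PORT are
constructed placeholders (assumptions).
"""

DB_PORT = 5432  # assumption: PostgreSQL; use 3306 for MySQL/MariaDB


def lambda_sg_rules(rds_sg_id, endpoint_sg_id, db_port=DB_PORT):
    """Rules for the Lambda function's security group.

    Security groups are stateful and a Lambda ENI never accepts inbound
    connections, so ingress is empty: replies to the function's own outbound
    connections are allowed automatically. Egress is pinned to the RDS group on
    the DB port and to the VPC interface endpoint group (SNS/SQS) on 443.
    """
    ingress = []
    egress = [
        {"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
         "UserIdGroupPairs": [{"GroupId": rds_sg_id, "Description": "RDS only"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": endpoint_sg_id,
                               "Description": "SNS/SQS interface endpoints"}]},
    ]
    return ingress, egress


def rds_sg_rules(lambda_sg_id, db_port=DB_PORT):
    """Rules for the RDS security group: DB port from the Lambda group only."""
    ingress = [{"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
                "UserIdGroupPairs": [{"GroupId": lambda_sg_id,
                                      "Description": "Lambda only"}]}]
    egress = []  # the database initiates nothing; the stateful SG handles replies
    return ingress, egress


def lambda_subnet_nacl_rules(rds_subnet_cidr, endpoint_subnet_cidr, db_port=DB_PORT):
    """NACL entries for the Lambda subnet.

    NACLs are stateless: each outbound connection needs a matching inbound
    rule for the reply, which arrives on an ephemeral port (Lambda uses
    1024-65535). Rules are evaluated lowest number first; the implicit final
    rule denies everything else. Assumes the interface endpoints live in a
    separate subnet with its own CIDR.
    """
    def entry(num, egress, cidr, from_port, to_port):
        return {"RuleNumber": num, "Protocol": "6", "RuleAction": "allow",
                "Egress": egress, "CidrBlock": cidr,
                "PortRange": {"From": from_port, "To": to_port}}

    return [
        entry(100, True, rds_subnet_cidr, db_port, db_port),          # to RDS
        entry(110, True, endpoint_subnet_cidr, 443, 443),             # to endpoints
        entry(100, False, rds_subnet_cidr, 1024, 65535),              # RDS replies
        entry(110, False, endpoint_subnet_cidr, 1024, 65535),         # endpoint replies
    ]


def uses_only_sg_references(rules):
    """True when every rule targets another security group, never an IP range."""
    return all(not r.get("IpRanges") and not r.get("Ipv6Ranges")
               and r.get("UserIdGroupPairs") for r in rules)


if __name__ == "__main__":
    _, egress = lambda_sg_rules("sg-lambda-placeholder", "sg-endpoints-placeholder")
    print("Lambda egress references only SGs:", uses_only_sg_references(egress))
    for rule in lambda_subnet_nacl_rules("10.0.2.0/24", "10.0.3.0/24"):
        print(rule)
```

If the functions still reach SNS/SQS through a NAT gateway instead of interface endpoints, the 443 egress rule has to become a CIDR rule to the AWS service IP ranges, which is exactly the moving target that the linked Lambda-updates-security-groups approach tries to track; interface endpoints avoid that problem.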

1 Answer

You have made a lot of provisions for security, but for a production account and further bulletproofing, I would suggest you not only focus on IPs/ports and ACLs but evaluate other infrastructure components too.

You are using a lot of AWS infra elements and those also need to be assessed for misconfiguration.

For assessment of the security posture of your architecture/deployment, I will suggest the following.

  1. Execute the CIS/GDPR compliance check on your account using the open source tool prowler.

https://github.com/toniblyx/prowler

CIS benchmark for reference: https://www.cisecurity.org/benchmark/amazon_web_services/

Resolve the scored findings as a high priority.

  2. Enable and configure the AWS Config rules (AWS-provided rules) to keep a check on activities going on in your account and have a sort of dynamic compliance implemented. Enable SNS notifications for new findings.

https://aws.amazon.com/config/#:~:text=AWS%20Config%20is%20a%20service,recorded%20configurations%20against%20desired%20configurations.

https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

  3. Enable AWS Security Hub and enable the following checks:
     • AWS Foundational Security Best Practices
     • AWS Inspector assessment
     • CIS AWS Foundations Benchmark v1.2.0
     • PCI DSS
  4. Enable auditing by enabling CloudTrail logs for your account/region.

Regards Amit Meena

  • Thank you for the security tips Amit Meena. I tried to use prowler and it shows many security points, and shows "found that allow 0.0.0.0 IN or OUT traffic" and the remediation: "Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.". But it doesn't show how to narrow down the IPs and ports. I did a little reading on Security Hub, and apparently it also just points out that there is a problem, but I could not find how to fix this. – Leonardo Campanha Apr 16 '21 at 13:10
  • Wow!! that's a great step @Leonardo. I agree Prowler points out the gap but does not suggest detailed remediation. For detailed remediation steps, I would suggest you download the CIS Amazon benchmark: https://www.cisecurity.org/benchmark/amazon_web_services/ and go through the remediation steps provided. – Amit Meena Apr 16 '21 at 13:21
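The comments above describe the prowler finding for security groups that "allow 0.0.0.0 IN or OUT traffic" without showing how such a check works. The following added example (not prowler's code and not the answerer's) implements that class of check over data in the shape returned by `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`, so the same function can be pointed at a live account. The two groups embedded here are constructed: one resembles the asker's wide-open Lambda group, the other a narrowed replacement whose only egress rule references another security group. Group IDs are placeholders.

```python
"""Flag security group rules whose source or destination is the whole internet.

Added example, not prowler's or the answerer's code. Input mirrors the boto3
describe_security_groups() response shape; SAMPLE_GROUPS is constructed data.
"""

from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def rule_is_unrestricted(rule):
    """True if any CIDR on the rule covers all of IPv4 or all of IPv6.

    Rules that only reference other security groups (UserIdGroupPairs) or
    prefix lists carry no CIDR and are therefore never flagged here.
    """
    v4 = [ip_network(r["CidrIp"], strict=False) for r in rule.get("IpRanges", [])]
    v6 = [ip_network(r["CidrIpv6"], strict=False) for r in rule.get("Ipv6Ranges", [])]
    return any(n == ANY_V4 for n in v4) or any(n == ANY_V6 for n in v6)


def describe_ports(rule):
    """Human-readable protocol/port summary; '-1' is AWS's 'all traffic'."""
    if rule.get("IpProtocol") == "-1":
        return "all traffic"
    low, high = rule.get("FromPort"), rule.get("ToPort")
    proto = rule["IpProtocol"]
    return f"{proto}/{low}" if low == high else f"{proto}/{low}-{high}"


def audit_security_groups(groups):
    """Return one (group id, direction, ports) finding per unrestricted rule."""
    findings = []
    for group in groups:
        for direction, key in (("inbound", "IpPermissions"),
                               ("outbound", "IpPermissionsEgress")):
            for rule in group.get(key, []):
                if rule_is_unrestricted(rule):
                    findings.append((group["GroupId"], direction, describe_ports(rule)))
    return findings


# Constructed sample: the first group looks like the asker's Lambda SG
# (0.0.0.0/0 both ways); the second is a narrowed version that only references
# another security group and has no inbound rules at all.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000lambdaopen", "GroupName": "lambda-open",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000lambdatight", "GroupName": "lambda-tight",
     "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                              "UserIdGroupPairs": [{"GroupId": "sg-0000rds"}]}]},
]


if __name__ == "__main__":
    for group_id, direction, ports in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: unrestricted {direction} rule ({ports})")
```

Against the sample, only the open group produces findings, one per direction. The narrowed group passes because its single rule names a security group rather than a CIDR, which is the remediation the CIS benchmark text quoted above asks for: express the minimum required ports and, where possible, avoid IP ranges entirely.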