chore: Limit ingress and egress traffic (#65)

hayk99 · web-flow · commit 00421fe49322 · 2022-02-17T10:34:40.000+01:00
* chore: limit ingress and egress traffic

* chore: remove http egress rule
diff --git a/examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md b/examples-internal/organizational-k8s-threat-reuse_cloudtrail_s3/README.md
@@ -81,7 +81,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.1.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.4.1 |
 
 ## Modules
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -81,8 +81,8 @@ Notice that:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.0.0 |
-| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.1.0 |
+| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | 4.1.0 |
 
 ## Modules
 
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
@@ -72,7 +72,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.1.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.4.1 |
 
 ## Modules
diff --git a/examples/trigger-events/README.md b/examples/trigger-events/README.md
@@ -47,7 +47,7 @@ Notice that:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.1.0 |
 
 ## Modules
 
diff --git a/modules/services/cloud-connector/sec-group.tf b/modules/services/cloud-connector/sec-group.tf
@@ -4,19 +4,28 @@ resource "aws_security_group" "sg" {
 
   vpc_id = var.ecs_vpc_id
 
-  # allow all (protocol -1, from 0, to 0)
-  #  ingress {
-  #    from_port   = 0
-  #    protocol    = "-1"
-  #    to_port     = 0
-  #    cidr_blocks = ["0.0.0.0/0"]
-  #  }
+  # Allow outbound DNS traffic over UDP and TCP
+  # Used by the ECS task to retrieve secrets from SSM
+  egress {
+    from_port   = 53
+    protocol    = "udp"
+    to_port     = 53
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 53
+    protocol    = "tcp"
+    to_port     = 53
+    cidr_blocks = ["0.0.0.0/0"]
+  }
 
-  # allow all
+  # Allow outbound HTTPS traffic over TCP
+  # Used by Cloud Connector to send events to https://secure.sysdig.com
   egress {
-    from_port   = 0
-    protocol    = "-1"
-    to_port     = 0
+    from_port   = 443
+    protocol    = "tcp"
+    to_port     = 443
     cidr_blocks = ["0.0.0.0/0"]
   }
 
diff --git a/test/fixtures/single-account/foo.bar b/test/fixtures/single-account/foo.bar
