Merge pull request #148 from Skyscanner/add-kinesis-data-firehose-ips…
…-filter Rule Config for Kinesis Data Firehose IPs
Showing
6 changed files
with
124 additions
and
7 deletions.
Empty file.
@@ -0,0 +1,8 @@ | ||
from cfripper.config.rule_config import RuleConfig | ||
from cfripper.config.rule_configs.firehose_ips import firehose_ips_rules_config_filter | ||
from cfripper.model.enums import RuleMode | ||
|
||
RULES_CONFIG = { | ||
"EC2SecurityGroupMissingEgressRule": RuleConfig(rule_mode=RuleMode.DISABLED), | ||
"EC2SecurityGroupOpenToWorldRule": RuleConfig(filters=[firehose_ips_rules_config_filter]), | ||
} |
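Review bot: `RULES_CONFIG` disables `EC2SecurityGroupMissingEgressRule` outright with no recorded reason, whereas the Firehose filter it is paired with on the next line carries a `reason`; a reader of this config cannot tell whether the disable is deliberate policy or a leftover from testing. Add a line above the dict such as `# Rules config: egress check disabled because <REASON-TO-FILL-IN>; open-to-world rule whitelists the Kinesis Data Firehose CIDRs via firehose_ips_rules_config_filter` with the actual rationale filled in. The file's path is not shown on this page, so I cannot tell whether it ships as a default or only as an example; if it is a default, silently disabling a rule is a larger change than the PR title suggests and deserves a mention in the description.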
@@ -0,0 +1,56 @@ | ||
from cfripper.config.filter import Filter | ||
from cfripper.model.enums import RuleMode | ||
|
||
""" | ||
To use this RuleConfig, or any RuleConfig, make sure to include it in the `Config` instantiation. | ||
```python | ||
RULES_CONFIG = { | ||
"EC2SecurityGroupOpenToWorldRule": RuleConfig( | ||
filters=[firehose_ips_rules_config_filter] | ||
) | ||
} | ||
config = Config( | ||
... | ||
rules_config=RULES_CONFIG, | ||
) | ||
``` | ||
""" | ||
|
||
# Adapted from https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html | ||
FIREHOSE_IPS = { | ||
"13.113.196.224/27", # Asia Pacific (Tokyo) | ||
"13.209.1.64/27", # Asia Pacific (Seoul) | ||
"13.210.67.224/27", # Asia Pacific (Sydney) | ||
"13.228.64.192/27", # Asia Pacific (Singapore) | ||
"13.232.67.32/27", # Asia Pacific (Mumbai) | ||
"13.244.121.224/277", # Africa (Cape Town) | ||
"13.53.63.224/27", # Europe (Stockholm) | ||
"13.57.135.192/27", # US West (N. California) | ||
"13.58.135.96/27", # US East (Ohio) | ||
"15.161.135.128/27", # Europe (Milan) | ||
"15.185.91.0/27", # Middle East (Bahrain) | ||
"161.189.23.64/27", # China (Ningxia) | ||
"18.130.1.96/27", # Europe (London) | ||
"18.162.221.32/27", # Asia Pacific (Hong Kong) | ||
"18.228.1.128/27", # South America (São Paulo) | ||
"18.253.138.96/27", # AWS GovCloud (US-East) | ||
"35.158.127.160/27", # Europe (Frankfurt) | ||
"35.180.1.96/27", # Europe (Paris) | ||
"35.183.92.128/27", # Canada (Central) | ||
"52.19.239.192/27", # Europe (Ireland) | ||
"52.61.204.160/27", # AWS GovCloud (US-West) | ||
"52.70.63.192/27", # US East (N. Virginia) | ||
"52.81.151.32/27", # China (Beijing) | ||
"52.89.255.224/27", # US West (Oregon) | ||
} | ||
|
||
firehose_ips_rules_config_filter = Filter( | ||
reason=( | ||
"Exclude Kinesis Data Firehose IPs to allow access from Amazon Redshift Clusters. " | ||
"See https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html" | ||
), | ||
rule_mode=RuleMode.WHITELISTED, | ||
eval={"and": [{"exists": {"ref": "ingress_ip"}}, {"in": [{"ref": "ingress_ip"}, FIREHOSE_IPS]}]}, | ||
) |
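Review bot: The Cape Town entry in `FIREHOSE_IPS`, `"13.244.121.224/277"`, has a three-digit prefix length, which is not a valid CIDR; every other entry uses `/27`, so this looks like a typo and should read `"13.244.121.224/27",  # Africa (Cape Town)`. As far as this hunk shows, the filter's `in` clause compares `ingress_ip` against these literal strings, so the malformed entry can never match and Cape Town Firehose ingress keeps being flagged instead of whitelisted — a fail-closed mistake, but one the added fixture cannot catch since it only covers the eu-west-1 CIDR. Building the set through the standard library, e.g. `FIREHOSE_IPS = {str(ipaddress.ip_network(c)) for c in (...)}` with `import ipaddress`, would raise at import time on any malformed entry. Separately, the triple-quoted usage text beginning `To use this RuleConfig` sits after the imports, so it is a bare string expression rather than the module docstring; move it above the imports or make it a comment. The `# Adapted from` comment should also say this is a point-in-time snapshot of the AWS page that must be re-synced when regions are added, since a stale list silently fails closed for new regions.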
20 changes: 20 additions & 0 deletions
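--- a/tests/test_templates/config/security_group_firehose_ips.json
+++ b/tests/test_templates/config/security_group_firehose_ips.json
@@ -0,0 +1,20 @@
+{
+"AWSTemplateFormatVersion": "2010-09-09",
+"Resources": {
+"RedshiftSecurityGroup": {
+"Properties": {
+"GroupDescription": "Enable TCP access on port 5439 from Firehose in eu-west-1",
+"SecurityGroupIngress": [
+{
+"CidrIp": "52.19.239.192/27",
+"FromPort": "5439",
+"IpProtocol": "tcp",
+"ToPort": "5439",
+"Description": "Allows access from Firehose in eu-west-1"
+}
+]
+},
+"Type": "AWS::EC2::SecurityGroup"
+}
+}
+}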