[SAM] Improve beanstalk security: introduce new security group for skill connectors #16

Closed
2 tasks
Tracked by #24
binchoo opened this issue Jul 12, 2022 · 3 comments

Comments

binchoo commented Jul 12, 2022

As-is:
I have my beanstalk application inside the "default VPC & subnet".

  • If the ALB endpoint is exposed accidentally, this becomes a critical security problem, because a malicious user can request any delete operation on other users' resources via the exposed URL.

To-be:

  • Make a private subnet and deploy the beanstalk app there.
  • Configure a VPC Endpoint for DynamoDB.
@binchoo binchoo added the arch label Jul 12, 2022
@binchoo binchoo self-assigned this Jul 12, 2022
@binchoo binchoo added the SAM label Jul 12, 2022
@binchoo binchoo added this to the 1.0.5 milestone Jul 21, 2022
binchoo commented Jul 31, 2022

Options:

  • VPC Links + NLB

  • Asking Kakaotalk for the IP ranges of its skill connectors, plus an SG allowing inbound traffic from that range.
    (image attached)

  • Spring Security inspecting HTTP headers.

  • Configuring NGINX.

  • Installing a WAF at the API Gateway allowing inbound traffic from Kakaotalk's skill connectors.
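The "inspecting HTTP headers" option above only works if the application knows which address to trust. This added example (not the project's code; the project is a Spring app, this is a Python sketch of the same check) shows the decision logic: consult X-Forwarded-For only when the TCP peer is one of our own proxies, then walk the header right to left so that an entry the client forged on the left cannot override the address the proxy actually observed. The 219.249.231.40/30 range is the one a later comment in this issue uses; the 10.0.0.0/8 proxy range and the function names are assumptions for illustration.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allow-list: the ikakao bot proxy range used later in this issue (/30 = .40-.43).
ALLOWED_CLIENT_CIDRS = [ipaddress.ip_network("219.249.231.40/30")]
# Hypothetical address range of our own load balancer / reverse proxy tier.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr: IPAddress, nets: Iterable[IPNetwork]) -> bool:
    """True if addr falls inside any of the given networks (same IP version)."""
    return any(addr.version == n.version and addr in n for n in nets)


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted_proxies: Iterable[IPNetwork] = TRUSTED_PROXY_CIDRS) -> Optional[IPAddress]:
    """Decide which address the request really comes from.

    X-Forwarded-For is only consulted when the TCP peer is one of our own
    proxies; otherwise the header is attacker-supplied and ignored. Walking
    the header right-to-left and skipping trusted proxies yields the address
    our proxy observed; anything further left was sent by the client and may
    be forged. Returns None for a malformed header, which callers treat as deny.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies) or not xff:
        return peer  # direct connection (or no header): the header is not trustworthy
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed
        if not _in_any(addr, trusted_proxies):
            return addr  # first non-proxy from the right = what our proxy saw
    return peer  # every hop was one of our proxies: no external client address


def is_allowed_skill_request(remote_addr: str, xff: Optional[str] = None,
                             allowed: Iterable[IPNetwork] = ALLOWED_CLIENT_CIDRS,
                             trusted_proxies: Iterable[IPNetwork] = TRUSTED_PROXY_CIDRS) -> bool:
    """Allow the request only if the effective client address is in the allow-list."""
    client = effective_client_ip(remote_addr, xff, trusted_proxies)
    return client is not None and _in_any(client, allowed)


if __name__ == "__main__":
    # A direct connection with a forged header is denied; the same header via our proxy is allowed.
    print(is_allowed_skill_request("203.0.113.5", "219.249.231.41"))  # False
    print(is_allowed_skill_request("10.0.0.7", "219.249.231.41"))     # True
```

The same right-to-left rule is what you would configure in Spring (or in NGINX's real_ip module) for the reverse-proxy case; the point is that the allow-list is only as strong as the answer to "who is allowed to set this header".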

binchoo commented Aug 3, 2022

Creating a new SG for ikakao proxies

```yaml
# Security group whose only ingress rule is HTTP from the ikakao bot proxy range.
# No VpcId is set, so the group is created in the account's default VPC.
SGIkakaoBotProxy:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Security Group allowing inbound traffic from ikakao bot proxies"
    GroupName: SGIkakaoBotProxy
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 219.249.231.40/30   # four addresses: .40 through .43
```

```yaml
# Attach the group to the Beanstalk EC2 instances via the launch configuration namespace.
PaimonGanyuSkillConfigurationTemplate:
  Type: AWS::ElasticBeanstalk::ConfigurationTemplate
  Properties:
    Description: Configuration for PaimonGanyu KAKAOTALK Skill Server
    ApplicationName: !Ref PaimonGanyuSkillApplication
    SolutionStackName: 64bit Amazon Linux 2 v3.2.16 running Corretto 11
    OptionSettings:
      ...
      - Namespace: aws:autoscaling:launchconfiguration
        OptionName: SecurityGroups
        Value: !Ref SGIkakaoBotProxy   # instances accept port 80 only from the SG's CIDR
      ...
```

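A rule like the one above is easy to get subtly wrong (a wider CIDR, protocol -1, a port range, or an IPv6 ::/0 slipping in next to a tight IPv4 rule). This added example (not the project's code) audits a list of ingress entries in the shape of CloudFormation `SecurityGroupIngress` items against the expected source range; the sample rule lists are constructed, and the function names are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the allow-list the SGIkakaoBotProxy group above uses.
EXPECTED_SOURCES = ["219.249.231.40/30"]

# Constructed samples in the shape of CloudFormation SecurityGroupIngress entries.
HARDENED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "219.249.231.40/30"},
]
WEAK_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIpv6": "::/0"},
    {"IpProtocol": "-1", "CidrIp": "219.249.231.0/24"},
]


def port_range(rule: Dict) -> Tuple[int, int]:
    """Ports a rule covers; protocol -1 (all traffic) carries no port fields."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return int(rule["FromPort"]), int(rule["ToPort"])


def audit_ingress(rules: List[Dict], expected_sources: List[str], port: int = 80) -> List[str]:
    """Return one finding per rule that reaches `port` from outside the expected
    sources, or that is broader (protocol or port range) than it needs to be."""
    expected = [ipaddress.ip_network(c) for c in expected_sources]
    findings: List[str] = []
    for i, rule in enumerate(rules):
        lo, hi = port_range(rule)
        if not lo <= port <= hi:
            continue  # does not reach the app port; out of scope for this check
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            continue  # SourceSecurityGroupId-style rule; not a CIDR check
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"rule {i}: {cidr} opens port {port} to the whole internet")
        elif not any(net.version == e.version and net.subnet_of(e) for e in expected):
            findings.append(f"rule {i}: source {cidr} is outside the expected allow-list")
        if rule.get("IpProtocol") == "-1":
            findings.append(f"rule {i}: all protocols allowed; restrict to tcp/{port}")
        elif (lo, hi) != (port, port):
            findings.append(f"rule {i}: port range {lo}-{hi} is wider than {port}")
    return findings


if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED_RULES), ("weak", WEAK_RULES)):
        print(name, audit_ingress(rules, EXPECTED_SOURCES) or ["ok"])
```

One caveat the check cannot see: the template attaches the group through `aws:autoscaling:launchconfiguration`, i.e. to the EC2 instances. In a load-balanced environment the instances see the load balancer as the TCP source, not the Kakao proxies, so the CIDR restriction belongs on the load balancer's group (the `SecurityGroups` option in the `aws:elbv2:loadbalancer` namespace) and the instance group should then only admit the load balancer. The rule as written is the right shape for a single-instance environment that clients reach directly.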
@binchoo binchoo mentioned this issue Sep 4, 2022
binchoo added a commit that referenced this issue Sep 4, 2022
binchoo commented Sep 4, 2022

Change of Impact

The security policy described in #16 (comment) is now applied.
(image attached)

@binchoo binchoo closed this as completed Sep 4, 2022
@binchoo binchoo changed the title [SAM] Improve beanstalk security: introduce new vpc and subnet. [SAM] Improve beanstalk security: introduce new security group for skill connectors Sep 4, 2022
@binchoo binchoo mentioned this issue Oct 3, 2022