From 5a456c76165204c16b7c133ae8e5bcc26803cc13 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Tue, 30 Mar 2021 19:31:23 +0200
Subject: [PATCH 1/3] CIS guide: VPC updates
The CIS Service Catalog now has a VPC service. This change makes the necessary related updates to the CIS guide.
---
 ...w-to-achieve-cis-benchmark-compliance.adoc | 139 +++++++-----------
 1 file changed, 57 insertions(+), 82 deletions(-)
diff --git a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
index fbad6e1eb..a88b5309c 100644
--- a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
+++ b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
@@ -715,7 +715,7 @@ security groups, and remote access. Moreover, our link:https://gruntwork.io/refe Architecture] can get you up and running with a secure network configuration immediately. Recommendation 5.1 requires that you use Network ACL rules to block all access to the remote server administration ports, such as SSH to port 22 and Remote -Desktop to port 3389, by default. You can then add additional NACL rules to allow remote admin access, but only from specific CIDR blocks. Recommendation 5.2 similarly allows you tallow remote admin access from specific CIDR blocks in your Security Groups. Note that allowing remote admin access from all IPs (`0.0.0.0/0`) is NOT allowed, so instead, if you require SSH or Remote Desktop to your cloud resources, provide a more restricted CIDR +Desktop to port 3389, by default. You can then add additional NACL rules to allow remote admin access, but only from specific CIDR blocks. Recommendation 5.2 similarly allows you to allow remote admin access from specific CIDR blocks in your Security Groups. Note that allowing remote admin access from all IPs (`0.0.0.0/0`) is NOT allowed, so instead, if you require SSH or Remote Desktop to your cloud resources, provide a more restricted CIDR range, such as the IP addresses of your offices. To meet recommendation 5.3, run the link:https://github.com/gruntwork-io/cloud-nuke[`cloud-nuke defaults-aws`] command 
@@ -1218,42 +1218,27 @@ module] to create KMS keys with key rotation enabled by default. ==== Create VPC flow logs The Benchmark recommends enabling link:https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html[VPC Flow Logs] for all VPCs in all regions. You can use the -link:https://github.com/gruntwork-io/terraform-aws-vpc/blob/master/modules/vpc-flow-logs/README.md[`vpc-flow-logs` core module] -to create a flow log for a given VPC. For example, you might first create a VPC using `terraform-aws-vpc`: +link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/networking/vpc[`vpc` service] +in the CIS Service Catalog to create your VPCs. This service is configured for CIS compliance, and as such has VPC flow +logs enabled. For example, you might create a VPC using the VPC service: .infrastructure-modules/networking/vpc/myvpc/main.tf [source,hcl] ---- -data "aws_availability_zones" "all" {} module "vpc" { - # Replace with the most recent release from the https://github.com/gruntwork-io/terraform-aws-vpc/releases[releases page]: - source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-flow-logs?ref=" - - vpc_name = var.vpc_name - aws_region = var.aws_region - - cidr_block = var.cidr_block - num_nat_gateways = var.num_nat_gateways - num_availability_zones = length(data.aws_availability_zones.all.names) + # Replace with the most recent release from https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases + source = "git::git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc?ref=" + + vpc_name = var.vpc_name + aws_region = var.aws_region + cidr_block = var.cidr_block + num_nat_gateways = var.num_nat_gateways + allow_administrative_remote_access_cidrs_public_subnets = var.allow_administrative_remote_access_cidrs_public_subnets } ---- -Then create a Flow Log for the VPC: - -.infrastructure-modules/networking/vpc/myvpc/main.tf -[source,hcl] ----- -module 
"flow_logs" { - source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-flow-logs?ref=" - - # We refer to the VPC ID created by the module above - vpc_id = module.vpc.vpc_id - kms_key_users = var.kms_key_users -} ----- - -All that's remaining is to define the parameters in a `variables.tf`: +Under the hood, the service will enable VPC flow logs. All that's remaining is to define the parameters in a `variables.tf`: .infrastructure-modules/networking/vpc/myvpc/variables.tf [source,hcl] @@ -1268,14 +1253,31 @@ variable "vpc_name" { type = string } -variable "kms_key_users" { - description = "A list of IAM user ARNs with access to the KMS key used with the VPC flow logs. Required if kms_key_arn is not defined." - type = list(string) +variable "cidr_block" { + description = "The IP address range of the app VPC in CIDR notation." + type = string +} + +variable "num_nat_gateways" { + description = "The number of NAT Gateways to launch for this VPC." + type = number +} + +variable "allow_administrative_remote_access_cidrs_public_subnets" { + description = "A map of CIDR blocks that will be allowed to access to administrative ports (e.g., SSH, RDP) in the public subnet tier." + type = map(string) + + # Example: + # + # default = { + # UsOffice = "1.2.3.4/32" + # EuOffice = "5.6.7.8/32" + # } } ---- -Refer to the flow logs -link:https://github.com/gruntwork-io/terraform-aws-vpc/blob/master/examples/vpc-flow-logs/main.tf[example code]. +Refer to the VPC +link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/examples/for-learning-and-testing/networking/vpc/terraform[example code]. To limit the number of flow logs, you may want to use the link:https://github.com/gruntwork-io/cloud-nuke[`cloud-nuke defaults-aws`] command. It will remove the default VPC from 
@@ -1299,16 +1301,16 @@ setup a subscriber to the SNS topics that are created. [[configure_networking]] === Configure networking -If you're using Gruntwork's link:https://github.com/gruntwork-io/terraform-aws-vpc[VPC module] for your VPCs, two -of the four recommendations in this section are already taken care of! By default, none of our modules allow -security groups to access to ports 22 or 3389 from the world, and our architecture has a least-privileges-based routing -configuration by default. +To ensure all the networking recommendations are satisfied, use the +link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/networking/vpc[`vpc`] (and/or +link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/networking/vpc-mgmt[`vpc-mgmt`]) +service from Gruntwork's CIS Service Catalog to create all your VPCs. These services are specifically configured for +CIS compliance, and as such they don't allow security groups to access to ports 22 or 3389 from the world. In addition, +our architecture has a least-privileges-based routing configuration by default. -To meet the 5.1 recommendation, you need to create your Network ACL Rules for the VPC-App using the -link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/vpc-app-network-acls[`vpc-app-network-acls` -module] and your NACL Rules for the VPC-Mgmt (which is being deprecated) using the -link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/vpc-mgmt-network-acls[`vpc-mgmt-network-acls` -module]. For example, you might first create a VPC using `terraform-aws-vpc`: +To meet the 5.1 recommendation, you'll need to provide values for the `allow_administrative_remote_access_*` variables +when creating VPCs. These variables are used to create appropriate Network ACL Rules. 
For example, you might create a +VPC using the `vpc` service from `terraform-aws-cis-service-catalog`: ---- infrastructure-modules 
@@ -1322,44 +1324,17 @@ infrastructure-modules
 .infrastructure-modules/networking/vpc/myvpc/main.tf
 [source,hcl]
 ----
-data "aws_availability_zones" "all" {}
-
 module "vpc" {
- # Replace with the most recent release from the https://github.com/gruntwork-io/terraform-aws-vpc/releases[releases page]:
- source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-app?ref="
-
- vpc_name = var.vpc_name
- aws_region = var.aws_region
-
- cidr_block = var.cidr_block
- num_nat_gateways = var.num_nat_gateways
- num_availability_zones = length(data.aws_availability_zones.all.names)
-}
-----
-
-Then add the Network ACL rules for the VPC:
-
-.infrastructure-modules/networking/vpc/myvpc/main.tf
-[source,hcl]
-----
-module "vpc_network_acls" {
- # Replace with the most recent release from the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases[releases page]:
- source = "git::git@github.com:gruntwork-io/.git/terraform-aws-cis-service-catalog/modules/vpc-app-network-acls?ref="
-
- vpc_id = module.vpc.vpc_id
- vpc_name = module.vpc.vpc_name
- vpc_ready = module.vpc.vpc_ready
- num_subnets = module.vpc.num_availability_zones
-
- public_subnet_ids = module.vpc.public_subnet_ids
- private_app_subnet_ids = module.vpc.private_app_subnet_ids
- private_persistence_subnet_ids = module.vpc.private_persistence_subnet_ids
+ # Replace with the most recent release from the https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases:
+ source = "git::git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc?ref="
 
- public_subnet_cidr_blocks = module.vpc.public_subnet_cidr_blocks
- private_app_subnet_cidr_blocks = module.vpc.private_app_subnet_cidr_blocks
- private_persistence_subnet_cidr_blocks = module.vpc.private_persistence_subnet_cidr_blocks
+ # Set the basic required variables first
+ vpc_name = var.vpc_name
+ aws_region = var.aws_region
+ cidr_block = var.cidr_block
+ num_nat_gateways = var.num_nat_gateways
 
- # These variables are not on the terraform-aws-vpc module, they refer to the CIS v1.3 recommendation 5.1.
+ # Next, pass values for the allow_administrative_remote_access_* variables, thus creating the NACL rules under the hood
 allow_administrative_remote_access_cidrs_public_subnets = var.allow_administrative_remote_access_cidrs
 allow_administrative_remote_access_cidrs_private_app_subnets = { all_app_vpc_cidrs = module.vpc.vpc_cidr_block }
 allow_administrative_remote_access_cidrs_private_persistence_subnets = { all_app_vpc_cidrs = module.vpc.vpc_cidr_block }
@@ -1424,11 +1399,11 @@ sections above.
 3.5,<>,Enable AWS Config for all regions
 3.6-3.7,<>,Use the Gruntwork CloudTrail wrapper module
 3.8,<>,Use the KMS module
-3.9,<>,Use the VPC flow logs core module
+3.9,<>,Gruntwork's `vpc` service enables flow logs by default
 3.10-3.11,<>,Use the Gruntwork CloudTrail wrapper module
 4.1-4.15,<>,The CloudWatch Logs metrics filters wrapper module will satisfy each recommendation
-5.1,<>,Use the `vpc-app-network-acls` and `vpc-mgmt-network-acls` to ensure there is no public remote access
-5.2,<>,Use the Gruntwork VPC modules for a secure network configuration
-5.3,<>,The cloud-nuke tool can remove all default security groups
-5.4,<>,Gruntwork's VPC module creates least-privilege routing by default
+5.1,<>,Use the Gruntwork `vpc` service to ensure there is no public remote access
+5.2,<>,Use the Gruntwork `vpc` service for a secure network configuration
+5.3,<>,The `cloud-nuke` tool can remove all default security groups
+5.4,<>,Gruntwork's `vpc` service creates least-privilege routing by default
 |===
From 2ba864061ad5b497bc1607b8e0d63540aa28a144 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Tue, 30 Mar 2021 19:42:26 +0200
Subject: [PATCH 2/3] Fix wording
---
 .../2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
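Review bot: With the `vpc_network_acls` module block deleted, the three unchanged `allow_administrative_remote_access_cidrs_*` context lines at the end of the hunk now sit inside `module "vpc"` itself, and two of them still read `module.vpc.vpc_cidr_block`, so the example module references its own output and Terraform will reject it as a dependency cycle. The module already receives the VPC CIDR as an input, so the private-tier maps should use that instead, e.g. `allow_administrative_remote_access_cidrs_private_app_subnets = { all_app_vpc_cidrs = var.cidr_block }` and the same for `allow_administrative_remote_access_cidrs_private_persistence_subnets`. The public-subnet line passes `var.allow_administrative_remote_access_cidrs`, whereas the `variables.tf` example earlier in this patch declares `allow_administrative_remote_access_cidrs_public_subnets`; using one name in both snippets would keep them copy-pasteable together. The closing `}` and `----` of this listing are outside the hunk.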
diff --git a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
index a88b5309c..ff3a8c03c 100644
--- a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
+++ b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
@@ -1264,7 +1264,7 @@ variable "num_nat_gateways" {
 }
 
 variable "allow_administrative_remote_access_cidrs_public_subnets" {
- description = "A map of CIDR blocks that will be allowed to access to administrative ports (e.g., SSH, RDP) in the public subnet tier."
+ description = "A map of CIDR blocks that will be allowed access to administrative ports (e.g., SSH, RDP) in the public subnet tier."
 type = map(string)
 
 # Example:
@@ -1305,7 +1305,7 @@ To ensure all the networking recommendations are satisfied, use the
 link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/networking/vpc[`vpc`] (and/or
 link:https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/tree/master/modules/networking/vpc-mgmt[`vpc-mgmt`])
 service from Gruntwork's CIS Service Catalog to create all your VPCs. These services are specifically configured for
-CIS compliance, and as such they don't allow security groups to access to ports 22 or 3389 from the world. In addition,
+CIS compliance, and as such they don't allow security groups to access ports 22 or 3389 from the world. In addition,
 our architecture has a least-privileges-based routing configuration by default.
 
 To meet the 5.1 recommendation, you'll need to provide values for the `allow_administrative_remote_access_*` variables
From bce2272f30d62be0873b0cd2a6a84d5a58bdc4ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ana=20Krivokapi=C4=87?=
Date: Wed, 31 Mar 2021 12:08:47 +0200
Subject: [PATCH 3/3] Apply suggestions from code review
Co-authored-by: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com>
---
 ...-10-17-how-to-achieve-cis-benchmark-compliance.adoc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
index ff3a8c03c..f2743a064 100644
--- a/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
+++ b/_posts/2019-10-17-how-to-achieve-cis-benchmark-compliance.adoc
@@ -1399,11 +1399,11 @@ sections above.
 3.5,<>,Enable AWS Config for all regions
 3.6-3.7,<>,Use the Gruntwork CloudTrail wrapper module
 3.8,<>,Use the KMS module
-3.9,<>,Gruntwork's `vpc` service enables flow logs by default
+3.9,<>,Use the Gruntwork CIS-compliant `vpc` service to provision VPCs with flow logs enabled
 3.10-3.11,<>,Use the Gruntwork CloudTrail wrapper module
 4.1-4.15,<>,The CloudWatch Logs metrics filters wrapper module will satisfy each recommendation
-5.1,<>,Use the Gruntwork `vpc` service to ensure there is no public remote access
-5.2,<>,Use the Gruntwork `vpc` service for a secure network configuration
-5.3,<>,The `cloud-nuke` tool can remove all default security groups
-5.4,<>,Gruntwork's `vpc` service creates least-privilege routing by default
+5.1,<>,Use the Gruntwork CIS-compliant `vpc` service to ensure there is no public remote access
+5.2,<>,Use the Gruntwork CIS-compliant `vpc` service for a secure network configuration
+5.3,<>,Use the `cloud-nuke` tool to remove all default security groups
+5.4,<>,Use the Gruntwork CIS-compliant `vpc` service to configure least-privilege routing by default
 |===