Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

346 lines (315 sloc) 8.93 KB
# Note : The Cloudformation Security Group IP address is open by default (testing purpose).
# You should update Security Group Access with your own IP Address to ensure your instances security.
#
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
This template contains the Security Groups and Network Access Control
required by our entire stack. We create them in a seperate nested template,
so they can be referenced by all of the other nested templates.
Parameters:
PMServerEnv:
Description: "Server Environment name."
ConstraintDescription: "Choose an Environment from the drop down"
Type: "String"
AllowedValues:
- "dev"
- "staging"
- "prod"
PMVPC:
Description: "VPC to launch instances into"
Type: "AWS::EC2::VPC::Id"
PMNACL:
Description: "Network ACL Id"
Type: "String"
PMOWNIP:
Description: "Update this with your own office/home public ip address"
Type: "String"
Resources:
# This security group defines Nginx Web proxy host.
# By default we're just allowing access from the load balancer. If you want to SSH
# into the hosts, or expose non-load balanced services you can open their ports here.
ProxyHostSG:
Type: "AWS::EC2::SecurityGroup"
Properties:
VpcId: !Ref "PMVPC"
GroupDescription: "Web Server Security Group"
SecurityGroupIngress:
- CidrIp: !Ref "PMOWNIP"
FromPort: "22"
IpProtocol: "tcp"
ToPort: "22"
- FromPort: "443"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "WEBELBSG"
ToPort: "443"
- FromPort: "80"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "WEBELBSG"
ToPort: "80"
SecurityGroupEgress:
- IpProtocol: '-1'
CidrIp: '0.0.0.0/0'
Tags:
- Key: "Name"
Value: !Sub "${PMServerEnv}-ProxyHostSG"
# Web Proxy Server Elastic Load Balancer
WEBELBSG:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "ELB-WEBSG"
SecurityGroupEgress:
- IpProtocol: "-1"
CidrIp: "0.0.0.0/0"
SecurityGroupIngress:
- IpProtocol: 'icmp'
FromPort: '-1'
ToPort: '-1'
CidrIp: '0.0.0.0/0'
- CidrIp: "0.0.0.0/0"
FromPort: "80"
IpProtocol: "tcp"
ToPort: "80"
- CidrIp: "0.0.0.0/0"
FromPort: "443"
IpProtocol: "tcp"
ToPort: "443"
VpcId: !Ref "PMVPC"
Tags:
- Key: "Name"
Value: !Sub "${PMServerEnv}-WEBELBSG"
# App Server Security Group
# PHP-fpm (port 9001-9003)
APPHostSG:
Type: "AWS::EC2::SecurityGroup"
Properties:
VpcId: !Ref "PMVPC"
GroupDescription: "Application Server Security Group"
SecurityGroupIngress:
# This is private subnet, so you can only able to ssh once you're inside
# the public subnet host (E.g. Bastion Host).
- CidrIp: "0.0.0.0/0"
FromPort: "22"
IpProtocol: "tcp"
ToPort: "22"
- FromPort: "9001"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "APPELBSG"
ToPort: "9001"
- FromPort: "9002"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "APPELBSG"
ToPort: "9002"
- FromPort: "9003"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "APPELBSG"
ToPort: "9003"
SecurityGroupEgress:
- IpProtocol: '-1'
CidrIp: '0.0.0.0/0'
Tags:
- Key: "Name"
Value: !Sub "${PMServerEnv}-APPHostSG"
# AppServer Elastic Load Balancer
APPELBSG:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "ELB-APPSG"
SecurityGroupEgress:
- IpProtocol: "-1"
CidrIp: "0.0.0.0/0"
SecurityGroupIngress:
- FromPort: "9001"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "ProxyHostSG"
ToPort: "9001"
- FromPort: "9002"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "ProxyHostSG"
ToPort: "9002"
- FromPort: "9003"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "ProxyHostSG"
ToPort: "9003"
VpcId:
Ref: "PMVPC"
Tags:
- Key: "Name"
Value: !Sub "${PMServerEnv}-APPELBSG"
# Allow RDS connection from ECS Cluster only.
RDSSG:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "Security group for RDS DB Instance."
SecurityGroupEgress:
- IpProtocol: "-1"
CidrIp: "0.0.0.0/0"
SecurityGroupIngress:
- FromPort: "3306"
IpProtocol: "tcp"
SourceSecurityGroupId:
Ref: "APPHostSG"
ToPort: "3306"
VpcId:
Ref: "PMVPC"
Tags:
- Key: "Name"
Value: !Sub "${PMServerEnv}-RDSSG"
#####################################################################################
# Additional Firewall Protection (inbound and outbound traffic at the subnet level)
####### INBOUND HTTP Network ACL RULES ##############################################
InboundHTTPNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '100'
Protocol: "6"
RuleAction: "allow"
Egress: "false"
CidrBlock: "0.0.0.0/0"
PortRange:
From: '80'
To: '80'
####### INBOUND HTTPS Network ACL RULES #######
InboundHTTPSNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '200'
Protocol: "6"
RuleAction: "allow"
Egress: "false"
CidrBlock: "0.0.0.0/0"
PortRange:
From: '443'
To: '443'
####### INBOUND SSH Network ACL RULES #######
InboundSSHNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '300'
Protocol: "6"
RuleAction: "allow"
Egress: "false"
CidrBlock: !Ref "PMOWNIP"
PortRange:
From: '22'
To: '22'
####### INBOUND Ephemeral Ports Network ACL RULES #######
InboundEPHNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '400'
Protocol: "6"
RuleAction: "allow"
Egress: "false"
CidrBlock: "0.0.0.0/0"
PortRange:
From: '1024'
To: '65535'
####### INBOUND ICMP Network ACL RULES #######
InboundICMPNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '500'
Protocol: "1"
RuleAction: "allow"
Egress: "false"
CidrBlock: "0.0.0.0/0"
Icmp:
Code: "-1"
Type: "-1"
####### OUTBOUND HTTP Network ACL RULES #######
OutboundHTTPNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '100'
Protocol: "6"
RuleAction: "allow"
Egress: "true"
CidrBlock: "0.0.0.0/0"
PortRange:
From: '80'
To: '80'
####### OUTBOUND HTTPS Network ACL RULES #######
OutboundHTTPSNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '200'
Protocol: "6"
RuleAction: "allow"
Egress: "true"
CidrBlock: "0.0.0.0/0"
PortRange:
From: '443'
To: '443'
####### OUTBOUND SSH Network ACL RULES #######
OutboundSSHNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '300'
Protocol: "6"
RuleAction: "allow"
Egress: "true"
CidrBlock: !Ref "PMOWNIP"
PortRange:
From: '22'
To: '22'
####### OUTBOUND Ephemeral Ports Network ACL RULES #######
OutboundEPHNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '400'
Protocol: "6"
RuleAction: "allow"
Egress: "true"
CidrBlock: "0.0.0.0/0"
PortRange:
From: '1024'
To: '65535'
####### OUTBOUND ICMP Network ACL RULES #######
OutboundICMPNACL:
Type: "AWS::EC2::NetworkAclEntry"
Properties:
NetworkAclId: !Ref "PMNACL"
RuleNumber: '500'
Protocol: "1"
RuleAction: "allow"
Egress: "true"
CidrBlock: "0.0.0.0/0"
Icmp:
Code: "-1"
Type: "-1"
Outputs:
ProxyHostSG:
Description: "A reference to the security group for Proxy hosts"
Value: !Ref "ProxyHostSG"
WEBELBSG:
Description: "A reference to the security group for Web ELB"
Value: !Ref "WEBELBSG"
APPHostSG:
Description: "A reference to the security group for APP hosts"
Value: !Ref "APPHostSG"
APPELBSG:
Description: "A reference to the security group for Application ELB"
Value: !Ref "APPELBSG"
RDSSG:
Description: "A reference to the security group for RDS"
Value: !Ref "RDSSG"
Export:
Name: !Sub "${PMServerEnv}-RDSSG"
You can’t perform that action at this time.