Skip to content

Latest commit

 

History

History

security_group_close_port_5432

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
__init__.py
__init__.py
 
 
constraints.txt
constraints.txt
 
 
minimum_policy.json
minimum_policy.json
 
 
requirements-dev.txt
requirements-dev.txt
 
 
requirements.txt
requirements.txt
 
 
security_group_close_port_5432.py
security_group_close_port_5432.py
 
 

README.md

Close Port 5432 for a Security Group

This job blocks public access to port 5432 for both IPv4 and IPv6 by removing all the ingress security group rules containing port 5432 in the port range and source as "0.0.0.0/0" or "::/0".

Applicable Rule

Rule ID:

5c8c25f07a550e1fb6560bc6

Rule Name:

A security group's PostgreSQL Server port (5432) is accessible through any source address

Getting Started

Prerequisites

The provided AWS credential must have access to ec2:RevokeSecurityGroupIngress, ec2:DescribeSecurityGroupRules.

You may find the latest example policy file here

Running the script

You may run this script using following commands:

  pip install -r ../../requirements.txt
  python3 security_group_close_port_5432.py

Running the tests

You may run test using following command under vss-remediation-worker-job-code-python directory:

    python3 -m pytest

Deployment

  1. Provision a Virtual Machine Create an EC2 instance to use for the worker. The minimum required specifications are 128 MB memory and 1/2 Core CPU.
  2. Setup Docker Install Docker on the newly provisioned EC2 instance. You can refer to the docs here for more information.
  3. Deploy the worker image SSH into the EC2 instance and run the command below to deploy the worker image:
  docker run --rm -it --name worker \
  -e VSS_CLIENT_ID={ENTER CLIENT ID}
  -e VSS_CLIENT_SECRET={ENTER CLIENT SECRET} \
  vmware/vss-remediation-worker:latest-python

Contributing

The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.

For more detailed information, refer to CONTRIBUTING.md.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Authors

  • VMware Secure State - Initial work

See also the list of contributors who participated in this project.

License

This project is licensed under the Apache License - see the LICENSE file for details