🔐 AWS Security Group Management Lambda 🔐

security-group-manager

An AWS Lambda to maintain whitelist rules on Security Groups.

Features

  • Manage trusted CIDRs in one place.
  • Manage some or all of the rules in a security group automatically.
  • Mix multiple protocols on a security group.
  • Define your own custom protocols.

Manual

Tag a security group with <protocol-name>=managed, where <protocol-name> is one of the protocols defined in the configuration. The Lambda then keeps that group's ingress rules for that protocol in sync with the whitelist.

Install

  1. Download the latest release and extract the archive.

  2. Create AWS Secrets Manager Secret with the sample/custom configuration:

    Sample Configuration
    {
        "protocols": {
            "http": {
                "transport": "tcp",
                "from_port": 80,
                "to_port": 80
            },
            "https": {
                "transport": "tcp",
                "from_port": 443,
                "to_port": 443
            },
            "ssh": {
                "transport": "tcp",
                "from_port": 22,
                "to_port": 22
            },
            "rdp": {
                "transport": "tcp",
                "from_port": 3389,
                "to_port": 3389
            }
        },
        "rules": [
            {
                "cidr": "34.226.14.13/32",
                "note": "Primary VPN"
            },
            {
                "cidr": "52.15.127.128/27",
                "note": "UK Office"
            },
            {
                "cidr": "35.158.136.0/22",
                "note": "US Office"
            },
            {
                "cidr": "52.57.254.0/29",
                "note": "IL Office"
            },
            {
                "cidr": "13.54.63.128/32",
                "note": "Backup VPN"
            }
        ]
    }
  3. Update serverless.yaml

    • Secret Name: Fill in your secret name under environment/SECRET.
    • Secrets Manager Permissions: Update iamRoleStatements/Resource to contain your secret name or its full ARN.
    • Schedule: The Lambda is configured to run every half hour; you may change that under functions/app/schedule.
    Optional Configuration

    You may tweak the Lambda's behavior via additional environmental variables:

    • DEBUG=true - Enable verbose logs
    • LOCAL=true - Toggle to execute outside of AWS Lambda environment (useful during local development)
    • OPERATIONAL_REGION=<region> - Region in which the Lambda should manage security groups. This allows several Lambdas deployed in a single region to manage several regions (default: us-east-1)
    • SECRET_REGION=<region> - Secrets Manager region in which the whitelist secret is created. This allows Lambdas deployed in multiple regions to share a single source of truth (default: us-east-1)
  4. Deploy with: serverless deploy --stage prod, or create the Lambda manually.
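To make the configuration format and the tagging mechanism concrete, here is an added Go example that is not part of the security-group-manager project: it parses the sample secret above, reads a group's <protocol-name>=managed tags, expands the whitelist across the managed protocols, and diffs the result against a snapshot of the group's current ingress rules. The AWS calls are replaced by an in-memory snapshot so it runs offline; the validation rules (reject catch-all CIDRs, bad port ranges, unknown transports) and the assumption that a current rule belongs to a managed protocol when its transport and port range match are my additions, not behaviour documented for the Lambda.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// Config mirrors the secret layout shown in the README: named protocols plus
// one shared whitelist of CIDRs applied to every managed protocol.
type Config struct {
	Protocols map[string]Protocol `json:"protocols"`
	Rules     []Rule              `json:"rules"`
}
type Protocol struct {
	Transport string `json:"transport"`
	FromPort  int    `json:"from_port"`
	ToPort    int    `json:"to_port"`
}
type Rule struct {
	CIDR string `json:"cidr"`
	Note string `json:"note"`
}

// Permission is one ingress rule in a comparable, normalized form.
type Permission struct {
	Transport      string
	FromPort, ToPort int
	CIDR           string
}

// ParseConfig decodes the secret and fails closed on bad port ranges, unknown
// transports, unparsable CIDRs and catch-all CIDRs (0.0.0.0/0 or ::/0), since a
// catch-all whitelist entry would open every managed port to the world.
// (These checks are this example's, not the project's documented behaviour.)
func ParseConfig(raw []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	for name, p := range cfg.Protocols {
		if p.Transport != "tcp" && p.Transport != "udp" {
			return nil, fmt.Errorf("protocol %q: unsupported transport %q", name, p.Transport)
		}
		if p.FromPort < 0 || p.ToPort > 65535 || p.FromPort > p.ToPort {
			return nil, fmt.Errorf("protocol %q: bad port range %d-%d", name, p.FromPort, p.ToPort)
		}
	}
	for _, r := range cfg.Rules {
		_, ipnet, err := net.ParseCIDR(r.CIDR)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", r.Note, err)
		}
		if ones, _ := ipnet.Mask.Size(); ones == 0 {
			return nil, fmt.Errorf("rule %q: refusing catch-all CIDR %s", r.Note, r.CIDR)
		}
	}
	return &cfg, nil
}

// ManagedProtocols returns, in stable order, the configured protocols a group
// opts into via "<protocol-name>=managed" tags; tags naming unknown protocols are ignored.
func ManagedProtocols(cfg *Config, tags map[string]string) []string {
	var names []string
	for k, v := range tags {
		if _, known := cfg.Protocols[k]; known && v == "managed" {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	return names
}

// Plan returns the rules to authorize and to revoke so every managed protocol
// allows exactly the whitelist. Rules whose transport/port range match no managed
// protocol are left alone, so hand-maintained rules on other ports survive.
func Plan(cfg *Config, tags map[string]string, current []Permission) (toAdd, toRevoke []Permission) {
	managed := ManagedProtocols(cfg, tags)
	var desired []Permission
	for _, name := range managed {
		p := cfg.Protocols[name]
		for _, r := range cfg.Rules {
			desired = append(desired, Permission{p.Transport, p.FromPort, p.ToPort, r.CIDR})
		}
	}
	want, have := map[Permission]bool{}, map[Permission]bool{}
	for _, d := range desired {
		want[d] = true
	}
	for _, c := range current {
		have[c] = true
	}
	for _, d := range desired {
		if !have[d] {
			toAdd = append(toAdd, d)
		}
	}
	for _, c := range current {
		if want[c] {
			continue
		}
		for _, name := range managed { // assumption: managed == same transport and port range
			if p := cfg.Protocols[name]; c.Transport == p.Transport && c.FromPort == p.FromPort && c.ToPort == p.ToPort {
				toRevoke = append(toRevoke, c)
				break
			}
		}
	}
	return toAdd, toRevoke
}

// Constructed sample data: the README's secret, a group tagged for http and ssh,
// and a snapshot of its current rules (one stale world-open SSH rule to revoke,
// one hand-maintained HTTPS rule that must be left untouched).
const sampleSecret = `{"protocols":{
  "http":{"transport":"tcp","from_port":80,"to_port":80},
  "https":{"transport":"tcp","from_port":443,"to_port":443},
  "ssh":{"transport":"tcp","from_port":22,"to_port":22},
  "rdp":{"transport":"tcp","from_port":3389,"to_port":3389}},
 "rules":[{"cidr":"34.226.14.13/32","note":"Primary VPN"},{"cidr":"52.15.127.128/27","note":"UK Office"},
  {"cidr":"35.158.136.0/22","note":"US Office"},{"cidr":"52.57.254.0/29","note":"IL Office"},
  {"cidr":"13.54.63.128/32","note":"Backup VPN"}]}`

var sampleTags = map[string]string{"Name": "web", "http": "managed", "ssh": "managed"}
var sampleCurrent = []Permission{
	{"tcp", 80, 80, "34.226.14.13/32"}, // already whitelisted, keep
	{"tcp", 22, 22, "0.0.0.0/0"},       // stale world-open SSH, revoke
	{"tcp", 443, 443, "10.0.0.0/8"},    // https is not tagged managed, leave alone
}

func main() {
	cfg, err := ParseConfig([]byte(sampleSecret))
	if err != nil {
		panic(err)
	}
	add, revoke := Plan(cfg, sampleTags, sampleCurrent)
	for _, p := range add {
		fmt.Printf("authorize %s %d-%d from %s\n", p.Transport, p.FromPort, p.ToPort, p.CIDR)
	}
	for _, p := range revoke {
		fmt.Printf("revoke    %s %d-%d from %s\n", p.Transport, p.FromPort, p.ToPort, p.CIDR)
	}
}
```

Run with go run: for the constructed snapshot it authorizes nine rules (the four missing HTTP whitelist entries and all five SSH entries), revokes the 0.0.0.0/0 SSH rule, and leaves the HTTPS rule alone because https is not tagged managed on that group. In a real deployment the snapshot would come from DescribeSecurityGroups and the plan would be applied with Authorize/RevokeSecurityGroupIngress; logging the plan before applying it gives a useful audit trail of every rule the Lambda changes.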

To use the latest version (master branch), clone the repository and compile the project by running make release before deploying it.

Notes

  • You may build the project for linux/amd64 using Go, or with the handy make targets on a Linux/macOS workstation:
    • make lint - Lint project
    • make test - Execute unit tests
    • make - Lint + Unit Test + Vendor
    • make codecov - Open code-coverage report
    • make release - Compile project

License

MIT © 2020 Reason Cybersecurity Ltd.