
Get default security group from VPC


I would like to export the default security group id from a VPC I create. In CloudFormation I would reference the VPC return value of DefaultSecurityGroup, but how would I accomplish the same using the CDK?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 16 (5 by maintainers)

Top GitHub Comments

19 reactions
shearn89 commented, Jun 24, 2020

Just about to (I think) bump into this. One use case I can see is that the CIS security benchmark for AWS dictates that all default security groups should restrict all traffic (control 4.3 - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#cis-4.3-remediation). To comply with that, it would be nice to configure the default security group as part of the CDK template.

I’ll do some reading and find out whether (a) this is already possible as @rix0rr says, or (b) needs to be added. I had to do something similar to retrieve the default IGW id, so hopefully this isn’t too dissimilar.

15 reactions
basverweij-pp commented, Jan 7, 2022

@shearn89 & @AaronFinn95: FYI: I ran into this issue yesterday because of the same use case and solved it by wrapping the Vpc class and adding two custom resources that revoke the default security group’s ingress and egress rules. (As a bonus they are also restored when deleting the construct, so that it nicely rolls back in case a stack deployment fails.)

```typescript
import { Stack } from 'aws-cdk-lib';
import { CfnVPC, Vpc, VpcProps } from 'aws-cdk-lib/aws-ec2';
import {
    AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId
} from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

export class BaseVpc extends Vpc {

    constructor(scope: Construct, id: string, props: VpcProps) {
        super(scope, id, props);

        // Configure default security group according to "CIS AWS Foundations Benchmark controls",
        // section "4.3 – Ensure the default security group of every VPC restricts all traffic".
        // See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.3

        // The L1 CfnVPC beneath the L2 Vpc exposes the DefaultSecurityGroup attribute
        // (the same value CloudFormation returns via Fn::GetAtt).
        const cfnVpc = this.node.defaultChild as CfnVPC;

        const stack = Stack.of(this);

        // The initial ingress rule AWS creates on every default group: all traffic
        // from members of the group itself.
        const ingressParameters = {
            GroupId: cfnVpc.attrDefaultSecurityGroup,
            IpPermissions: [
                {
                    IpProtocol: '-1',
                    UserIdGroupPairs: [
                        {
                            GroupId: cfnVpc.attrDefaultSecurityGroup,
                        },
                    ],
                },
            ],
        };

        // Revoke the ingress rule on create; re-authorize it on delete so a failed
        // deployment rolls back to the AWS default state. The SDK-call policy is
        // scoped to the default group's ARN only.
        new AwsCustomResource(
            this,
            'RestrictSecurityGroupIngress',
            {
                onCreate: {
                    service: 'EC2',
                    action: 'revokeSecurityGroupIngress',
                    parameters: ingressParameters,
                    physicalResourceId: PhysicalResourceId.of(`restrict-ingress-${this.vpcId}-${cfnVpc.attrDefaultSecurityGroup}`),
                },
                onDelete: {
                    service: 'EC2',
                    action: 'authorizeSecurityGroupIngress',
                    parameters: ingressParameters,
                },
                policy: AwsCustomResourcePolicy.fromSdkCalls({
                    resources: [`arn:aws:ec2:${stack.region}:${stack.account}:security-group/${cfnVpc.attrDefaultSecurityGroup}`],
                }),
            });

        // The initial egress rule AWS creates on every default group: all traffic
        // to 0.0.0.0/0.
        const egressParameters = {
            GroupId: cfnVpc.attrDefaultSecurityGroup,
            IpPermissions: [
                {
                    IpProtocol: '-1',
                    IpRanges: [
                        {
                            CidrIp: '0.0.0.0/0',
                        },
                    ],
                },
            ],
        };

        new AwsCustomResource(
            this,
            'RestrictSecurityGroupEgress',
            {
                onCreate: {
                    service: 'EC2',
                    action: 'revokeSecurityGroupEgress',
                    parameters: egressParameters,
                    physicalResourceId: PhysicalResourceId.of(`restrict-egress-${this.vpcId}-${cfnVpc.attrDefaultSecurityGroup}`),
                },
                onDelete: {
                    service: 'EC2',
                    action: 'authorizeSecurityGroupEgress',
                    parameters: egressParameters,
                },
                policy: AwsCustomResourcePolicy.fromSdkCalls({
                    resources: [`arn:aws:ec2:${stack.region}:${stack.account}:security-group/${cfnVpc.attrDefaultSecurityGroup}`],
                }),
            });
    }
}
```
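To verify that a deployed stack actually meets the CIS 4.3 use case both comments describe, here is an added example (not from the issue thread or the aws-cdk project) that audits the response shape of EC2 DescribeSecurityGroups: every group named `default` that still has an effective ingress or egress rule is reported. It assumes a plain array of security group records as the EC2 API returns them; the records below are constructed sample data.

```typescript
// Added example, not code from the issue thread: a CIS control 4.3 audit over the
// shape of an EC2 DescribeSecurityGroups response. The groups below are constructed.
interface IpPermission {
  IpProtocol: string;
  IpRanges?: { CidrIp: string }[];
  Ipv6Ranges?: { CidrIpv6: string }[];
  UserIdGroupPairs?: { GroupId?: string }[];
  PrefixListIds?: { PrefixListId: string }[];
}
interface SecurityGroup {
  GroupId: string;
  GroupName: string;
  VpcId?: string;
  IpPermissions: IpPermission[];
  IpPermissionsEgress: IpPermission[];
}
type Finding = { groupId: string; vpcId: string; ingress: number; egress: number };

// A rule entry that names no peer (CIDR, group or prefix list) grants nothing.
function grantsAnything(p: IpPermission): boolean {
  return (p.IpRanges?.length ?? 0) + (p.Ipv6Ranges?.length ?? 0)
    + (p.UserIdGroupPairs?.length ?? 0) + (p.PrefixListIds?.length ?? 0) > 0;
}

// Control 4.3 holds only when every VPC's default group has no effective ingress
// and no effective egress rule; each default group that still has one is reported.
function auditDefaultSecurityGroups(groups: SecurityGroup[]): Finding[] {
  return groups
    .filter(g => g.GroupName === 'default')
    .map(g => ({
      groupId: g.GroupId,
      vpcId: g.VpcId ?? '(no VPC)',
      ingress: g.IpPermissions.filter(grantsAnything).length,
      egress: g.IpPermissionsEgress.filter(grantsAnything).length,
    }))
    .filter(f => f.ingress > 0 || f.egress > 0);
}

// Constructed sample: sg-aaa still carries the two rules AWS creates with each VPC
// (self-referencing ingress, egress to 0.0.0.0/0); sg-bbb had both revoked; sg-ccc is not default.
const SAMPLE_GROUPS: SecurityGroup[] = [
  { GroupId: 'sg-aaa', GroupName: 'default', VpcId: 'vpc-1',
    IpPermissions: [{ IpProtocol: '-1', UserIdGroupPairs: [{ GroupId: 'sg-aaa' }] }],
    IpPermissionsEgress: [{ IpProtocol: '-1', IpRanges: [{ CidrIp: '0.0.0.0/0' }] }] },
  { GroupId: 'sg-bbb', GroupName: 'default', VpcId: 'vpc-2',
    IpPermissions: [], IpPermissionsEgress: [] },
  { GroupId: 'sg-ccc', GroupName: 'app', VpcId: 'vpc-2',
    IpPermissions: [{ IpProtocol: 'tcp', IpRanges: [{ CidrIp: '10.0.0.0/8' }] }],
    IpPermissionsEgress: [] },
];
console.log(auditDefaultSecurityGroups(SAMPLE_GROUPS));
```

In a real audit, feed it the `SecurityGroups` array from `describe_security_groups` (filtered on `group-name = default`) for each region; an empty result means the control passes.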