Support for SourceSecurityGroupId under SecurityGroupEgress in AWS::EC2::SecurityGroup

cfn-lint version (cfn-lint --version): cfn-lint 0.7.3

Description of issue: For some reason I get:

E3002 Invalid Property Resources/LaServiceEndpointSecurityGroup/Properties/SecurityGroupEgress/0/SourceSecurityGroupId
template.yml:1483:9

for

  LaServiceEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: LaServiceEndpointSecurityGroup
      GroupDescription: Security Group for VPC endpoints in the Lambda subnets
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        SourceSecurityGroupId:
          Fn::GetAtt: [LambdaCanCallLaServiceSecurityGroup, GroupId]
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        SourceSecurityGroupId:
          Fn::GetAtt: [LambdaCanCallLaServiceSecurityGroup, GroupId]
      VpcId:
        Ref: VPC
      Tags:
        - Key: Name
          Value: LaServiceEndpointSecurityGroup
        - Key: Stage
          Value: {Ref: Stage}

The odd part is it doesn’t complain about SourceSecurityGroupId under SecurityGroupIngress, only SecurityGroupEgress.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 16 (10 by maintainers)

Top GitHub Comments

cmmeyer commented, Sep 27, 2018 (2 reactions)

Ok, that’s so WEIRD – I ran it myself and it looks like the CloudFormation workflow is treating the SourceSecurityGroupId as a DestinationSecurityGroupId. This kind of makes sense since the underlying API (AuthorizeSecurityGroupEgress) doesn’t differentiate and simply has a parameter called “GroupId”.

I’m going to cut a ticket with the CloudFormation team. Seems silly to have differentiated properties on the CFN side if they’re just going to lump them together on the API side, but I would say in general this is behavior as expected within the linter.

Are you ok with changing your template to use DestinationSecurityGroupId per the docs/spec for now, and we’ll treat this as a CloudFormation issue?

kddejong commented, Sep 27, 2018 (2 reactions)

@cmmeyer can you take this one? Looks like another case of weirdness with the documentation/spec/API.

@Hamitamaru we rely on the CloudFormation spec a lot for this. I cut and pasted the appropriate section below for reference and that property isn’t specified.

Looks like the documentation matches the spec.

So the API may take SourceSecurityGroupId. My guess is you should be using DestinationSecurityGroupId but something is still allowing SourceSecurityGroupId which isn’t documented?

    "AWS::EC2::SecurityGroup.Egress": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html",
      "Properties": {
        "CidrIp": {... },
        "CidrIpv6": { ... },
        "Description": { ... },
        "DestinationPrefixListId": { ... },
        "DestinationSecurityGroupId": { ... },
        "FromPort": { ... },
        "IpProtocol": { ... },
        "ToPort": { ... }
      }
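To make the spec-driven check concrete, here is an added example (not cfn-lint's own code, not anything from the issue's authors) that validates the rule entries of an AWS::EC2::SecurityGroup against the property sets of the spec types AWS::EC2::SecurityGroup.Egress and AWS::EC2::SecurityGroup.Ingress, and rebuilds the issue's template both as posted (SourceSecurityGroupId under SecurityGroupEgress) and as the maintainers suggest (DestinationSecurityGroupId). The templates are constructed inline in JSON form, which is what a YAML template loads to; the resource and function names other than those taken from the issue are this example's own.

```python
"""Spec-driven property check for AWS::EC2::SecurityGroup rule entries.

Added example, not cfn-lint's own code.  The allowed-property sets mirror the
CloudFormation resource specification types AWS::EC2::SecurityGroup.Egress and
AWS::EC2::SecurityGroup.Ingress; the templates are constructed inline in JSON
form (the structure a YAML template loads to), reusing the issue's resource names.
"""

EGRESS_PROPERTIES = frozenset({
    "CidrIp", "CidrIpv6", "Description", "DestinationPrefixListId",
    "DestinationSecurityGroupId", "FromPort", "IpProtocol", "ToPort",
})
INGRESS_PROPERTIES = frozenset({
    "CidrIp", "CidrIpv6", "Description", "FromPort", "IpProtocol",
    "SourcePrefixListId", "SourceSecurityGroupId", "SourceSecurityGroupName",
    "SourceSecurityGroupOwnerId", "ToPort",
})
# Which spec type governs each rule list on the resource.
RULE_LISTS = {
    "SecurityGroupEgress": EGRESS_PROPERTIES,
    "SecurityGroupIngress": INGRESS_PROPERTIES,
}


def check_security_groups(template):
    """Return one E3002-style finding per rule property the spec does not list."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = resource.get("Properties", {})
        for list_name, allowed in RULE_LISTS.items():
            for idx, rule in enumerate(props.get(list_name, [])):
                for key in rule:
                    if key not in allowed:
                        findings.append(
                            "E3002 Invalid Property Resources/%s/Properties/%s/%d/%s"
                            % (name, list_name, idx, key)
                        )
    return findings


def tcp443_rule(peer_key, peer_sg):
    """One TCP/443 rule that peers with another group's GroupId under peer_key."""
    return {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        peer_key: {"Fn::GetAtt": [peer_sg, "GroupId"]},
    }


def endpoint_template(egress_peer_key):
    """The issue's security group, parameterised on the egress peer property name."""
    peer = "LambdaCanCallLaServiceSecurityGroup"
    return {
        "Resources": {
            "LaServiceEndpointSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Security Group for VPC endpoints in the Lambda subnets",
                    "VpcId": {"Ref": "VPC"},
                    # Declaring any egress rule also removes the allow-all egress
                    # rule CloudFormation otherwise adds to a VPC security group.
                    "SecurityGroupEgress": [tcp443_rule(egress_peer_key, peer)],
                    "SecurityGroupIngress": [tcp443_rule("SourceSecurityGroupId", peer)],
                },
            }
        }
    }


# Constructed inputs: the template as posted, and the spec-conformant fix.
BROKEN_TEMPLATE = endpoint_template("SourceSecurityGroupId")
FIXED_TEMPLATE = endpoint_template("DestinationSecurityGroupId")

if __name__ == "__main__":
    for label, template in (("as posted", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, check_security_groups(template) or "no findings")
```

The check mirrors the shape of the linter's complaint: the ingress rule passes because SourceSecurityGroupId is a listed Ingress property, and the egress rule fails only because the Egress type lists DestinationSecurityGroupId instead. The practical caveat from the thread is worth keeping in mind: even if CloudFormation happens to accept the undocumented name and forward it as the peer group, a template that depends on that relies on behaviour outside the published spec, and the same rule written with DestinationSecurityGroupId is both lint-clean and unambiguous about which group the egress is restricted to.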