security-group-manager

command module

v1.1.4 Latest Latest Go to latest Published: Jul 5, 2021 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ReasonSoftware/security-group-manager

Links

Open Source Insights

README ¶

security-group-manager

An AWS Lambda to maintain whitelist rules on Security Groups.

Features

Manage trusted CIDRs in one place.
Manage some or all of the rules in a security group automatically.
Mix multiple protocols on a security group.
Define your own custom protocols.

Manual

Tag a security group with <protocol-name>=managed that matches of the protocols from a configuration.

Install

Download latest release and extract the archive

Create AWS Secrets Manager Secret with the sample/custom configuration:

Sample Configuration

{
    "protocols": {
        "http": {
            "transport": "tcp",
            "from_port": 80,
            "to_port": 80
        },
        "https": {
            "transport": "tcp",
            "from_port": 443,
            "to_port": 443
        },
        "ssh": {
            "transport": "tcp",
            "from_port": 22,
            "to_port": 22
        },
        "rdp": {
            "transport": "tcp",
            "from_port": 3389,
            "to_port": 3389
        }
    },
    "rules": [
        {
            "cidr": "34.226.14.13/32",
            "note": "Primary VPN"
        },
        {
            "cidr": "52.15.127.128/27",
            "note": "UK Office"
        },
        {
            "cidr": "35.158.136.0/22",
            "note": "US Office"
        },
        {
            "cidr": "52.57.254.0/29",
            "note": "IL Office"
        },
        {
            "cidr": "13.54.63.128/32",
            "note": "Backup VPN"
        }
    ]
}

Update serverless.yaml
- Secret Name: Fill in you secret name under environment/SECRET
- Secrets Manager Permissions: Update iamRoleStatements/Resource to contain your secret name or full ARN.
- Lambda is configured to run periodically every half an hour, you may change that under functions/app/schedule.
Optional Configuration

You may tweak the Lambda's behavior via additional environmental variables:
- DEBUG=true - Enable verbose logs
- LOCAL=true - Toggle to execute outside of AWS Lambda environment (useful during local development)
- OPERATIONAL_REGION=<region> - Region in which lambda should manage the security groups. This allows to manage multiple regions from multiple lambdas deployed in a single region (default: us-east-1)
- SECRET_REGION=<region> - Secrets Manager region in which a whitelist secret is created. Allows to maintain a single source of truth for lambdas deployed in multiple regions (default: us-east-1)
Deploy with: serverless deploy --stage prod or create Lambda manually

In order to use latest version (master branch), you may clone the repository and compile the project by running make release before deploying it

Notes

You may build the project for linux/amd64 using Go or handy make scripts on Linux/MacOS workstation:
- make lint - Lint project
- make test - Execute unit tests
- make - Lint + Unit Test + Vendor
- make codecov - Open code-coverage report
- make release - Compile project

License

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
internal
app
mocks
pkg
sg

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL