How to increase IPs/Ports Security in AWS Security Groups and Network ACL?

I have the following AWS Architecture:

[image: AWS architecture diagram]

The lambdas can be triggered by API Gateway, SNS, or SQS.

I tried to close as much as possible the IPs and Ports of the Security Groups and ACL of Lambda and RDS Infrastructure.

The SG and NACL of the RDS are very closed: they only allow the Lambda to access it, but the Lambda Security Group and NACL are open to 0.0.0.0/0 inbound/outbound.

See the following structure:

[images: Security Group and Network ACL rules of the Lambda and RDS subnets]

  • A NAT gateway uses ports 1024-65535.
  • AWS Lambda functions use ports 1024-65535.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

API Gateway supports the following endpoint ports: 80, 443 and 1024-65535.

https://docs.aws.amazon.com/apigateway/latest/developerguide/setup-http-integrations.html

I used VPC Flow Logs to see what IPs and ports were entering the Lambda subnet, and what I could understand was that they were dynamic and keep changing.

I found in many recommendations that you shouldn't use 0.0.0.0/0 and should close the IPs and ports as much as possible. How can I close my security even more for this architecture?

I also found this link, which creates a Lambda that dynamically creates the rules based on the IP list from Amazon. Is that the best way to do this?

https://blog.rowanudell.com/updating-security-groups-with-lambda/

Leonardo Campanha asked Jan 01 '26 11:01
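One way to make the audit and the tightening the question asks about concrete, as an added example that is not part of the question, of the linked blog post or of AWS's own tooling. Two facts drive the design: security groups are stateful, and a Lambda function in a VPC is invoked through the Lambda service rather than through inbound connections to its ENI, so the inbound side of the Lambda SG can be left empty, while the RDS SG references the Lambda SG as its source. The outbound side is where the 0.0.0.0/0 rule can be narrowed: egress to the database goes to the RDS SG, and egress to AWS services can be limited to the prefixes AWS publishes in `ip-ranges.json` (the same source the linked post uses), or avoided entirely with VPC endpoints. The NACL, being stateless, is where the 1024-65535 ephemeral range quoted above is needed for return traffic. The script below flags world-open rules and builds a port-443-only egress rule from a constructed sample in the `ip-ranges.json` shape; all sample data is constructed (documentation TEST-NET prefixes, not real AWS ranges), it handles IPv4 prefixes only, and it never calls AWS.

```python
"""Audit a security group for world-open rules and build a tighter egress
rule set from the AWS published IP ranges.

Added example (not from the question, the linked blog post, or AWS): all
input below is constructed sample data and nothing here calls AWS. The rule
dicts use the IpPermissions shape that boto3's
authorize_security_group_egress / revoke_security_group_* accept, so the
output can be handed to those calls by code that has credentials.
"""
import ipaddress
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample rules for the Lambda SG described in the question:
# everything open in both directions (IpProtocol "-1" means all traffic).
LAMBDA_SG_INBOUND = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
LAMBDA_SG_OUTBOUND = [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (documentation TEST-NET prefixes, not real AWS ranges).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "DYNAMODB"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "DYNAMODB"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
    ],
})


def world_open_rules(permissions, direction):
    """Return one (direction, protocol, from_port, to_port, cidr) tuple per
    rule whose CIDR is 0.0.0.0/0 or ::/0, i.e. open to the whole internet."""
    findings = []
    for perm in permissions:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                findings.append((direction, perm["IpProtocol"],
                                 perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def service_prefixes(ip_ranges_json, services, region):
    """Pick the IPv4 prefixes published for the given services in one region
    and merge overlapping or adjacent ones so the rule list stays short.
    (ipv6_prefixes would need a separate pass: collapse_addresses rejects
    mixed address families.)"""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["service"] in services and p["region"] == region}
    return sorted(ipaddress.collapse_addresses(nets))


def https_egress_permissions(prefixes, port=443):
    """Build a single egress rule allowing TCP/port only to the given prefixes."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(net), "Description": "AWS service prefix"}
                     for net in prefixes],
    }]


def split_for_quota(prefixes, rules_per_group=60):
    """Security groups have a per-group rule quota (60 per direction by
    default), so a long prefix list may need several groups attached to the
    same ENI; return the prefixes in chunks of that size."""
    return [prefixes[i:i + rules_per_group]
            for i in range(0, len(prefixes), rules_per_group)]


if __name__ == "__main__":
    for finding in (world_open_rules(LAMBDA_SG_INBOUND, "inbound")
                    + world_open_rules(LAMBDA_SG_OUTBOUND, "outbound")):
        print("world-open:", finding)
    nets = service_prefixes(SAMPLE_IP_RANGES, {"S3", "DYNAMODB"}, "eu-west-1")
    print("egress rule:", json.dumps(https_egress_permissions(nets), indent=1))
    print("groups needed:", len(split_for_quota(nets)))
```

When this is wired to the real `ip-ranges.json`, the `syncToken` in the file is what tells a scheduled Lambda whether the published ranges changed since the last run, and the `Description` field on each rule is what lets the next run tell its own generated rules apart from hand-written ones before revoking stale prefixes.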


1 Answer

You have done a lot of provisioning for security, but for a production account, for further bulletproofing, I would suggest you not only focus on IP/ports and ACLs but evaluate other infrastructural components too.

You are using a lot of AWS infra elements and those also need to be assessed for misconfiguration.

For assessment of the security posture of your architecture/deployment, I will suggest the following.

  1. Execute the CIS/GDPR compliance check on your account using the open source tool prowler.

https://github.com/toniblyx/prowler

CIS benchmark for reference: https://www.cisecurity.org/benchmark/amazon_web_services/

Resolve the scored findings on high priority.

  2. Enable and configure the AWS Config rules (AWS provided rules) to keep a check on activities going on in your account and have a sort of dynamic compliance implemented. Enable SNS notification for new findings.

https://aws.amazon.com/config/#:~:text=AWS%20Config%20is%20a%20service,recorded%20configurations%20against%20desired%20configurations.

https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

  3. Enable AWS Security Hub and enable the following checks:
     • AWS Foundational Security Best Practices
     • AWS Inspector assessment
     • CIS AWS Foundations Benchmark v1.2.0
     • PCI DSS

  4. Enable auditing by enabling CloudTrail logs for your account/region.

Regards, Amit Meena

Amit Meena answered Jan 04 '26 20:01
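The answer's steps 2 to 4 (AWS Config with managed rules and SNS notification, Security Hub with the listed standards, and CloudTrail) map onto a small, fixed set of API calls. The script below is an added example, not the answerer's code, that builds that sequence as plain data so it can be reviewed and tested without credentials, then applies it with boto3 in a separate step. It assumes the S3 bucket, SNS topic and IAM role passed in already exist with the bucket and topic policies that AWS Config and CloudTrail require; the account id, bucket and role names used in the usage call are placeholders. The managed rule identifiers and standards ARNs are the real ones from the AWS Config and Security Hub documentation, chosen for the SG/NACL and RDS exposure concerns in the question; prowler (step 1) and the Inspector integration are enabled separately and are not covered here.

```python
"""Build and apply an account-hardening plan covering AWS Config (recorder,
managed rules, SNS notifications), Security Hub standards and a multi-region
CloudTrail. Added example, not the answerer's code.

The plan is a list of (service, method, kwargs) tuples; apply_plan() runs
them through boto3 only when dry_run is False, so building and inspecting
the plan needs neither boto3 nor credentials. Assumed: bucket, SNS topic and
Config role already exist with the policies AWS Config/CloudTrail require.
"""

# AWS Config managed rule identifiers relevant to the question's SG/NACL and
# RDS exposure concerns (identifiers as listed in the AWS Config docs).
NETWORK_RULES = {
    "vpc-default-sg-closed": "VPC_DEFAULT_SECURITY_GROUP_CLOSED",
    "incoming-ssh-disabled": "INCOMING_SSH_DISABLED",
    "restricted-common-ports": "RESTRICTED_INCOMING_TRAFFIC",
    "sg-authorized-ports-only": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS",
    "rds-not-public": "RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
    "lambda-not-public": "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
    "cloudtrail-enabled": "CLOUD_TRAIL_ENABLED",
}


def security_hub_standards(region):
    """ARNs of the standards named in the answer. CIS 1.2.0 uses the global
    'ruleset' ARN form; the other two are regional."""
    return [
        f"arn:aws:securityhub:{region}::standards/aws-foundational-security-best-practices/v/1.0.0",
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        f"arn:aws:securityhub:{region}::standards/pci-dss/v/3.2.1",
    ]


def build_hardening_plan(region, bucket, config_role_arn, sns_topic_arn,
                         trail_name="account-audit"):
    """Return the ordered API calls as (service, method, kwargs) tuples."""
    plan = []
    # Step 2: Config recorder, delivery channel (SNS for new findings), rules.
    plan.append(("config", "put_configuration_recorder", {"ConfigurationRecorder": {
        "name": "default", "roleARN": config_role_arn,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}}))
    plan.append(("config", "put_delivery_channel", {"DeliveryChannel": {
        "name": "default", "s3BucketName": bucket, "snsTopicARN": sns_topic_arn}}))
    plan.append(("config", "start_configuration_recorder",
                 {"ConfigurationRecorderName": "default"}))
    for name, identifier in NETWORK_RULES.items():
        plan.append(("config", "put_config_rule", {"ConfigRule": {
            "ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}}))
    # Step 3: Security Hub with exactly the listed standards.
    plan.append(("securityhub", "enable_security_hub", {"EnableDefaultStandards": False}))
    plan.append(("securityhub", "batch_enable_standards", {"StandardsSubscriptionRequests": [
        {"StandardsArn": arn} for arn in security_hub_standards(region)]}))
    # Step 4: multi-region CloudTrail with log file validation, then start it.
    plan.append(("cloudtrail", "create_trail", {
        "Name": trail_name, "S3BucketName": bucket, "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True, "EnableLogFileValidation": True}))
    plan.append(("cloudtrail", "start_logging", {"Name": trail_name}))
    return plan


def apply_plan(plan, region, dry_run=True):
    """Execute the plan in order; returns the (service, method) pairs run.
    boto3 is imported only when actually applying."""
    done = []
    clients = {}
    if not dry_run:
        import boto3
        session = boto3.session.Session(region_name=region)
    for service, method, kwargs in plan:
        if not dry_run:
            client = clients.setdefault(service, session.client(service))
            getattr(client, method)(**kwargs)
        done.append((service, method))
    return done


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own before running with dry_run=False.
    plan = build_hardening_plan(
        region="eu-west-1",
        bucket="example-audit-bucket",
        config_role_arn="arn:aws:iam::123456789012:role/config-role",
        sns_topic_arn="arn:aws:sns:eu-west-1:123456789012:config-findings",
    )
    for service, method in apply_plan(plan, "eu-west-1", dry_run=True):
        print(f"{service}.{method}")
```

`enable_security_hub` and `create_trail` are not idempotent: rerunning against an account where they already exist raises a conflict error, so a real deployment wraps those two calls in an existence check or catches the client exception and continues with the remaining calls.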


