
Restrict only Specific Ports in Specific Security Groups using Cloud Custodian


There was already a similar question created for this. I read a few of the answers but I was not able to solve the issue. I had to create a separate post for this since I didn't have enough reputation points to reply to a user in that post. The link is: here. I want to restrict all of the ports exposed to public apart from a few security groups. For example, for one of the security groups I don't want port 80 exposed to public, but for a security group say "sg-123456789" I want port 80 to be open to public. How do I write a Cloud Custodian policy?

policies:
  - name: sg-123456789
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::9797979797:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
        # "- and:" (dash, space, key) is a list item; "-and:" is parsed as a mapping key and fails validation
        - and:
            - type: value
              key: GroupId                 # was misspelled "GroudId"
              op: in
              value: ["sg-123456789"]      # "in" tests membership, so give it a list
            # the or-block is nested under the and-block so both conditions apply
            - or:
                - type: ingress
                  OnlyPorts: [80]          # match every public rule except one that is exactly port 80
                  Cidr:
                     value: "0.0.0.0/0"    # plain equality; "op: in" on a scalar string is only a substring test
                - type: ingress
                  OnlyPorts: [80]
                  CidrV6:
                     value: "::/0"
    actions:
        - type: remove-permissions
          ingress: matched

  - name: sg-987654321
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or ::/0 (IPv6) ingress
    mode:
        type: cloudtrail
        role: arn:aws:iam::9797979797:role/cloudcustodianrole
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
        - and:
            - type: value
              key: GroupId
              op: in
              value: ["sg-987654321"]
            - or:
                - type: ingress
                  OnlyPorts: [3000]        # only an exact 3000-3000 rule is exempt; a 3000-3010 range still matches
                  Cidr:
                     value: "0.0.0.0/0"
                - type: ingress
                  OnlyPorts: [3000]
                  CidrV6:
                     value: "::/0"
    actions:
        - type: remove-permissions
          ingress: matched


Solution

  • Share the screenshot of the error you're getting. You have to use separate policies for IPv4 and IPv6 in remediation mode.

        policies:
          - name: sg-public-ports-80-443   # name added so the snippet loads; any unique name works
            resource: security-group
            filters:
              - and:
                - type: value
                  key: GroupId
                  op: in
                  value:
                    - sg-0db5e1ab7ccccc
                # nested list items must be indented past the "or" key
                - or:
                  - type: ingress
                    OnlyPorts: [80,443]
                    Cidr:
                      value: "0.0.0.0/0"
                  - type: ingress
                    OnlyPorts: [80,443]
                    CidrV6:
                      value: "::/0"
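The following is an added example, not code from the question, the answer, or the Cloud Custodian project. It generates the policy layout the answer recommends (one remediation policy per security group and per IP family, each with its own OnlyPorts exemption) and then simulates the ingress filter against constructed security group rules, so you can see which rules `remove-permissions ingress: matched` would revoke before running anything. The matching logic re-implements the `OnlyPorts`/`Cidr` semantics as this example's author understands them (an assumption to verify against your Cloud Custodian version): a rule is exempt only when its FromPort and ToPort both equal a listed port; every other rule open to 0.0.0.0/0 or ::/0 matches. `EXEMPT_PORTS`, `SAMPLE_GROUPS`, `build_policies`, `plan_revocations` and the policy names are all constructed here; the role ARN is the one from the question.

```python
"""Per-security-group public-port exemptions, Cloud Custodian style."""
import json

# Constructed mapping: security group -> ports that may stay open to the world.
EXEMPT_PORTS = {
    "sg-123456789": [80],
    "sg-987654321": [3000],
}

# Constructed IpPermissions, shaped like ec2 describe_security_groups output.
SAMPLE_GROUPS = {
    "sg-123456789": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},  # internal, not public
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
    "sg-987654321": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3010,   # a range, not exactly 3000
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                                       # all traffic: no port keys at all
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def build_policies(exemptions, role_arn):
    """Return a policy document (dict) with one policy per group and IP family.
    JSON is valid YAML, so the dump of this dict can be passed to `custodian run`."""
    policies = []
    for group_id, ports in sorted(exemptions.items()):
        for family, cidr_key, cidr in (("v4", "Cidr", "0.0.0.0/0"),
                                       ("v6", "CidrV6", "::/0")):
            policies.append({
                "name": f"{group_id}-public-ingress-{family}",
                "resource": "aws.security-group",
                "description": f"Revoke {cidr} ingress on ports other than {ports}",
                "mode": {
                    "type": "cloudtrail",
                    "role": role_arn,
                    "events": [{"source": "ec2.amazonaws.com",
                                "event": "AuthorizeSecurityGroupIngress",
                                "ids": "requestParameters.groupId"}],
                },
                "filters": [
                    {"type": "value", "key": "GroupId", "op": "in", "value": [group_id]},
                    {"type": "ingress", "OnlyPorts": ports, cidr_key: {"value": cidr}},
                ],
                "actions": [{"type": "remove-permissions", "ingress": "matched"}],
            })
    return {"policies": policies}


def rule_is_exempt(perm, only_ports):
    """OnlyPorts semantics (assumed): exempt only if the range is exactly one listed port."""
    return any(perm.get("FromPort") == p == perm.get("ToPort") for p in only_ports)


def matched_rules(perms, only_ports, cidr_key, cidr):
    """Rules open to `cidr` in the given family whose port range is not exempt."""
    range_key, addr_key = (("IpRanges", "CidrIp") if cidr_key == "Cidr"
                           else ("Ipv6Ranges", "CidrIpv6"))
    return [perm for perm in perms
            if any(r.get(addr_key) == cidr for r in perm.get(range_key, []))
            and not rule_is_exempt(perm, only_ports)]


def plan_revocations(groups, policy_doc):
    """Map each policy name to the (FromPort, ToPort) pairs it would revoke."""
    plan = {}
    for pol in policy_doc["policies"]:
        value_f, ingress_f = pol["filters"]
        cidr_key = "Cidr" if "Cidr" in ingress_f else "CidrV6"
        hits = []
        for gid in value_f["value"]:
            hits += matched_rules(groups.get(gid, []), ingress_f["OnlyPorts"],
                                  cidr_key, ingress_f[cidr_key]["value"])
        plan[pol["name"]] = [(p.get("FromPort"), p.get("ToPort")) for p in hits]
    return plan


if __name__ == "__main__":
    doc = build_policies(EXEMPT_PORTS, "arn:aws:iam::9797979797:role/cloudcustodianrole")
    print(json.dumps(doc, indent=2))
    for name, rules in plan_revocations(SAMPLE_GROUPS, doc).items():
        print(name, "would revoke", rules)
```

Running it shows the two edge cases worth knowing about before switching a policy to remediation: a 3000-3010 range is not exempted by `OnlyPorts: [3000]` (only the exact 3000-3000 rule is), and an all-traffic rule (`IpProtocol: -1`, no port fields) open to 0.0.0.0/0 is matched and revoked as well.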