Lock down access of MC, so that outsiders with a URL cannot access it

[galenatjpl]

The Management Console should not be accessible to anyone with the URL.
It needs to be locked down, starting from the entry point in the shared services.
This means that the necessary security groups and other necessary access rules need to be in place along the chain.

So, for example:

• Make sure there is a security group locking down access to the MC EC2, from only the venue http (ECS)
• Make sure the httpd ECS is only accessible from the venue NLB (ECS should be in private subnet)
• Make sure the venue ALB is only accessible from the shared services HTTPD
• Make sure the shared services HTTPD is only accessible from the shared services ALB
• others?

venue account reach out to shared services. See: https://unity-sds.gitbook.io/docs/developer-docs/common-services/docs/users-guide/deployment/shared-services-deployment. for instructions on how to access cross-account SSM params.

See related ticket: https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-4178

[jpl-btlunsfo]

These PRs (unity-proxy#6 & unity-cs-infra#99) should handle locking down the venue ALB per

Make sure the httpd ECS is only accessible from the venue ALB (ECS should be in private subnet)

However, this does not include moving the management console or the ECS venue services proxy to the private subnet- is that a hard requirement?

[galenatjpl]

@jpl-btlunsfo The Management Console EC2 is already inside a private subnet. I just verified this on unity-venue-dev. The ECS venue proxy is in the public subnet, but I think this is okay for now. I'm not sure if there is a hard requirement to move this at this time. I know that moving the ECS into a private subnet is mentioned in the description of this ticket, but I feel like perhaps that is too much change at this time. If you think it is easy, and wouldn't impact too many things, then lets do it. If you feel like that the juice isn't worth the squeeze at this point, then let's re-write the description of this ticket, and open a future ticket to investigate this. The overall point of this ticket is to make sure things are locked down, and that may or may not require certain components to actually be in private subnets.

[jpl-btlunsfo]

Should be wrapped up by PR unity-sds/unity-proxy#11!