Restrict Security Groups - CS

[mike-gangl]

We must not allow open access (0.0.0.0) to common ports via security groups.

https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-3779

This is a 2 part ticket:

Cleanup unused security groups - there are many, many security groups across all of our accounts. We must clean up un-used security groups in all unity accounts. Please find your security groups not in use and delete them. Some notes: We should not be using "lunch wizard" security groups. Security groups should have a name- groups without a name will be deleted/removed. Please use the TAGS for all resources- including security groups.
Remove unrestricted access to common ports via security groups. no unfettered access to your applications. This means locking down access to load balancers to the API gateway and the HTTPd proxies, most likely. Internal traffic should be limited to the VPC.
Please reach out to me for any questions or concerns.

This is a priority to cleanup and fix. The fixes should be ready and deployed in ALL ACCOUNTS by the end of Sprint 4.

[galenatjpl]

@jpl-btlunsfo and/or @ramesh-maddegoda , I don't think we are creating any 0.0.0.0 open access in security groups. Can you please confirm? I think this ticket can be closed now, or perhaps after a new round of deployments to venues, and a re-scan of the SGs.

[jpl-btlunsfo]

Unfortunately, no- a few come to mind.

The unity-proxy lambda security group is wide open:
https://github.com/unity-sds/unity-proxy/blob/62fb11745461ee2c7383ae5ccbf1a7214a3a3504/terraform-unity/lambda.tf#L28-L40
and I guess, could be locked down/limited to just the management console, and perhaps all JPL addresses (so as to allow us to manually trigger outside of management console if necessary).

There's also the ALB access sg for the unity-proxy service, which is currently wide open, but should be locked down as part of unity-sds/unity-cs#431 's usage of the vpc peering
https://github.com/unity-sds/unity-proxy/blob/62fb11745461ee2c7383ae5ccbf1a7214a3a3504/terraform-unity/networking.tf#L113-L121

There's also a number of references in unity-cs-infra, but i'm not sure if they're currently in operation:
https://github.com/search?q=repo%3Aunity-sds%2Funity-cs-infra+0.0.0.0+path%3A*.tf&type=code

[jpl-btlunsfo]

All 0.0.0.0/0 access security groups in unity-proxy have been removed, per unity-sds/unity-proxy#11, except for the proxy reconfig lambda's security groups (as I'm not sure what we should/would want to limit those to).

[jpl-btlunsfo]

Per discussion, the de-restriction (opening 0.0.0.0/0) has been removed once more, so unity-proxy is properly locked down to only allow shared-services.