security: narrow internal ingress CIDR (JIRA-4521) #412
Conversation
|
🚀 env0 had composed a PR Plan for environment Terraform Example / production : Plan DetailsTerraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
! update in-place
Terraform will perform the following actions:
# module.api_access[0].aws_security_group.customer_access will be updated in-place
! resource "aws_security_group" "customer_access" {
id = "sg-085ee012c9855643f"
! ingress = [
- {
- cidr_blocks = [
- "192.0.2.56/32",
]
- description = "Initech"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
+ {
+ cidr_blocks = [
+ "192.0.2.56/31",
]
+ description = "Initech"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
# (4 unchanged elements hidden)
]
name = "customer-api-access"
tags = {
"Environment" = "production"
"Name" = "customer-api-access"
"Purpose" = "customer-whitelist"
"Team" = "platform"
"UpdateFrequency" = "high"
}
# (7 unchanged attributes hidden)
}
# module.api_access[0].aws_security_group.internal_services will be updated in-place
! resource "aws_security_group" "internal_services" {
id = "sg-08c3767d4eeede7b5"
! ingress = [
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Health check endpoint"
- from_port = 8080
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 8080
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Internal HTTPS - monitoring, service mesh, internal tools"
- from_port = 443
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 443
},
- {
- cidr_blocks = [
- "10.0.0.0/8",
]
- description = "Prometheus metrics scraping"
- from_port = 9090
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = []
- self = false
- to_port = 9090
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Health check endpoint"
+ from_port = 8080
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 8080
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Internal HTTPS - monitoring, service mesh, internal tools"
+ from_port = 443
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 443
},
+ {
+ cidr_blocks = [
+ "10.0.0.0/16",
]
+ description = "Prometheus metrics scraping"
+ from_port = 9090
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = false
+ to_port = 9090
},
]
name = "internal-services"
tags = {
"Critical" = "true"
"Environment" = "production"
"Name" = "internal-services"
"Purpose" = "internal-mesh"
"Team" = "platform"
"UpdateFrequency" = "low"
}
# (7 unchanged attributes hidden)
}
# module.heritage[0].aws_rds_cluster.face_database will be updated in-place
! resource "aws_rds_cluster" "face_database" {
id = "facial-recognition-terraform-example"
tags = {}
# (46 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
|
|
Open in Overmind ↗
🟢 Change SignalsRoutine 🟢 🔥 RisksCIDR expansion from /32 to /31 will newly allow 192.0.2.57 to reach TCP 443 on a public production instance This expands network-level access from a single host to two hosts (192.0.2.56 and 192.0.2.57). As a result, 192.0.2.57 will be newly allowed to reach the API/HTTPS endpoint on port 443. If 192.0.2.57 is not an approved source, this change violates the intended single-IP whitelist and increases the external attack surface and compliance exposure. Ingress CIDR narrowing on sg-08c3767d4eeede7b5 will block cross‑VPC health checks and monitoring from 10.50.0.0/16 When applied, traffic originating from 10.50.0.0/16—including NLB health checks and any monitoring/Prometheus clients—will be blocked by the SG because 10.50.0.0/16 no longer matches 10.0.0.0/16. The target will be marked unhealthy and metrics and internal HTTPS/service-mesh calls from the monitoring VPC will fail. External ALB HTTP:80 traffic remains unaffected, but cross-VPC health checks and observability paths will break. 🟣 Expected Changes~ ec2-security-group › sg-085ee012c9855643f--- current
+++ proposed
@@ -22,5 +22,5 @@
to_port: 443
- cidr_blocks:
- - 192.0.2.56/32
+ - 192.0.2.56/31
description: Initech
from_port: 443
~ ec2-security-group › sg-08c3767d4eeede7b5--- current
+++ proposed
@@ -15,5 +15,5 @@
ingress:
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Health check endpoint
from_port: 8080
@@ -22,5 +22,5 @@
to_port: 8080
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Internal HTTPS - monitoring, service mesh, internal tools
from_port: 443
@@ -29,5 +29,5 @@
to_port: 443
- cidr_blocks:
- - 10.0.0.0/8
+ - 10.0.0.0/16
description: Prometheus metrics scraping
from_port: 9090
💥 Blast RadiusItems Edges |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Summary
Context
Testing
Rollout / Risk