Merge pull request #91 from phylake/sec

Security improvements

CHANGELOG.md

@@ -1,6 +1,7 @@
 **v2.2.0**
 
 - support docker registries as an alternative to S3
+- support auto scaling group egress whitelist
 - deprecated `dst_env_file`
 - added `sse_kms_key_id` for optional SSE-KMS on all porter uploads
 

commands/bootstrap/iam.go

@@ -148,6 +148,7 @@ const porterDeploymentPolicy = `{
         "cloudformation:DescribeStackResource",
         "cloudformation:DescribeStacks",
         "cloudformation:UpdateStack",
+        "ec2:AuthorizeSecurityGroupEgress",
         "ec2:AuthorizeSecurityGroupIngress",
         "ec2:CreateSecurityGroup",
         "ec2:DeleteSecurityGroup",
@@ -156,6 +157,7 @@ const porterDeploymentPolicy = `{
         "ec2:DescribeInstances",
         "ec2:DescribeSecurityGroups",
         "ec2:DescribeSubnets",
+        "ec2:RevokeSecurityGroupEgress",
         "elasticloadbalancing:AddTags",
         "elasticloadbalancing:ConfigureHealthCheck",
         "elasticloadbalancing:CreateLoadBalancer",

commands/commands.go

@@ -95,6 +95,7 @@ These commands log to STDOUT and primarily run from files/cloud-init.yaml`,
 				SubCommandList: []cli.Command{
 					help.Debug,
 					help.Issue,
+					&help.AwsNetworkCmd{},
 				},
 			},
 			&cmd.Default{

commands/help/aws_network.go

@@ -0,0 +1,125 @@
+/*
+ *  Copyright 2016 Adobe Systems Incorporated. All rights reserved.
+ *  This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License. You may obtain a copy
+ *  of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software distributed under
+ *  the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ *  OF ANY KIND, either express or implied. See the License for the specific language
+ *  governing permissions and limitations under the License.
+ */
+package help
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/adobe-platform/porter/aws/util"
+	"github.com/adobe-platform/porter/logger"
+	"github.com/phylake/go-cli"
+)
+
+type IpList struct {
+	SyncToken  string `json:"syncToken"`
+	CreateDate string `json:"createDate"`
+	Prefixes   []struct {
+		IPPrefix string `json:"ip_prefix"`
+		Region   string `json:"region"`
+		Service  string `json:"service"`
+	} `json:"prefixes"`
+	Ipv6Prefixes []struct {
+		Ipv6Prefix string `json:"ipv6_prefix"`
+		Region     string `json:"region"`
+		Service    string `json:"service"`
+	} `json:"ipv6_prefixes"`
+}
+
+type AwsNetworkCmd struct{}
+
+func (recv *AwsNetworkCmd) Name() string {
+	return "aws-network"
+}
+
+func (recv *AwsNetworkCmd) ShortHelp() string {
+	return "Get AWS network CIDRs by region"
+}
+
+func (recv *AwsNetworkCmd) LongHelp() string {
+	return `NAME
+    aws-network -- Get AWS network CIDRs by region
+
+SYNOPSIS
+    aws-network -r <region> [-s <service>]
+
+DESCRIPTION
+    Download and parse https://ip-ranges.amazonaws.com/ip-ranges.json
+
+    Print to stdout all IPv4 CIDrs matching
+    service == <service> && region == <region>
+
+    See https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/ for more
+
+OPTIONS
+	-r  AWS region
+
+	-s  Service (defaults to AMAZON if undefined)`
+}
+
+func (recv *AwsNetworkCmd) SubCommands() []cli.Command {
+	return nil
+}
+
+func (recv *AwsNetworkCmd) Execute(args []string) bool {
+	if len(args) > 0 {
+
+		var region, service string
+
+		flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+		flagSet.StringVar(&region, "r", "", "")
+		flagSet.StringVar(&service, "s", "", "")
+		flagSet.Usage = func() {
+			fmt.Println(recv.LongHelp())
+		}
+		flagSet.Parse(args)
+
+		if !util.ValidRegion(region) {
+			return false
+		}
+
+		if service == "" {
+			service = "AMAZON"
+		}
+
+		log := logger.CLI()
+
+		res, err := http.Get("https://ip-ranges.amazonaws.com/ip-ranges.json")
+		if err != nil {
+			log.Error("http.Get", "Error", err)
+			os.Exit(1)
+		}
+		defer res.Body.Close()
+
+		ipList := IpList{}
+
+		err = json.NewDecoder(res.Body).Decode(&ipList)
+		if err != nil {
+			log.Error("json.Unmarshal", "Error", err)
+			os.Exit(1)
+		}
+
+		for _, prefix := range ipList.Prefixes {
+			if prefix.Region == region && prefix.Service == service {
+
+				fmt.Println(prefix.IPPrefix)
+			}
+		}
+
+		return true
+	}
+
+	return false
+}

commands/host/docker.go

@@ -207,6 +207,9 @@ func startContainers(environmentStr, regionStr, secretsS3Key string) {
 			// CIS Docker Benchmark 1.11.0 5.14
 			"--restart=on-failure:5",
 
+			// CIS Docker Benchmark 1.11.0 5.25
+			"--security-opt=no-new-privileges",
+
 			// set ulimit for container
 			// TODO calculate this
 			"--ulimit", "nofile=200000",

conf/conf.go

@@ -113,6 +113,7 @@ type (
 		ELBs                []*ELB             `yaml:"elbs"`
 		ELB                 string             `yaml:"elb"`
 		RoleARN             string             `yaml:"role_arn"`
+		AutoScalingGroup    *AutoScalingGroup  `yaml:"auto_scaling_group"`
 		SSLCertARN          string             `yaml:"ssl_cert_arn"`
 		HostedZoneName      string             `yaml:"hosted_zone_name"`
 		KeyPairName         string             `yaml:"key_pair_name"`
@@ -121,6 +122,18 @@ type (
 		Containers          []*Container       `yaml:"containers"`
 	}
 
+	AutoScalingGroup struct {
+		SecurityGroupEgress []SecurityGroupEgress `yaml:"security_group_egress"`
+	}
+
+	SecurityGroupEgress struct {
+		CidrIp                     string `yaml:"cidr_ip" json:"CidrIp,omitempty"`
+		FromPort                   int    `yaml:"from_port" json:"FromPort"`
+		IpProtocol                 string `yaml:"ip_protocol" json:"IpProtocol,omitempty"`
+		DestinationSecurityGroupId string `yaml:"destination_security_group_id" json:"DestinationSecurityGroupId,omitempty"`
+		ToPort                     int    `yaml:"to_port" json:"ToPort"`
+	}
+
 	AvailabilityZone struct {
 		Name     string `yaml:"name"`
 		SubnetID string `yaml:"subnet_id"`

docs/detailed_design/config-reference.md

@@ -26,6 +26,8 @@ For each field the following notation is used
     - [role_arn](#role_arn) (==1!)
     - [ssl_cert_arn](#ssl_cert_arn) (==1?)
     - [hosted_zone_name](#hosted_zone_name) (==1?)
+    - auto_scaling_group
+      - [security_group_egress](#security_group_egress) (==1?)
     - [key_pair_name](#key_pair_name) (==1?)
     - [s3_bucket](#s3_bucket) (==1!)
     - [sse_kms_key_id](#sse_kms_key_id) (==1!)
@@ -253,6 +255,68 @@ provisioned ELB's A record if provided
 This is typically used with `ssl_cert_arn` to create a developer stack that
 works with SSL.
 
+### security_group_egress
+
+Whitelist ASG egress rules. porter needs this config is needed for 3 reasons.
+
+(1) porter manages the security groups for a
+`AWS::AutoScaling::AutoScalingGroup`, (2) additional groups may be defined in a
+[custom CloudFormation template](cfn-customization.md), and (3)
+[the most permissive rule wins](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#vpc-security-groups):
+
+> If there is more than one rule for a specific port, we apply the most
+> permissive rule. For example, if you have a rule that allows access to TCP
+> port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access
+> to TCP port 22 from everyone, everyone has access to TCP port 22.
+>
+> When you associate multiple security groups with an instance, the rules from
+> each security group are effectively aggregated to create one set of rules. We
+> use this set of rules to determine whether to allow access.
+
+These values overwrite every AutoScalingGroup's SecurityGroup's
+[SecurityGroupEgress property](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupegress)
+
+Example config
+
+```yaml
+environments:
+- name: dev
+
+  regions:
+  - name: us-west-2
+
+    auto_scaling_group:
+      security_group_egress:
+
+      # allow all DNS
+      - cidr_ip: 0.0.0.0/0
+        ip_protocol: udp
+        from_port: 53
+        to_port: 53
+
+      # allow all NTP
+      - cidr_ip: 0.0.0.0/0
+        ip_protocol: udp
+        from_port: 123
+        to_port: 123
+
+      # allow connections to AWS network in us-west-2
+      # accurate as of this writing
+      # run `porter help aws-network` for more
+      - cidr_ip: 54.231.160.0/19
+        ip_protocol: tcp
+        from_port: 0
+        to_port: 65535
+      - cidr_ip: 54.240.230.0/23
+        ip_protocol: tcp
+        from_port: 0
+        to_port: 65535
+      - cidr_ip: 54.240.248.0/21
+        ip_protocol: tcp
+        from_port: 0
+        to_port: 65535
+```
+
 ### key_pair_name
 
 key_pair_name is name of the SSH key pair that will be used to login to EC2