Network security is a critical aspect of cloud infrastructure, and CloudFormation provides powerful tools to define and manage secure network architectures. This guide explores key considerations for implementing network security using CloudFormation, focusing on best practices, common pitfalls, and practical remediation steps.
Inadequate VPC configurations can lead to network isolation issues, exposing resources to unnecessary risks and potential breaches.
Bad Practice
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0c55b159cbfafe1f0
Good Practice
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: MySecureVPC

  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      Tags:
        - Key: Name
          Value: MyPrivateSubnet

  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0c55b159cbfafe1f0
      SubnetId: !Ref MyPrivateSubnet
Overly permissive or misconfigured security group rules can expose resources to unauthorized access and potential attacks.
Bad Practice
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow all inbound traffic
    SecurityGroupIngress:
      - IpProtocol: -1
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0
Good Practice
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow specific inbound traffic
    # Attach the group to the VPC defined earlier; without VpcId it is created in the default VPC
    VpcId: !Ref MyVPC
    SecurityGroupIngress:
      # SSH only from the internal management range
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 10.0.0.0/24
      # HTTP open to the internet, which is appropriate only for a public-facing web tier
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
      - IpProtocol: -1
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0
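The difference between the two rule sets above can be checked mechanically before a template is deployed. The following is an added example, not code from the original guide: a small Python function using only the standard library's ipaddress module that normalizes each SecurityGroupIngress entry (including the IpProtocol -1 / FromPort -1 convention for "all traffic") and classifies it by source range and exposed ports. The ADMIN_PORTS table and the severity labels are this example's own choices, not an AWS or CloudFormation convention.

```python
import ipaddress

# Ports whose exposure to the whole internet is almost always a finding.
# Constructed list for this example; extend it to match your own policy.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def normalize_rule(rule):
    """Return (protocol, from_port, to_port, network) for one SecurityGroupIngress entry.

    IpProtocol -1 means every protocol; CloudFormation then accepts FromPort/ToPort of -1
    or omitted, which this treats as the full 0-65535 range. Rules whose source is another
    security group (no CidrIp/CidrIpv6) yield network=None.
    """
    proto = str(rule.get("IpProtocol", "-1")).lower()
    if proto == "-1":
        lo, hi = 0, 65535
    else:
        lo = int(rule.get("FromPort", 0))
        hi = int(rule.get("ToPort", lo))
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    net = ipaddress.ip_network(cidr, strict=False) if cidr else None
    return proto, lo, hi, net


def assess_ingress(rules):
    """Classify each CIDR-based ingress rule; returns a list of (severity, message)."""
    findings = []
    for rule in rules:
        proto, lo, hi, net = normalize_rule(rule)
        if net is None:
            continue  # security-group sources are not a CIDR exposure
        world_open = net.prefixlen == 0  # 0.0.0.0/0 or ::/0
        span = f"{proto} {lo}-{hi}"
        if world_open and proto == "-1":
            findings.append(("CRITICAL", f"all protocols and ports open to {net}"))
            continue
        admin = [label for port, label in ADMIN_PORTS.items() if lo <= port <= hi]
        if world_open and admin:
            findings.append(("HIGH", f"{'/'.join(admin)} ({span}) open to {net}"))
        elif world_open:
            findings.append(("INFO", f"{span} open to {net}; acceptable only for a public-facing service"))
        elif net.is_private:
            findings.append(("OK", f"{span} limited to private range {net}"))
        else:
            findings.append(("MEDIUM", f"{span} open to external range {net}"))
    return findings


# The two rule sets from the guide as Python dicts (the YAML's bare -1 parses as an int).
BAD_INGRESS = [{"IpProtocol": -1, "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}]
GOOD_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/24"},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_INGRESS), ("good", GOOD_INGRESS)):
        for severity, message in assess_ingress(rules):
            print(f"{label}: [{severity}] {message}")
```

Running the block prints a single CRITICAL line for the "bad" group and an OK plus an INFO line for the "good" one; the INFO on port 80 is deliberate, since a world-open web port is a policy decision rather than a defect and the reviewer should confirm the group really fronts a public service.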
Placing sensitive resources in public subnets unnecessarily exposes them to the internet, increasing the attack surface.
Bad Practice
Resources:
  MyPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true

  MyDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBName: MyDatabase
      Engine: mysql
      MasterUsername: admin
      MasterUserPassword: password123
      DBInstanceClass: db.t2.micro
      AllocatedStorage: 20
      PubliclyAccessible: true
      DBSubnetGroupName: !Ref MyPublicSubnetGroup
Good Practice
Parameters:
  # Credentials are supplied at deploy time; NoEcho keeps them out of console and API output
  DBUsername:
    Type: String
    NoEcho: true
  DBPassword:
    Type: String
    NoEcho: true
    MinLength: 8

Resources:
  MyPrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      # An RDS subnet group needs subnets in at least two Availability Zones
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      MapPublicIpOnLaunch: false

  MyPrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: !Select [ 1, !GetAZs '' ]
      MapPublicIpOnLaunch: false

  MyDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBName: MyDatabase
      Engine: mysql
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBInstanceClass: db.t2.micro
      AllocatedStorage: 20
      PubliclyAccessible: false
      DBSubnetGroupName: !Ref MyPrivateSubnetGroup

  MyPrivateSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnet group for private database
      SubnetIds:
        - !Ref MyPrivateSubnet1
        - !Ref MyPrivateSubnet2
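The VPC placement issue from the first section and the database exposure issue from this one can both be caught by walking a template's Ref graph before deployment. Below is an added example, not code from the guide or from AWS: a standard-library Python checker over JSON-form CloudFormation templates. The two templates are constructed here to mirror the guide's bad and good snippets (with a MyPublicSubnetGroup resource added to the bad one so its reference resolves). The checker verifies that each EC2 instance's SubnetId chains to a VPC in the template, and that each RDS instance is not PubliclyAccessible, sits in a subnet group made of non-public subnets, and takes its password from a NoEcho parameter or a {{resolve:...}} dynamic reference rather than a literal. Function names and finding texts are this example's own.

```python
import json

# Constructed JSON versions of the guide's templates. CloudFormation accepts JSON, so the
# stdlib parser is enough; {"Ref": X} plays the role of YAML's !Ref X.
BAD_TEMPLATE = json.loads("""{
  "Resources": {
    "MyEC2Instance": {"Type": "AWS::EC2::Instance",
      "Properties": {"InstanceType": "t2.micro", "ImageId": "ami-0c55b159cbfafe1f0"}},
    "MyPublicSubnet": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true}},
    "MyPublicSubnetGroup": {"Type": "AWS::RDS::DBSubnetGroup",
      "Properties": {"DBSubnetGroupDescription": "public", "SubnetIds": [{"Ref": "MyPublicSubnet"}]}},
    "MyDatabase": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "mysql", "MasterUsername": "admin", "MasterUserPassword": "password123",
                     "PubliclyAccessible": true, "DBSubnetGroupName": {"Ref": "MyPublicSubnetGroup"}}}
  }
}""")

GOOD_TEMPLATE = json.loads("""{
  "Parameters": {
    "DBUsername": {"Type": "String", "NoEcho": true},
    "DBPassword": {"Type": "String", "NoEcho": true}
  },
  "Resources": {
    "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "MyPrivateSubnet1": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": false}},
    "MyPrivateSubnet2": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": false}},
    "MyEC2Instance": {"Type": "AWS::EC2::Instance",
      "Properties": {"InstanceType": "t2.micro", "ImageId": "ami-0c55b159cbfafe1f0",
                     "SubnetId": {"Ref": "MyPrivateSubnet1"}}},
    "MyPrivateSubnetGroup": {"Type": "AWS::RDS::DBSubnetGroup",
      "Properties": {"DBSubnetGroupDescription": "private",
                     "SubnetIds": [{"Ref": "MyPrivateSubnet1"}, {"Ref": "MyPrivateSubnet2"}]}},
    "MyDatabase": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "mysql", "MasterUsername": {"Ref": "DBUsername"},
                     "MasterUserPassword": {"Ref": "DBPassword"}, "PubliclyAccessible": false,
                     "DBSubnetGroupName": {"Ref": "MyPrivateSubnetGroup"}}}
  }
}""")


def ref_target(node):
    """Logical id named by a {"Ref": ...} node, or None for anything else."""
    return node["Ref"] if isinstance(node, dict) and list(node) == ["Ref"] else None


def check_template(template):
    """Return a list of finding strings for the placement and secret issues in the guide."""
    resources = template.get("Resources", {})
    params = template.get("Parameters", {})

    def rtype(rid):
        return resources.get(rid, {}).get("Type")

    def props(rid):
        return resources.get(rid, {}).get("Properties", {})

    findings = []
    for name, res in resources.items():
        p = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::Instance":
            # The Instance -> Subnet -> VPC chain must resolve inside the template.
            subnet = ref_target(p.get("SubnetId"))
            if "SubnetId" not in p:
                findings.append(f"{name}: no SubnetId, so the instance lands in the default VPC")
            elif rtype(subnet) != "AWS::EC2::Subnet":
                findings.append(f"{name}: SubnetId is not a Ref to a subnet in this template; verify it is private")
            elif rtype(ref_target(props(subnet).get("VpcId"))) != "AWS::EC2::VPC":
                findings.append(f"{name}: subnet {subnet} is not attached to a VPC in this template")
        elif res.get("Type") == "AWS::RDS::DBInstance":
            if p.get("PubliclyAccessible") is True:
                findings.append(f"{name}: PubliclyAccessible is true")
            group = ref_target(p.get("DBSubnetGroupName"))
            if rtype(group) != "AWS::RDS::DBSubnetGroup":
                findings.append(f"{name}: DBSubnetGroupName does not resolve to a DBSubnetGroup in this template")
            else:
                for sid in (ref_target(s) for s in props(group).get("SubnetIds", [])):
                    if props(sid).get("MapPublicIpOnLaunch") is True:
                        findings.append(f"{name}: subnet group {group} contains public subnet {sid}")
            # A literal password is a finding unless it is a {{resolve:...}} dynamic reference;
            # a Ref must point at a NoEcho parameter.
            pw = p.get("MasterUserPassword")
            param = ref_target(pw)
            if isinstance(pw, str) and not pw.startswith("{{resolve:"):
                findings.append(f"{name}: MasterUserPassword is a plaintext literal")
            elif param is not None and params.get(param, {}).get("NoEcho") is not True:
                findings.append(f"{name}: MasterUserPassword parameter {param} lacks NoEcho")
    return findings


if __name__ == "__main__":
    for label, tpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(label, check_template(tpl) or ["no findings"])
```

Against the bad template the checker reports four findings (the instance without a subnet, the public RDS flag, the public subnet inside the DB subnet group, and the literal password); the good template produces none. The same walk extends naturally to other Ref-linked properties such as VPCSecurityGroups, so it can sit beside a full linter such as cfn-lint in a pre-deployment pipeline.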
By following these best practices and implementing a comprehensive security strategy, you can significantly enhance the security posture of your CloudFormation stack permissions. Remember that security is an ongoing process, requiring continuous monitoring, improvement, and adaptation to new threats and best practices.
Effective management of stack permissions in CloudFormation is crucial for maintaining a secure and compliant infrastructure as code environment. By addressing issues such as excessive IAM permissions, missing resource-level permissions, and uncontrolled cross-stack references, organizations can significantly reduce their security risks and improve their overall cloud governance.