Allow the cyhy and bod bastions egress over HTTPS

This adds two security group rules, each of which allows a respective bastion egress over HTTPS to anywhere. This will allow the bastions to perform automatic security updates as well as correctly push logs into AWS CloudWatch.
cisagov · Aug 14, 2023 · 77d165d · 77d165d
1 parent 13b5bfa
commit 77d165d
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -483,6 +483,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | [aws_security_group_rule.bod_bastion_egress_all_icmp_to_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.bod_bastion_egress_all_tcp_to_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.bod_bastion_egress_all_udp_to_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.bod_bastion_https_egress_to_anywhere](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.bod_bastion_ingress_all_icmp_from_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.bod_bastion_ingress_all_tcp_from_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.bod_bastion_ingress_all_udp_from_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -495,6 +496,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | [aws_security_group_rule.cyhy_bastion_egress_all_icmp_to_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.cyhy_bastion_egress_all_tcp_to_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.cyhy_bastion_egress_all_udp_to_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.cyhy_bastion_https_egress_to_anywhere](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.cyhy_bastion_ingress_all_icmp_from_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.cyhy_bastion_ingress_all_tcp_from_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.cyhy_bastion_ingress_all_udp_from_mgmt_vulnscan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

diff --git a/terraform/bod_bastion_security_group_rules.tf b/terraform/bod_bastion_security_group_rules.tf
@@ -26,6 +26,16 @@ resource "aws_security_group_rule" "bastion_self_ssh" {
   to_port   = 22
 }
 
+# Allow HTTPS egress anywhere
+resource "aws_security_group_rule" "bod_bastion_https_egress_to_anywhere" {
+  security_group_id = aws_security_group.bod_bastion_sg.id
+  type              = "egress"
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 443
+  to_port           = 443
+}
+
 # Allow ssh egress to the docker security group
 resource "aws_security_group_rule" "bastion_ssh_to_docker" {
   security_group_id        = aws_security_group.bod_bastion_sg.id

diff --git a/terraform/cyhy_bastion_security_group_rules.tf b/terraform/cyhy_bastion_security_group_rules.tf
@@ -40,6 +40,16 @@ resource "aws_security_group_rule" "bastion_self_egress" {
   to_port   = 22
 }
 
+# Allow HTTPS egress anywhere
+resource "aws_security_group_rule" "cyhy_bastion_https_egress_to_anywhere" {
+  security_group_id = aws_security_group.cyhy_bastion_sg.id
+  type              = "egress"
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 443
+  to_port           = 443
+}
+
 # Allow egress via ssh to the private security group
 resource "aws_security_group_rule" "bastion_egress_to_private_sg_via_ssh" {
   security_group_id        = aws_security_group.cyhy_bastion_sg.id