in security/swift_security.py [0:0]
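def enforce_security_groups_rules(self) -> None:
    """Create the ingress/egress rules for the SAGSNL, AMH, RDS and MQ security groups.

    The flows wired up here are:
      * AMH -> SAGSNL on TCP 48002-48003 (declared from both sides, see note below).
      * AMH -> RDS on TCP 1521 and AMH -> MQ on TCP 61617 (declared from both sides).
      * SAGSNL and AMH -> S3 on TCP 443, scoped to the S3 gateway-endpoint prefix list.
      * SAGSNL -> ``self._swift_ip_range`` (all protocols/ports) and
        SAGSNL -> ``self._hsm_ip`` (TCP 1792, 22, 48321) over the VGW.
      * ``self._workstation_ip_range`` -> SAGSNL 2443, AMH 8443, MQ 8162 (ingress).

    The S3 prefix-list id is resolved at synth time with boto3, so the default
    boto3 region must be the region this stack deploys to.

    Raises:
        RuntimeError: if ``describe_prefix_lists`` returns no S3 prefix list
            (previously this surfaced as an opaque ``IndexError``).
    """
    sagsnl_sg = self.get_security_group(SwiftComponents.SAGSNL + "SG")
    rds_sg = self.get_security_group("RDSSG")
    mq_sg = self.get_security_group("MQSG")
    amh_sg = self.get_security_group(SwiftComponents.AMH + "SG")

    # Resolve the regional S3 gateway-endpoint prefix list. A wildcard region is
    # used in the filter; describe_prefix_lists only returns the client's own
    # region, so the first match is the one we want. Fail loudly if there is
    # none rather than letting [0] raise IndexError.
    ec2_client = boto3.client("ec2")
    prefix_lists = ec2_client.describe_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": ["com.amazonaws.*.s3"]}]
    )["PrefixLists"]
    if not prefix_lists:
        raise RuntimeError(
            "No S3 prefix list (com.amazonaws.<region>.s3) found; check that the "
            "default boto3 region matches the stack's deployment region"
        )
    s3_prefix_list = prefix_lists[0]["PrefixListId"]

    # --- SAGSNL -------------------------------------------------------------
    # NOTE(review): the AMH<->SAGSNL, AMH<->RDS and AMH<->MQ pairs are each
    # declared twice (allow_from on one SG, allow_to on the other). CDK is
    # expected to de-duplicate the resulting rules by construct id, in which
    # case the first description wins — confirm against the synthesized
    # template before relying on either description text.
    sagsnl_sg.connections.allow_from(other=amh_sg,
                                     port_range=_ec2.Port(
                                         protocol=_ec2.Protocol.TCP,
                                         string_representation="SAGSNL- AMH (48002,48003)",
                                         from_port=48002,
                                         to_port=48003
                                     ),
                                     description="Incoming connection from AMH")
    self.add_security_group_rule(SwiftComponents.SAGSNL + "SG", protocol=_ec2.Protocol.TCP,
                                 cidr_range=self._workstation_ip_range,
                                 from_port=2443, to_port=2443, is_ingress=True,
                                 description="SWP Web GUI Interface Ingress from workstation"
                                 )
    self.add_security_group_rule(SwiftComponents.SAGSNL + "SG", protocol=_ec2.Protocol.TCP,
                                 prefix_list=s3_prefix_list,
                                 from_port=443, to_port=443, is_ingress=False,
                                 description="Egress to S3 VPC Gateway Endpoint"
                                 )
    # NOTE(review): this is the widest rule in the set — every protocol and
    # every port towards the SWIFT range. Narrow it to the protocols/ports the
    # SWIFT connectivity actually needs once those are confirmed.
    self.add_security_group_rule(SwiftComponents.SAGSNL + "SG", protocol=_ec2.Protocol.ALL,
                                 cidr_range=self._swift_ip_range,
                                 from_port=0, to_port=65535, is_ingress=False,
                                 description="To SWIFT via VGW and VPN"
                                 )
    self.add_security_group_rule(SwiftComponents.SAGSNL + "SG", protocol=_ec2.Protocol.TCP,
                                 cidr_range=self._hsm_ip,
                                 from_port=1792, to_port=1792, is_ingress=False,
                                 description="To HSM via VGW"
                                 )
    # SSH egress from SAGSNL to the HSM: an administrative path, kept scoped to
    # the single HSM address only.
    self.add_security_group_rule(SwiftComponents.SAGSNL + "SG", protocol=_ec2.Protocol.TCP,
                                 cidr_range=self._hsm_ip,
                                 from_port=22, to_port=22, is_ingress=False,
                                 description="To HSM (SSH) via VGW"
                                 )
    self.add_security_group_rule(SwiftComponents.SAGSNL + "SG", protocol=_ec2.Protocol.TCP,
                                 cidr_range=self._hsm_ip,
                                 from_port=48321, to_port=48321, is_ingress=False,
                                 description="TO HSM (Remote PED) via VGW "
                                 )

    # --- AMH ----------------------------------------------------------------
    amh_sg.connections.allow_to(other=sagsnl_sg,
                                port_range=_ec2.Port(
                                    protocol=_ec2.Protocol.TCP,
                                    string_representation="AMH - SAGSNL (48002, 48003)",
                                    from_port=48002,
                                    to_port=48003
                                ),
                                description="AMH to SAGSNL connection")
    amh_sg.connections.allow_to(other=rds_sg,
                                port_range=_ec2.Port(
                                    protocol=_ec2.Protocol.TCP,
                                    string_representation="RDS (1521)",
                                    from_port=1521,
                                    to_port=1521
                                ),
                                description="AMH - RDS (1521)")
    amh_sg.connections.allow_to(other=mq_sg,
                                port_range=_ec2.Port(
                                    protocol=_ec2.Protocol.TCP,
                                    string_representation="MQ (61617)",
                                    from_port=61617,
                                    to_port=61617
                                ),
                                description="AMH - MQ (61617)")
    self.add_security_group_rule(SwiftComponents.AMH + "SG", protocol=_ec2.Protocol.TCP,
                                 prefix_list=s3_prefix_list,
                                 from_port=443, to_port=443,
                                 is_ingress=False,
                                 description="AMH Egress to S3"
                                 )
    # Description added so this rule is identifiable in the console like the others.
    self.add_security_group_rule(SwiftComponents.AMH + "SG", protocol=_ec2.Protocol.TCP,
                                 cidr_range=self._workstation_ip_range,
                                 from_port=8443, to_port=8443, is_ingress=True,
                                 description="AMH Ingress on 8443 from workstation"
                                 )

    # --- RDS / MQ (mirror of the AMH egress rules above) ---------------------
    rds_sg.connections.allow_from(other=amh_sg,
                                  port_range=_ec2.Port(
                                      protocol=_ec2.Protocol.TCP,
                                      string_representation="RDS (1521)",
                                      from_port=1521,
                                      to_port=1521
                                  ),
                                  description="AMH - RDS (1521)")
    mq_sg.connections.allow_from(other=amh_sg,
                                 port_range=_ec2.Port(
                                     protocol=_ec2.Protocol.TCP,
                                     string_representation="MQ (61617)",
                                     from_port=61617,
                                     to_port=61617
                                 ),
                                 description="AMH - MQ (61617)")
    # Description added so this rule is identifiable in the console like the others.
    self.add_security_group_rule("MQSG", protocol=_ec2.Protocol.TCP,
                                 cidr_range=self._workstation_ip_range,
                                 from_port=8162, to_port=8162, is_ingress=True,
                                 description="MQ Ingress on 8162 from workstation"
                                 )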