# Allow ingress from private subnet via ssh
#
# For: DevOps ssh access from private subnet to operations subnet.
# This is also necessary so that the Terraformer instance can
# configure instances in the operations subnet via Ansible.
#
# One rule is created per entry of var.private_subnet_cidr_blocks.  The
# for_each key is the CIDR string itself, and that same string is used
# to look up the matching aws_subnet.private instance (presumably keyed
# by CIDR where it is defined).  Rule numbers are 100 + the CIDR's
# position in the list, i.e. 100-109 for up to ten subnets; an eleventh
# subnet would collide with the WinRM rules starting at 110.
resource "aws_network_acl_rule" "operations_ingress_from_private_via_ssh" {
provider = aws.provisionassessment
for_each = toset(var.private_subnet_cidr_blocks)
cidr_block = aws_subnet.private[each.value].cidr_block
# Ingress rule (egress = false): matches traffic entering the subnet.
egress = false
from_port = 22
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "allow"
# Network ACL rule numbers must be unique within the ACL and are
# evaluated in ascending order; the first match wins.
rule_number = 100 + index(var.private_subnet_cidr_blocks, each.value)
to_port = 22
}
# Allow ingress from private subnet via port 5986 (Windows Remote
# Management).
#
# For: This is necessary so that the Terraformer instance can
# configure Windows instances in the operations subnet via Ansible.
#
# One rule per private subnet CIDR, numbered 110 + the CIDR's position
# in var.private_subnet_cidr_blocks.  Because rule 115 below denies
# 5986/tcp from everywhere, these allow rules must stay numbered below
# 115 to take precedence: with six or more private subnets the sixth
# rule would be numbered 115 and collide with that deny rule.
resource "aws_network_acl_rule" "operations_ingress_from_private_via_winrm" {
provider = aws.provisionassessment
for_each = toset(var.private_subnet_cidr_blocks)
cidr_block = aws_subnet.private[each.value].cidr_block
egress = false
from_port = 5986
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "allow"
# Must remain < 115 (the matching deny rule) for the allow to win.
rule_number = 110 + index(var.private_subnet_cidr_blocks, each.value)
to_port = 5986
}
# Disallow ingress from anywhere else via port 5986 (Windows Remote
# Management).
#
# Rule 115 is evaluated after the private-subnet allow rules (110-114)
# and before every "from anywhere" allow rule below (150 and up), so
# 5986/tcp from a non-private source is rejected even if it falls inside
# the 3390-50049 ephemeral range or an entry of
# var.inbound_ports_allowed.
#
# NOTE(review): this deny is TCP-only.  5986/udp is not denied here and
# is therefore allowed from anywhere by the udp instance of the
# 3390-50049 rule below; 5985/tcp (WinRM over HTTP) is likewise not
# denied.  Confirm that no operations host listens on either.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_else_winrm" {
provider = aws.provisionassessment
cidr_block = "0.0.0.0/0"
egress = false
from_port = 5986
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "deny"
rule_number = 115
to_port = 5986
}
# Allow ingress from private subnet via VNC (port 5901)
#
# For: Assessment team VNC access from private subnet to operations
# subnet.
#
# One rule per private subnet CIDR, numbered 120 + the CIDR's position
# in var.private_subnet_cidr_blocks.  Rule 125 below denies 5901/tcp
# from everywhere, so these allow rules must stay below 125: with six or
# more private subnets the sixth rule would be numbered 125 and collide
# with that deny rule.
resource "aws_network_acl_rule" "operations_ingress_from_private_via_vnc" {
provider = aws.provisionassessment
for_each = toset(var.private_subnet_cidr_blocks)
cidr_block = aws_subnet.private[each.value].cidr_block
egress = false
from_port = 5901
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "allow"
# Must remain < 125 (the matching deny rule) for the allow to win.
rule_number = 120 + index(var.private_subnet_cidr_blocks, each.value)
to_port = 5901
}
# Disallow ingress from anywhere else via VNC (port 5901).
#
# Rule 125 is evaluated after the private-subnet allow rules (120-124)
# and before every "from anywhere" allow rule below (150 and up), so
# 5901/tcp from a non-private source is rejected even though the
# 3390-50049 ephemeral rule would otherwise cover it.
#
# NOTE(review): only 5901/tcp is denied.  5901/udp, and any other VNC
# display port such as 5900 or 5902+, fall inside the 3390-50049 range
# allowed from anywhere below.  Confirm that operations hosts only
# expose display :1.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_else_vnc" {
provider = aws.provisionassessment
cidr_block = "0.0.0.0/0"
egress = false
from_port = 5901
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "deny"
rule_number = 125
to_port = 5901
}
# Allow ingress from the private subnets via port 80. This is
# necessary so that the Terraformer instance can install packages via
# the NAT gateway.
#
# The NAT gateway lives in the operations subnet (see the egress rule at
# the end of this file), so a package download from a private subnet
# enters the operations subnet with destination port 80 before being
# forwarded out.  Network ACLs are stateless; the return traffic is
# handled by the egress rule, not by this one.
#
# One rule per private subnet CIDR, numbered 130 + the CIDR's position
# in var.private_subnet_cidr_blocks (130-139 for up to ten subnets).
resource "aws_network_acl_rule" "operations_ingress_from_private_via_http" {
provider = aws.provisionassessment
for_each = toset(var.private_subnet_cidr_blocks)
cidr_block = aws_subnet.private[each.value].cidr_block
egress = false
from_port = 80
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "allow"
rule_number = 130 + index(var.private_subnet_cidr_blocks, each.value)
to_port = 80
}
# Allow ingress from the private subnets via port 443. This is
# necessary so that the Terraformer instance can perform a terraform
# init via the NAT gateway.
#
# Same shape as the port 80 rule above: the NAT gateway is in the
# operations subnet, so outbound HTTPS from a private subnet arrives
# here first.  Return traffic is covered by the stateless egress rule at
# the end of the file.
#
# One rule per private subnet CIDR, numbered 140 + the CIDR's position
# in var.private_subnet_cidr_blocks (140-149 for up to ten subnets).
resource "aws_network_acl_rule" "operations_ingress_from_private_via_https" {
provider = aws.provisionassessment
for_each = toset(var.private_subnet_cidr_blocks)
cidr_block = aws_subnet.private[each.value].cidr_block
egress = false
from_port = 443
network_acl_id = aws_network_acl.operations.id
protocol = "tcp"
rule_action = "allow"
rule_number = 140 + index(var.private_subnet_cidr_blocks, each.value)
to_port = 443
}
# Allow ingress from anywhere via the ports specified in
# var.inbound_ports_allowed
#
# For: Assessment team operational use
#
# Iterates local.union_of_inbound_ports_allowed (defined elsewhere);
# each element is expected to carry from_port, to_port, protocol and a
# zero-based index.  Rule numbers are 150 + index, so at most twenty
# entries fit before colliding with the ephemeral-port rules at 170.
#
# These rules are numbered above the WinRM (115) and VNC (125) deny
# rules, so an allowed-port entry covering 5986/tcp or 5901/tcp is still
# denied from non-private sources.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_via_allowed_ports" {
provider = aws.provisionassessment
for_each = local.union_of_inbound_ports_allowed
cidr_block = "0.0.0.0/0"
egress = false
from_port = each.value.from_port
network_acl_id = aws_network_acl.operations.id
protocol = each.value.protocol
rule_action = "allow"
# 150-169; must stay below 170 where the ephemeral-port rules begin.
rule_number = 150 + each.value.index
to_port = each.value.to_port
}
# Allow ingress from anywhere via ephemeral TCP/UDP ports below 3389
# (1024-3388)
#
# For: Assessment team operational use, but we don't want to allow
# public access to RDP on port 3389.
#
# One rule per protocol in local.tcp_and_udp (defined elsewhere;
# presumably the list ["tcp", "udp"]), numbered 170 + the protocol's
# list position.  The range deliberately stops at 3388 so that 3389 is
# covered by no "from anywhere" allow rule at all; the next range
# resumes at 3390.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_via_ports_1024_thru_3388" {
provider = aws.provisionassessment
for_each = toset(local.tcp_and_udp)
cidr_block = "0.0.0.0/0"
egress = false
from_port = 1024
network_acl_id = aws_network_acl.operations.id
protocol = each.value
rule_action = "allow"
rule_number = 170 + index(local.tcp_and_udp, each.value)
to_port = 3388
}
# Allow ingress from anywhere via ephemeral TCP/UDP ports 3390-50049.
#
# For: Assessment team operational use, but we don't want to allow
# public access to RDP on port 3389 or Cobalt Strike Teamservers on port 50050.
#
# The VNC (5901) and WinRM (5986) ports inside this range are denied
# for TCP by rules 125 and 115 above, which are evaluated first because
# they carry lower rule numbers.  Those deny rules are TCP-only, so the
# udp instance of this rule still admits 5901/udp and 5986/udp from
# anywhere.
#
# One rule per protocol in local.tcp_and_udp, numbered 180 + the
# protocol's list position.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_via_ports_3390_thru_50049" {
provider = aws.provisionassessment
for_each = toset(local.tcp_and_udp)
cidr_block = "0.0.0.0/0"
egress = false
from_port = 3390
network_acl_id = aws_network_acl.operations.id
protocol = each.value
rule_action = "allow"
rule_number = 180 + index(local.tcp_and_udp, each.value)
to_port = 50049
}
# Allow ingress from anywhere via ephemeral TCP/UDP ports 50051-65535.
#
# For: Assessment team operational use, but we don't want to allow
# public access to Cobalt Strike Teamservers on port 50050.
#
# Together with the 1024-3388 and 3390-50049 rules this leaves exactly
# two ports (3389 and 50050) in 1024-65535 with no "from anywhere"
# allow rule; ports below 1024 are reachable only via the private-subnet
# rules or var.inbound_ports_allowed.
#
# One rule per protocol in local.tcp_and_udp, numbered 200 + the
# protocol's list position.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_via_ports_50051_thru_65535" {
provider = aws.provisionassessment
for_each = toset(local.tcp_and_udp)
cidr_block = "0.0.0.0/0"
egress = false
from_port = 50051
network_acl_id = aws_network_acl.operations.id
protocol = each.value
rule_action = "allow"
rule_number = 200 + index(local.tcp_and_udp, each.value)
to_port = 65535
}
# Allow ingress from anywhere via ICMP
#
# For: Assessment team operational use (e.g. ping responses)
#
# icmp_type = -1 and icmp_code = -1 match every ICMP type and code, so
# this is not limited to echo request/reply.  ICMP rules take no
# from_port/to_port.
resource "aws_network_acl_rule" "operations_ingress_from_anywhere_via_icmp" {
provider = aws.provisionassessment
cidr_block = "0.0.0.0/0"
egress = false
icmp_code = -1
icmp_type = -1
network_acl_id = aws_network_acl.operations.id
protocol = "icmp"
rule_action = "allow"
rule_number = 210
}
# Allow egress to anywhere via any protocol and port
#
# For: Assessment team operational use
#
# Note that this also covers the return traffic when the Terraformer
# instance performs a terraform init or installs packages via the NAT
# gateway in the operations subnet.
#
# protocol = "-1" means all protocols; with it, from_port and to_port
# are set to 0 and do not restrict the match.  This is the single
# egress rule in the file (every rule above is ingress), and since
# network ACLs are stateless it is also what lets replies to the inbound
# allow rules leave the subnet.
resource "aws_network_acl_rule" "operations_egress_to_anywhere_via_any_port" {
provider = aws.provisionassessment
cidr_block = "0.0.0.0/0"
egress = true
from_port = 0
network_acl_id = aws_network_acl.operations.id
protocol = "-1"
rule_action = "allow"
rule_number = 300
to_port = 0
}