AWS and Terraform - Default egress rule in security group


Question


There is a repeatable configuration that I see in many Terraform projects where the provider is AWS: The configuration of an outbound (egress) rule to allow ALL outbound traffic.

As far as I understand, this is the default behavior in AWS as mentioned in the AWS user guide:

By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.

An example of a common Terraform setup for a security group. The focus of my question is the egress block:

resource "aws_security_group" "my_sg" {
  name        = "my_sg"
  description = "Some description"
  vpc_id      = aws_vpc.my_vpc.id # the original "${aws_vpc.my_vpc.id}" form still works but is deprecated in Terraform 0.12+
  tags = {                        # the original "tags {" block form is 0.11 syntax and is an error in 0.12+
    Name = "my_sg_tag"
  }

  # Not redundant - Because a new security group has no inbound rules.
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Isn't this redundant?
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Is this configuration being made for documentation or does it have a technical reason?

Solution

The documentation for the aws_security_group resource specifically states that they remove AWS' default egress rule intentionally by default and require users to specify it to limit surprises to users:

NOTE on Egress rules: By default, AWS creates an ALLOW ALL egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, Terraform will remove this default rule, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this egress block:

egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}

There's also a technical/UX reason here in that it would be tricky to make Terraform understand whether it should keep the allow all egress rule when making changes to the security group. Should it always provide the allow all egress rule unless another egress rule is specified and then if so remove the default? How would that work with the combination of the aws_security_group_rule resource?

AWS have made the decision that a default rule to allow all egress outbound is a nicer user experience than not having it (and confusing people as to why their instance is unable to communicate outbound) without too much of a security impact (compared to the equivalent for inbound). Even if they were to change their mind on the benefit of this now they would be unable to do this without massively breaking a lot of people's setups/workflows which AWS is very reluctant to do.

Terraform, on the other hand, has made the decision the other way and that suits the tool better as well as slightly improving the security posture of the tool at the expense of making people define a repeated egress block in a lot of places.

If you particularly care about the repetition and you do always want to allow all egress traffic then you might find it useful to use a module instead that automatically includes an allow all egress rule.
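Putting the answer's advice into practice, as an added example that is not the question's or the answer's code and not the provider's documentation: rules are declared with aws_security_group_rule resources rather than inline blocks, a restricted HTTPS-inside-the-VPC rule is the default egress, and the AWS-style allow-all rule is created only when the assumed allow_all_egress variable is set to true. The variable and resource names and the vpc_id / vpc_cidr inputs are assumptions.

```hcl
# Added example (not from the question or answer). Assumed inputs: vpc_id,
# vpc_cidr, allow_all_egress. Rules live in aws_security_group_rule resources;
# do not also add inline ingress/egress blocks to the group, or they conflict.
variable "vpc_id"   { type = string }
variable "vpc_cidr" { type = string }
variable "allow_all_egress" {
  type    = bool
  default = false # default is restrictive: outbound traffic must be declared
}

resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "Explicit egress; Terraform drops the AWS allow-all default"
  vpc_id      = var.vpc_id
  tags        = { Name = "app-sg" }
}

# Inbound HTTP, same as the question's ingress block.
resource "aws_security_group_rule" "http_in" {
  type              = "ingress"
  security_group_id = aws_security_group.app.id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Restricted egress: HTTPS to addresses inside the VPC only (internal
# services, VPC endpoints). Outbound internet access is NOT allowed here.
resource "aws_security_group_rule" "https_out_vpc" {
  type              = "egress"
  security_group_id = aws_security_group.app.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_cidr]
}

# The AWS default (allow all egress), re-created only on explicit opt-in.
resource "aws_security_group_rule" "all_out" {
  count             = var.allow_all_egress ? 1 : 0
  type              = "egress"
  security_group_id = aws_security_group.app.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

With allow_all_egress left at false, `terraform plan` should show only the HTTPS egress rule, so an allow-all egress rule can enter the configuration only through a reviewable variable change.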
