The base aspect properties available to any aspect.
jsii doesn't support TypeScript's Omit when extending interfaces, so the library defines a base property set to extend from. It carries the properties every non-base aspect needs.
import { AspectPropsBase } from '@renovosolutions/cdk-aspects-library-security-group'
const aspectPropsBase: AspectPropsBase = { ... }
public readonly annotationText: string;
- Type: string
The annotation text to use for the annotation.
public readonly annotationType: AnnotationType;
- Type: AnnotationType
The annotation type to use for the annotation.
The extended aspect properties available only to the base security aspects.
These additional properties shouldn't be changed in aspects that already have clearly defined goals, so this extended interface is applied only to the base aspects.
import { AspectPropsExtended } from '@renovosolutions/cdk-aspects-library-security-group'
const aspectPropsExtended: AspectPropsExtended = { ... }
public readonly annotationText: string;
- Type: string
The annotation text to use for the annotation.
public readonly annotationType: AnnotationType;
- Type: AnnotationType
The annotation type to use for the annotation.
public readonly anySource: boolean;
- Type: boolean
- Default: false
Whether any source is valid.
When true, all source restrictions (CIDRs and security groups) are ignored and only the port is checked.
public readonly ports: number[];
- Type: number[]
- Default: undefined
The restricted ports.
Defaults to undefined, which restricts all ports and only checks sources.
public readonly restrictedCidrs: string[];
- Type: string[]
- Default: ['0.0.0.0/0', '::/0']
The restricted source CIDRs for the given ports.
public readonly restrictedSGs: string[];
- Type: string[]
- Default: undefined
The restricted source security groups for the given ports.
The arguments for the checkRules function.
Extends the extended aspect properties (annotation settings plus anySource, ports, restrictedCidrs and restrictedSGs), all of which can be used as args, and adds the node to check.
import { RuleCheckArgs } from '@renovosolutions/cdk-aspects-library-security-group'
const ruleCheckArgs: RuleCheckArgs = { ... }
public readonly annotationText: string;
- Type: string
The annotation text to use for the annotation.
public readonly annotationType: AnnotationType;
- Type: AnnotationType
The annotation type to use for the annotation.
public readonly anySource: boolean;
- Type: boolean
- Default: false
Whether any source is valid.
When true, all source restrictions (CIDRs and security groups) are ignored and only the port is checked.
public readonly ports: number[];
- Type: number[]
- Default: undefined
The restricted ports.
Defaults to undefined, which restricts all ports and only checks sources.
public readonly restrictedCidrs: string[];
- Type: string[]
- Default: ['0.0.0.0/0', '::/0']
The restricted source CIDRs for the given ports.
public readonly restrictedSGs: string[];
- Type: string[]
- Default: undefined
The restricted source security groups for the given ports.
public readonly node: IConstruct;
- Type: constructs.IConstruct
The node to check.
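The properties above (anySource, ports, restrictedCidrs, restrictedSGs, annotationType) describe how an ingress rule is judged, but the page shows no evaluation logic. The following is an added, self-contained TypeScript model of that evaluation, written for this page; it is not the library's checkRules code and imports neither the library nor aws-cdk-lib. The IngressRule shape (mirroring a CloudFormation SecurityGroup ingress entry), the SgNode stand-in for a visited construct, the two option sets named publicSsh and anyMgmt (modelled on the descriptions of NoPublicIngressSSHAspect and NoIngressCommonManagementPortsAspect), and the sample rules are all constructed for the example.

```typescript
// Added illustrative example, not the library's own code. Models how the
// AspectPropsExtended / RuleCheckArgs options decide whether an ingress rule
// is restricted, and how annotationType decides whether deployment is blocked.

type AnnotationType = 'info' | 'warning' | 'error';

// Constructed: mirrors the fields of a CloudFormation SecurityGroup ingress entry.
interface IngressRule {
  ipProtocol: string;            // 'tcp', 'udp', or '-1' for all traffic
  fromPort?: number;
  toPort?: number;
  cidrIp?: string;
  cidrIpv6?: string;
  sourceSecurityGroupId?: string;
}

// The configurable checks, named as in AspectPropsExtended.
interface RuleCheckOpts {
  anySource?: boolean;           // default false
  ports?: number[];              // default undefined: all ports restricted, only sources checked
  restrictedCidrs?: string[];    // default ['0.0.0.0/0', '::/0']
  restrictedSGs?: string[];      // default undefined: no source SG is restricted
}

interface SgNode { path: string; ingress: IngressRule[] }   // constructed stand-in for the visited construct
interface Finding { path: string; level: AnnotationType; text: string }

const DEFAULT_RESTRICTED_CIDRS = ['0.0.0.0/0', '::/0'];

// Port check: with no ports configured everything is restricted; an all-traffic
// rule covers every port; otherwise any restricted port inside the range matches.
function portMatches(rule: IngressRule, ports?: number[]): boolean {
  if (ports === undefined) return true;
  if (rule.ipProtocol === '-1') return true;   // assumption: '-1' means all protocols and ports
  const from = rule.fromPort ?? 0;
  const to = rule.toPort ?? 65535;
  return ports.some((p) => p >= from && p <= to);
}

// Source check: anySource short-circuits; otherwise the CIDR or source SG must be listed.
function sourceMatches(rule: IngressRule, opts: RuleCheckOpts): boolean {
  if (opts.anySource) return true;
  const cidrs = opts.restrictedCidrs ?? DEFAULT_RESTRICTED_CIDRS;
  if (rule.cidrIp !== undefined && cidrs.includes(rule.cidrIp)) return true;
  if (rule.cidrIpv6 !== undefined && cidrs.includes(rule.cidrIpv6)) return true;
  if (rule.sourceSecurityGroupId !== undefined && (opts.restrictedSGs ?? []).includes(rule.sourceSecurityGroupId)) return true;
  return false;
}

function ruleIsRestricted(rule: IngressRule, opts: RuleCheckOpts): boolean {
  return portMatches(rule, opts.ports) && sourceMatches(rule, opts);
}

function describe(rule: IngressRule): string {
  const src = rule.cidrIp ?? rule.cidrIpv6 ?? rule.sourceSecurityGroupId ?? 'unknown';
  return `${rule.ipProtocol} ${rule.fromPort ?? '*'}-${rule.toPort ?? '*'} from ${src}`;
}

// One finding per offending rule; the aspect's annotationType sets the severity.
function checkNode(node: SgNode, opts: RuleCheckOpts, level: AnnotationType, text: string): Finding[] {
  return node.ingress
    .filter((rule) => ruleIsRestricted(rule, opts))
    .map((rule) => ({ path: node.path, level, text: `${text} (${describe(rule)})` }));
}

// Only error annotations stop deployment; warning and info only annotate.
function blocksDeployment(findings: Finding[]): boolean {
  return findings.some((f) => f.level === 'error');
}

// Constructed sample: one security group with four ingress rules.
const sampleNode: SgNode = {
  path: 'Stack/Web/SecurityGroup',
  ingress: [
    { ipProtocol: 'tcp', fromPort: 22, toPort: 22, cidrIp: '0.0.0.0/0' },     // public SSH
    { ipProtocol: 'tcp', fromPort: 22, toPort: 22, cidrIp: '10.0.0.0/8' },    // private SSH
    { ipProtocol: 'tcp', fromPort: 0, toPort: 65535, cidrIpv6: '::/0' },      // public, all TCP ports
    { ipProtocol: 'tcp', fromPort: 443, toPort: 443, sourceSecurityGroupId: 'sg-0123456789abcdef0' },
  ],
};

// Option sets modelled on the descriptions of two aspects on this page (not their code).
const publicSsh: RuleCheckOpts = { ports: [22] };                                // NoPublicIngressSSHAspect
const anyMgmt: RuleCheckOpts = { anySource: true, ports: [22, 3389, 5985, 5986] }; // NoIngressCommonManagementPortsAspect

const sshFindings = checkNode(sampleNode, publicSsh, 'error', 'Public SSH ingress is not allowed');
const mgmtFindings = checkNode(sampleNode, anyMgmt, 'warning', 'Management port exposed');
console.log(sshFindings, blocksDeployment(sshFindings));    // 2 findings, true
console.log(mgmtFindings, blocksDeployment(mgmtFindings));  // 3 findings, false
```

The two runs show the two axes the options control: the publicSsh set flags only the rules whose source is a default restricted CIDR, including the 0-65535 range that happens to cover port 22, while the anyMgmt set ignores sources entirely and flags every rule touching a management port, including the private 10.0.0.0/8 one. Because the first run was annotated as error and the second as warning, only the first would stop a deployment.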
Restricted common ports based on AWS Config rule https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html.
import { AWSRestrictedCommonPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new AWSRestrictedCommonPortsAspect(props?: AspectPropsBase)
CIS AWS Foundations Benchmark 4.1.
CIS recommends that no security group allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.
This aspect uses the NoPublicIngressSSHAspect with an alternate annotation text.
import { CISAwsFoundationBenchmark4Dot1Aspect } from '@renovosolutions/cdk-aspects-library-security-group'
new CISAwsFoundationBenchmark4Dot1Aspect(props?: AspectPropsBase)
CIS AWS Foundations Benchmark 4.2.
CIS recommends that no security group allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.
This aspect uses the NoPublicIngressRDPAspect with an alternate annotation text.
import { CISAwsFoundationBenchmark4Dot2Aspect } from '@renovosolutions/cdk-aspects-library-security-group'
new CISAwsFoundationBenchmark4Dot2Aspect(props?: AspectPropsBase)
Aspect to restrict any access to common management ports.
22 - SSH
3389 - RDP
5985 - WinRM
5986 - WinRM HTTPS
import { NoIngressCommonManagementPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoIngressCommonManagementPortsAspect(props?: AspectPropsBase)
Aspect to restrict any access to common relational DB ports.
3306 - MySQL
5432 - PostgreSQL
1521 - Oracle
1433 - SQL Server
import { NoIngressCommonRelationalDBPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoIngressCommonRelationalDBPortsAspect(props?: AspectPropsBase)
Aspect to restrict any access to common web ports.
80 - HTTP
443 - HTTPS
8080 - HTTP
8443 - HTTPS
import { NoIngressCommonWebPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoIngressCommonWebPortsAspect(props?: AspectPropsBase)
- Implements: aws-cdk-lib.IAspect
The same as the base NoPublicIngressAspectBase but with a more descriptive annotation.
Blocks any port from the public internet.
import { NoPublicIngressAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressAspect(props?: AspectPropsBase)
- Implements: aws-cdk-lib.IAspect
The base aspect to determine if a security group allows inbound traffic from the public internet to any port.
This inherits everything from the base SecurityGroupAspectBase class and sets the default restricted CIDRs to 0.0.0.0/0 and ::/0, the ranges that allow all IPv4 and IPv6 sources.
import { NoPublicIngressAspectBase } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressAspectBase(props?: AspectPropsBase)
Aspect to restrict public access to common management ports.
22 - SSH
3389 - RDP
5985 - WinRM
5986 - WinRM HTTPS
import { NoPublicIngressCommonManagementPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressCommonManagementPortsAspect(props?: AspectPropsBase)
Aspect to restrict public access to common relational DB ports.
3306 - MySQL
5432 - PostgreSQL
1521 - Oracle
1433 - SQL Server
import { NoPublicIngressCommonRelationalDBPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressCommonRelationalDBPortsAspect(props?: AspectPropsBase)
Aspect to restrict public access to common web ports.
80 - HTTP
443 - HTTPS
8080 - HTTP
8443 - HTTPS
import { NoPublicIngressCommonWebPortsAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressCommonWebPortsAspect(props?: AspectPropsBase)
Aspect to determine if a security group allows inbound traffic from the public internet to the RDP port.
import { NoPublicIngressRDPAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressRDPAspect(props?: AspectPropsBase)
Aspect to determine if a security group allows inbound traffic from the public internet to the SSH port.
import { NoPublicIngressSSHAspect } from '@renovosolutions/cdk-aspects-library-security-group'
new NoPublicIngressSSHAspect(props?: AspectPropsBase)
- Implements: aws-cdk-lib.IAspect
The base class for all security group aspects in the library.
By default this restricts nothing; the subclasses and the AspectPropsExtended options supply the ports and sources to restrict.
import { SecurityGroupAspectBase } from '@renovosolutions/cdk-aspects-library-security-group'
new SecurityGroupAspectBase(props?: AspectPropsExtended)
public visit(node: IConstruct)
- Type: constructs.IConstruct
public readonly annotationText: string;
- Type: string
public readonly annotationType: AnnotationType;
- Type: AnnotationType
public readonly anySource: boolean;
- Type: boolean
public readonly ports: number[];
- Type: number[]
public readonly restrictedCidrs: string[];
- Type: string[]
public readonly restrictedSGs: string[];
- Type: string[]
The supported annotation types.
Only the error type stops deployment of the flagged resources; the other types only annotate them.