Security Groups - add permissionΒΆ

The following example policy will automatically create a CloudWatch Event Rule triggered Lambda function in your account and region which will be triggered anytime a user creates or modifies a security group. This provides near real-time auto-remediation action (typically within a minute) of the security group change. Having such a quick auto-remediation action greatly reduces any attack window! User defined rule is added to the filtered results.

policies:
  - name: sg-add-permission
    resource: security-group
    description: |
      Add rule to a security group. Filter any security group that
      allows 0.0.0.0/0 or ::/0 (IPv6) ingress on port 22, remove
      the rule and add user defined sg rule
    mode:
        type: cloudtrail
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "responseElements.securityGroupRuleSet.items[].groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
       - or:
             - type: ingress
               IpProtocol: "-1"
               Ports: [22]
               Cidr: "0.0.0.0/0"
             - type: ingress
               IpProtocol: "-1"
               Ports: [22]
               CidrV6: "::/0"
    actions:
      - type: set-permissions
        # remove the permission matched by a previous ingress filter.
        remove-ingress: matched
        # add a list of permissions to the group.
        add-ingress:
          # full syntax/parameters to authorize can be used.
          - IpPermissions:
            - IpProtocol: TCP
              FromPort: 22
              ToPort: 22
              IpRanges:
                - Description: Ops SSH Access
                  CidrIp: "1.1.1.1/32"
                - Description: Security SSH Access
                  CidrIp: "2.2.2.2/32"