Security Groups - add permission

The following example policy automatically creates a CloudWatch Event Rule triggered Lambda function in your account and region, which runs whenever a user creates or modifies a security group. This provides near real-time auto-remediation (typically within a minute) of the security group change, which greatly reduces the attack window. The matched world-open rule is removed, and a user defined rule is added to the security groups that pass the filters.

policies:
  - name: sg-add-permission
    resource: security-group
    description: |
      Add rule to a security group. Filter any security group that
      allows 0.0.0.0/0 or ::/0 (IPv6) ingress on port 22, remove
      the rule and add user defined sg rule
    mode:
      type: cloudtrail
      # IAM role the Lambda function assumes; {account_id} is expanded by
      # Custodian. Replace the role name with the one used in your account.
      role: arn:aws:iam::{account_id}:role/CloudCustodian
      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: "responseElements.securityGroupRuleSet.items[].groupId"
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupIngress
          ids: "requestParameters.groupId"
    filters:
      - or:
          - type: ingress
            IpProtocol: "-1"
            Ports: [22]
            Cidr: "0.0.0.0/0"
          - type: ingress
            IpProtocol: "-1"
            Ports: [22]
            CidrV6: "::/0"
    actions:
      - type: set-permissions
        # remove the permission matched by a previous ingress filter.
        remove-ingress: matched
        # add a list of permissions to the group.
        add-ingress:
          # full syntax/parameters to authorize can be used.
          - IpPermissions:
              - IpProtocol: tcp
                FromPort: 22
                ToPort: 22
                IpRanges:
                  # placeholder CIDRs (RFC 5737 documentation ranges):
                  # replace with the networks that should keep SSH access.
                  - Description: Ops SSH Access
                    CidrIp: "203.0.113.0/24"
                  - Description: Security SSH Access
                    CidrIp: "198.51.100.0/24"
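To see what the policy does before deploying it, the following dry-run script is an added illustration (not Cloud Custodian's own code) that walks the same three steps offline: resolve the group id from a CloudTrail event using the two `ids` paths above, test each ingress permission against the "port 22 open to 0.0.0.0/0 or ::/0" condition, and compute the permission list that `set-permissions` would leave behind (matched rule removed, replacement rules added). The event, the security group and the replacement CIDRs are constructed samples, and the matching logic is an approximation of the `ingress` filter written here for the example, not Custodian's implementation.

```python
import ipaddress

# Constructed CloudTrail event (not a real capture) in the shape the
# cloudtrail mode matches: an ec2 AuthorizeSecurityGroupIngress call.
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "responseElements": {
        "securityGroupRuleSet": {
            "items": [{"groupId": "sg-0123456789abcdef0"}]
        }
    },
}

# Constructed security group (shape of ec2 describe_security_groups output):
# one world-open SSH rule that the filter should match, one internal HTTPS
# rule that must be left alone.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

# Replacement rule mirroring the add-ingress block; CIDRs are placeholders
# from the RFC 5737 documentation ranges.
REPLACEMENT = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"Description": "Ops SSH Access", "CidrIp": "203.0.113.0/24"},
                  {"Description": "Security SSH Access", "CidrIp": "198.51.100.0/24"}],
     "Ipv6Ranges": []},
]


def group_ids_from_event(event):
    """Resolve group ids the way the two `ids` expressions in the mode do."""
    name = event.get("eventName")
    if name == "AuthorizeSecurityGroupIngress":
        items = (event.get("responseElements", {})
                 .get("securityGroupRuleSet", {}).get("items", []))
        return sorted({i["groupId"] for i in items if "groupId" in i})
    if name == "RevokeSecurityGroupIngress":
        gid = event.get("requestParameters", {}).get("groupId")
        return [gid] if gid else []
    return []


def rule_matches(perm, port=22):
    """True when the permission exposes `port` to 0.0.0.0/0 or ::/0.

    IpProtocol "-1" (all traffic) carries no port range and always covers
    the port; for tcp/udp the FromPort..ToPort range must include it.
    """
    proto = perm.get("IpProtocol")
    if proto != "-1":
        if proto not in ("tcp", "udp"):
            return False
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return open_v4 or open_v6


def matched_permissions(group, port=22):
    """Permissions the `ingress` filter would flag on this group."""
    return [p for p in group["IpPermissions"] if rule_matches(p, port)]


def validate_replacement(replacement):
    """Refuse replacement rules that would themselves be world-open (/0)."""
    for perm in replacement:
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                raise ValueError(f"replacement rule is world-open: {cidr}")
    return True


def remediate(group, replacement, port=22):
    """Permission list after remove-ingress: matched plus add-ingress."""
    validate_replacement(replacement)
    kept = [p for p in group["IpPermissions"] if not rule_matches(p, port)]
    return kept + list(replacement)


if __name__ == "__main__":
    for gid in group_ids_from_event(SAMPLE_EVENT):
        print("event references", gid)
    print("matched:", matched_permissions(SAMPLE_GROUP))
    print("after remediation:", remediate(SAMPLE_GROUP, REPLACEMENT))
```

Running the script reports the single matched world-open SSH rule and a result that keeps the internal HTTPS rule, drops the 0.0.0.0/0 entry and appends the two placeholder SSH ranges; the `validate_replacement` guard exists because a typo in the `add-ingress` CIDRs (for example a `/0` prefix) would otherwise reopen the exposure the policy is meant to close.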