
[Test] Remove webserver security group #73

Merged: 1 commit, Feb 29, 2024

Conversation

jameslaneovermind (Contributor)

This was assigned to an EC2 instance in the AWS console, not via Terraform. Therefore we should see a risk warning us that this is used.


Expected Changes

No expected changes found.

Unmapped Changes

Note: These changes couldn't be mapped to a real cloud resource and therefore won't be included in the blast radius calculation.

deleted ec2-security-group › module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_rules[0]
--- current
+++ planned
@@ -1,15 +1 @@
-cidr_blocks:
-    - 10.10.0.0/16
-description: HTTPS
-from_port: 443
-id: sgrule-3305719298
-ipv6_cidr_blocks: []
-prefix_list_ids: []
-protocol: tcp
-security_group_id: sg-058546297f49dc2ce
-security_group_rule_id: sgr-03b6304ce0f2453c4
-self: false
-terraform_address: module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_rules[0]
-terraform_name: module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_rules[0]
-to_port: 443
-type: ingress
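Review bot: this is the only 443/tcp ingress on sg-058546297f49dc2ce and its `cidr_blocks` entry (10.10.0.0/16) already scopes it to the VPC, so the hunk removes controlled access rather than an exposure; how much is interrupted depends on what is still attached to the group, and because the PR description says the attachment was made in the console rather than through Terraform (which is also why the change appears under Unmapped Changes), the plan cannot show it. List the ENIs that reference sg-058546297f49dc2ce before merging.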
deleted ec2-security-group › module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_with_cidr_blocks[0]
--- current
+++ planned
@@ -1,14 +1 @@
-cidr_blocks:
-    - 10.10.0.0/16
-description: User-service ports
-from_port: 8080
-id: sgrule-2564654635
-prefix_list_ids: []
-protocol: tcp
-security_group_id: sg-058546297f49dc2ce
-security_group_rule_id: sgr-0f71d41686df0afda
-self: false
-terraform_address: module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_with_cidr_blocks[0]
-terraform_name: module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_with_cidr_blocks[0]
-to_port: 8090
-type: ingress
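Review bot: `from_port: 8080` / `to_port: 8090` opens eleven consecutive ports under the single description `User-service ports`; a range like this tends to outlive the services it was created for, so if a replacement rule is written for whichever group takes over, list only the ports that are actually listened on rather than copying this range.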
deleted ec2-security-group › module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_with_cidr_blocks[1]
--- current
+++ planned
@@ -1,14 +1 @@
-cidr_blocks:
-    - 0.0.0.0/0
-description: Ingress Rule
-from_port: 5432
-id: sgrule-1928904550
-prefix_list_ids: []
-protocol: tcp
-security_group_id: sg-058546297f49dc2ce
-security_group_rule_id: sgr-02af6be8521877f96
-self: false
-terraform_address: module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_with_cidr_blocks[1]
-terraform_name: module.loom[0].module.web_server_security_group.aws_security_group_rule.ingress_with_cidr_blocks[1]
-to_port: 5432
-type: ingress
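Review bot: `cidr_blocks: 0.0.0.0/0` on 5432/tcp exposes PostgreSQL on every instance in this group to the entire internet, and the placeholder description `Ingress Rule` (contrast `HTTPS` and `User-service ports` on the other two rules) suggests it was never reviewed; removing it is the right outcome, but if a replacement group is created the source should be restricted to 10.10.0.0/16 as the sibling rules are, or to a source security group, and the rule should not be re-created with a world-open source.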
deleted ec2-security-group › module.loom[0].module.web_server_security_group.aws_security_group.this_name_prefix[0]
--- current
+++ planned
@@ -1,49 +1 @@
-arn: arn:aws:ec2:eu-west-2:540044833068:security-group/sg-058546297f49dc2ce
-description: Security group for web server instances
-egress: []
-id: sg-058546297f49dc2ce
-ingress:
-    - cidr_blocks:
-        - 0.0.0.0/0
-      description: Ingress Rule
-      from_port: 5432
-      ipv6_cidr_blocks: []
-      prefix_list_ids: []
-      protocol: tcp
-      security_groups: []
-      self: false
-      to_port: 5432
-    - cidr_blocks:
-        - 10.10.0.0/16
-      description: HTTPS
-      from_port: 443
-      ipv6_cidr_blocks: []
-      prefix_list_ids: []
-      protocol: tcp
-      security_groups: []
-      self: false
-      to_port: 443
-    - cidr_blocks:
-        - 10.10.0.0/16
-      description: User-service ports
-      from_port: 8080
-      ipv6_cidr_blocks: []
-      prefix_list_ids: []
-      protocol: tcp
-      security_groups: []
-      self: false
-      to_port: 8090
-name: web_server_security_group-20240229141958688100000001
-name_prefix: web_server_security_group-
-owner_id: "540044833068"
-revoke_rules_on_delete: false
-tags:
-    Name: web_server_security_group
-tags_all:
-    Name: web_server_security_group
-terraform_address: module.loom[0].module.web_server_security_group.aws_security_group.this_name_prefix[0]
-terraform_name: module.loom[0].module.web_server_security_group.aws_security_group.this_name_prefix[0]
-timeouts:
-    create: 10m
-    delete: 15m
-vpc_id: vpc-04eb3a738ef8488db
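Review bot: `revoke_rules_on_delete: false` together with the `delete: 15m` timeout means that if sg-058546297f49dc2ce is still attached to the console-assigned instance mentioned in the PR, the apply will not detach it for you; AWS refuses to delete an in-use security group, so the destroy will keep retrying until the timeout and then fail. Swap or detach the group on the instance first. Also note that `egress: []` records no outbound rules at all for this group, so any instance relying on it could not initiate connections; confirm that was deliberate before reproducing these rules elsewhere.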

Blast Radius

Items: 0, Edges: 0

Risks

Loss of Access Control and Communication Interruption [High]

Removing the security group web_server_security_group will result in loss of defined ingress rules for HTTPS (443/tcp), a specific user-service port range (8080 to 8090/tcp), and PostgreSQL (5432/tcp). The current state confirms these are the only rules allowing traffic from the specified CIDR blocks or the internet for PostgreSQL. Without a replacement or adjustment in another security group, this could lead to services becoming inaccessible due to the loss of HTTP and user-service port access, or overly exposed due to wholesale PostgreSQL rule removal.

This risk is underscored by the presence of specified CIDR ranges for HTTPS and user-service ports, indicating controlled intra-VPC (or specific network) access, and the global allowance for PostgreSQL, which, if not intentionally public, represents a critical exposure risk without this security group.

Potential Misconfiguration in Security Posture [Medium]

With the confirmation of the current security group's state, including specific ingress rules tailored for certain application behaviors (HTTPS, user-service ports, and PostgreSQL), removing this group might necessitate rapid reconfiguration or deployment of alternative security measures. The precise nature of these rules indicates a potentially sophisticated access control scheme that might not be easily replicated or might be overlooked in other security constructs within the AWS environment. This could lead to either too stringent or too lax security postures, impacting service accessibility or exposing services to unnecessary risk, respectively.
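One way to automate the two-sided check the risk notes above describe (deleting a restricted rule interrupts access, deleting or creating a world-open one changes exposure), as an added example that is not Overmind's code: it walks the `resource_changes` of a `terraform show -json` plan, and the sample plan is constructed here to mirror the three deleted rules plus a hypothetical replacement that would re-open PostgreSQL.

```python
import ipaddress

# Ports where a 0.0.0.0/0 source is usually intended (public web front ends).
PUBLIC_OK_PORTS = {80, 443}

def is_world_open(cidrs):
    """True if any CIDR is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def classify_rule(rule):
    """'world-open' if the rule admits the whole internet to a non-web port, else 'ok'."""
    cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
    ports = set(range(rule["from_port"], rule["to_port"] + 1))
    return "world-open" if is_world_open(cidrs) and not ports <= PUBLIC_OK_PORTS else "ok"

def review_plan(plan):
    """Return (address, verdict) pairs for every aws_security_group_rule change in a
    plan dict: lost restricted rule, lost world-open rule, or new world-open rule."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group_rule":
            continue
        change = rc["change"]
        before, after = change.get("before") or {}, change.get("after") or {}
        if "delete" in change["actions"] and before.get("type") == "ingress":
            verdict = "exposure-removed" if classify_rule(before) == "world-open" else "access-interrupted"
            findings.append((rc["address"], verdict))
        if "create" in change["actions"] and after.get("type") == "ingress" and classify_rule(after) == "world-open":
            findings.append((rc["address"], "new-world-open-ingress"))
    return findings

def _rule(desc, frm, to, cidr):
    return {"type": "ingress", "protocol": "tcp", "description": desc, "from_port": frm, "to_port": to, "cidr_blocks": [cidr]}

def _change(address, actions, before=None, after=None):
    return {"address": address, "type": "aws_security_group_rule",
            "change": {"actions": actions, "before": before, "after": after}}

# Constructed plan fragment (hypothetical addresses) mirroring the three deleted rules
# in the PR, plus a replacement that would re-open PostgreSQL to the world.
SAMPLE_PLAN = {"resource_changes": [
    _change("module.web.aws_security_group_rule.https", ["delete"], before=_rule("HTTPS", 443, 443, "10.10.0.0/16")),
    _change("module.web.aws_security_group_rule.svc", ["delete"], before=_rule("User-service ports", 8080, 8090, "10.10.0.0/16")),
    _change("module.web.aws_security_group_rule.pg", ["delete"], before=_rule("Ingress Rule", 5432, 5432, "0.0.0.0/0")),
    _change("module.db.aws_security_group_rule.pg", ["create"], after=_rule("replacement", 5432, 5432, "0.0.0.0/0")),
]}

if __name__ == "__main__":
    for address, verdict in review_plan(SAMPLE_PLAN):
        print(f"{verdict:<24} {address}")
```

Feed it `terraform show -json tfplan` output (parsed with `json.load`) to get the same verdicts for a real plan.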

jameslaneovermind merged commit a477050 into main on Feb 29, 2024
2 checks passed
jameslaneovermind deleted the security_group branch on February 29, 2024 at 15:23