
Commit 1980d74

Protect platform security groups in permission boundary (#81)
## Summary

Adds `DenyPlatformSecurityGroups` to the developer permission boundary. Denies modify/delete operations on security groups named `javabin-*` (platform ALB and ECS tasks SGs). Teams can still create their own SGs (needed for RDS module — e.g., `moresleep-rds-sg`).

Addresses security review finding from #77: SG operations were removed from the team deny policy to support RDS. The boundary now protects platform SGs while allowing team SG creation.

## Test plan

- [ ] `terraform plan` shows boundary policy update
- [ ] Apply succeeds
- [ ] Team role cannot modify `javabin-alb-sg` or `javabin-ecs-tasks-sg`
- [ ] Team role can create `{app}-rds-sg` via expanded TF
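The deny-by-tag mechanism the commit message describes, as an added example that is not part of this repository's code: a minimal Python evaluator for a single explicit-Deny statement with a `StringLike` condition on `ec2:ResourceTag/Name`, run over constructed requests. It assumes `var.project` is `javabin` and uses placeholder values for the region and account id; the security group ids and tags are constructed. The last case shows the limit of the approach: a platform SG that lacks a `Name` tag is not covered, because the condition keys on the tag rather than on the group name.

```python
"""Added example: evaluate the DenyPlatformSecurityGroups boundary statement.

Constructed for illustration, not the repository's own code. Models only what
this one statement needs: an explicit Deny matched on Action, Resource and a
StringLike condition on the ec2:ResourceTag/Name key. var.project is assumed
to be "javabin"; region and account id are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

PROJECT = "javabin"            # assumed value of var.project
REGION = "eu-west-1"           # constructed placeholder for var.region
ACCOUNT_ID = "123456789012"    # constructed placeholder for var.aws_account_id

DENY_PLATFORM_SGS = {
    "Sid": "DenyPlatformSecurityGroups",
    "Effect": "Deny",
    "Action": [
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifySecurityGroupRules",
    ],
    "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:security-group/*",
    "Condition": {"StringLike": {"ec2:ResourceTag/Name": f"{PROJECT}-*"}},
}


@dataclass
class Request:
    """One API call as the policy evaluator sees it."""
    action: str
    resource_arn: str
    resource_tags: dict = field(default_factory=dict)


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_denies(stmt: dict, req: Request) -> bool:
    """True when this explicit Deny statement applies to the request."""
    if stmt["Effect"] != "Deny":
        return False
    # Action names are matched case-insensitively in IAM.
    if not any(iam_match(a.lower(), req.action.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(iam_match(r, req.resource_arn) for r in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, patterns in keys.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled here")
            tag_value = req.resource_tags.get(key.split("/", 1)[1])
            # A missing tag means the condition key is absent from the request
            # context, so the condition is not met and this Deny does not apply.
            if tag_value is None or not any(iam_match(p, tag_value) for p in _as_list(patterns)):
                return False
    return True


def sg_arn(sg_id: str) -> str:
    return f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:security-group/{sg_id}"


def evaluate_samples() -> dict:
    """Constructed requests covering the cases the commit message describes, plus one gap."""
    cases = {
        # Team role modifying the platform ALB SG: this statement denies it.
        "team_modifies_javabin_alb_sg": Request(
            "ec2:AuthorizeSecurityGroupIngress", sg_arn("sg-0a1b2c3d4e5f60001"),
            {"Name": "javabin-alb-sg"}),
        # Team role deleting the platform ECS tasks SG: denied.
        "team_deletes_javabin_ecs_tasks_sg": Request(
            "ec2:DeleteSecurityGroup", sg_arn("sg-0a1b2c3d4e5f60002"),
            {"Name": "javabin-ecs-tasks-sg"}),
        # Team role editing its own RDS SG: not denied by this statement.
        "team_modifies_moresleep_rds_sg": Request(
            "ec2:RevokeSecurityGroupEgress", sg_arn("sg-0a1b2c3d4e5f60003"),
            {"Name": "moresleep-rds-sg"}),
        # CreateSecurityGroup is not in the action list, so this statement
        # never matches it (the id is only shown for symmetry).
        "team_creates_sg": Request(
            "ec2:CreateSecurityGroup", sg_arn("sg-0a1b2c3d4e5f60004"), {}),
        # Gap: a platform SG whose Name tag is missing is not protected,
        # because the condition keys on the tag, not the group name.
        "untagged_platform_sg": Request(
            "ec2:DeleteSecurityGroup", sg_arn("sg-0a1b2c3d4e5f60005"), {}),
    }
    return {name: statement_denies(DENY_PLATFORM_SGS, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{name:40s} {'DENIED' if denied else 'not denied by this statement'}")
```

Running the file prints one line per constructed case. The evaluator deliberately models only one statement, so a "not denied" result means the boundary's other statements and the identity policy still decide the call; it is enough to show why the protection stands or falls with the `Name` tag on the platform groups.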
1 parent 2f0d261 commit 1980d74

1 file changed

Lines changed: 27 additions & 0 deletions


terraform/platform/iam/boundary.tf

@@ -157,6 +157,33 @@ resource "aws_iam_policy" "developer_boundary" {
157157
Resource = "*"
158158
},
159159

160+
########################################################################
161+
# Protect platform security groups
162+
#
163+
# Teams CAN create security groups (needed for RDS, custom services).
164+
# Teams CANNOT modify or delete platform-owned security groups.
165+
# Platform SGs are named javabin-* (e.g., javabin-alb-sg, javabin-ecs-tasks-sg).
166+
# App SGs use app-name prefix (e.g., moresleep-rds-sg).
167+
########################################################################
168+
{
169+
Sid = "DenyPlatformSecurityGroups"
170+
Effect = "Deny"
171+
Action = [
172+
"ec2:DeleteSecurityGroup",
173+
"ec2:AuthorizeSecurityGroupIngress",
174+
"ec2:RevokeSecurityGroupIngress",
175+
"ec2:AuthorizeSecurityGroupEgress",
176+
"ec2:RevokeSecurityGroupEgress",
177+
"ec2:ModifySecurityGroupRules",
178+
]
179+
Resource = "arn:aws:ec2:${var.region}:${var.aws_account_id}:security-group/*"
180+
Condition = {
181+
StringLike = {
182+
"ec2:ResourceTag/Name" = "${var.project}-*"
183+
}
184+
}
185+
},
186+
160187
########################################################################
161188
# Deny platform ECS cluster, ALB, ACM certs
162189
########################################################################
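Review bot: the condition `"ec2:ResourceTag/Name" = "${var.project}-*"` keys the deny on the security group's `Name` tag, not on its group name, so `javabin-alb-sg` and `javabin-ecs-tasks-sg` are only protected if those resources actually carry a `Name` tag matching `javabin-*`; confirm the platform SG resources set that tag, and consider adding `ec2:CreateTags` and `ec2:DeleteTags` to the denied actions under the same resource and condition, since a principal that may retag an SG could otherwise change or remove the `Name` tag and take the group out of this statement's scope. Two smaller points: the header comment says platform SGs are named `javabin-*` while the condition is written against `${var.project}-*`, so word the comment in terms of `var.project` to keep the two from drifting; and `ec2:UpdateSecurityGroupRuleDescriptionsIngress` / `ec2:UpdateSecurityGroupRuleDescriptionsEgress` are not in the action list, which is low impact but worth adding if the intent is full write protection.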
