diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
new file mode 100644
index 0000000..163e05c
--- /dev/null
+++ b/.github/workflows/security_audit.yml
@@ -0,0 +1,21 @@
+name: Security audit
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ push:
+ paths:
+ - '**/Cargo.toml'
+ - '**/Cargo.lock'
+jobs:
+ security_audit:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'aws-samples'
+ permissions:
+ issues: write
+ checks: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/deploy.sh b/deploy.sh
index 791d4ca..240a80b 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -23,8 +23,8 @@ fi
 printf "\n#################################################################################"
 printf "\n## Please ensure the IAM principal (IAM User or Role) you are using to execute ##"
-printf "\n## this installation script includes a \"network-perimeter-exception\" tag key ##"
-printf "\n## with a tag value of \"true\" or the installation will fail. ##"
+printf "\n## this installation script includes a \"dp:exclude:network\" tag key with a ##"
+printf "\n## tag value of \"true\" or the installation will fail. ##"
 printf "\n#################################################################################\n\n"
 
 STACK_PREFIX=nitro-vault
diff --git a/vault_template.yml b/vault_template.yml
index fafad3d..8bdb037 100644
--- a/vault_template.yml
+++ b/vault_template.yml
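Review bot: The `push` trigger in the new workflow filters only on `paths` and has no `branches` filter, so a push touching Cargo.toml or Cargo.lock on any branch runs the audit with `issues: write` and, on a finding, can file an advisory issue from work-in-progress branches. If advisory issues are only wanted for the default branch, add `branches: [<default-branch>]` under `push:` (placeholder — use the repository's actual default branch). The job-level `if: github.repository_owner == 'aws-samples'` carries no explanation; suggest `# run only in the upstream repository so forks do not get audit issues filed in them` above it. The file also ends without a trailing newline (`\ No newline at end of file`).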
@@ -624,7 +624,8 @@ Resources:
 Min: 8192
 VCpuCount:
 Min: 8
- ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64}}"
+ #ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-x86_64}}"
+ ImageId: ami-090e72bf33b5af2ec # al2023-ami-minimal-2023.6.20250317.2-kernel-6.1-x86_64
 MetadataOptions:
 HttpEndpoint: enabled
 HttpPutResponseHopLimit: 1
@@ -718,12 +719,20 @@ Resources:
 - AlarmNotification
 - ScheduledActions
 Properties:
+ AvailabilityZoneDistribution:
+ CapacityDistributionStrategy: balanced-only
+ AvailabilityZoneImpairmentPolicy:
+ ImpairedZoneHealthCheckBehavior: IgnoreUnhealthy
+ ZonalShiftEnabled: true
 CapacityRebalance: true
 Cooldown: 0 # zero seconds
 DefaultInstanceWarmup: 10 # seconds
 DesiredCapacity: 1
 HealthCheckType: ELB
 HealthCheckGracePeriod: 10 # seconds
+ InstanceMaintenancePolicy:
+ MaxHealthyPercentage: 200
+ MinHealthyPercentage: 100
 MaxInstanceLifetime: 86400 # recycle instances every day (in seconds)
 MaxSize: 2
 MinSize: 1
@@ -738,11 +747,12 @@ Resources:
 LaunchTemplateId: !Ref rLaunchTemplate
 Version: !GetAtt rLaunchTemplate.LatestVersionNumber
 NewInstancesProtectedFromScaleIn: false
+ SkipZonalShiftValidation: true
 TargetGroupARNs:
 - !Ref rTargetGroup
 TerminationPolicies:
 - OldestInstance
- - OldestLaunchConfiguration
+ - OldestLaunchTemplate
 VPCZoneIdentifier: !Ref pSubnetIds
 
 rLoadBalancer:
@@ -753,12 +763,15 @@ Resources:
 - id: W52
 reason: "Ignoring access logging"
 Properties:
+ EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: "off"
 IpAddressType: ipv4
 LoadBalancerAttributes:
 - Key: load_balancing.cross_zone.enabled
 Value: "false"
 - Key: dns_record.client_routing_policy
 Value: availability_zone_affinity
+ - Key: zonal_shift.config.enabled
+ Value: "true"
 Scheme: internal
 SecurityGroups:
 - !Ref rLoadBalancerSecurityGroup
diff --git a/vpc_template.yml b/vpc_template.yml
index ca979ae..0653f59 100644
--- a/vpc_template.yml
+++ b/vpc_template.yml
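Review bot: The `ImageId` change in the first hunk replaces the SSM `ami-amazon-linux-latest` alias with the hard-coded `ami-090e72bf33b5af2ec`, so the launch template stops picking up newer (patched) AL2023 images and, since AMI IDs are region-specific, the template can no longer launch in any other region. The only trace of the intent is the commented-out `#ImageId:` line, and it references a `kernel-6.12` image while the pinned AMI's trailing comment says `kernel-6.1`, so a reader cannot tell whether the pin is a temporary workaround or a policy. If the pin is deliberate, state it next to the value, e.g. `# Pinned AMI (<reason placeholder>): region-specific; re-pin on each AL2023 release`, and consider exposing it as a template parameter so it can be overridden per region. The enclosing launch template resource starts before and ends after this hunk.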
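Review bot: `ZonalShiftEnabled: true` with `ImpairedZoneHealthCheckBehavior: IgnoreUnhealthy` is added in the second hunk to a group whose context lines show `DesiredCapacity: 1` and `MinSize: 1`, so during an active shift the single instance in the impaired zone is left in place rather than replaced, and whether capacity is launched in the other zone is not visible from these lines. The same feature is wired up in the following two hunks (`SkipZonalShiftValidation: true` on the group and `zonal_shift.config.enabled` on the load balancer), yet none of the three carries a comment, unlike the neighbouring `Cooldown` and `HealthCheckGracePeriod` lines. Suggest one comment above `AvailabilityZoneImpairmentPolicy:` such as `# zonal shift: instances in an impaired AZ are not replaced; validation is skipped because the LB keeps cross-zone disabled`, so the dependency on `load_balancing.cross_zone.enabled` staying `"false"` is recorded. The enclosing `Properties` block starts before and ends after this hunk.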
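Review bot: `EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: "off"` in the last hunk means the inbound rules of `rLoadBalancerSecurityGroup` (listed under `SecurityGroups` in the context lines) are not evaluated for traffic that reaches this load balancer through PrivateLink, so if it is ever published as a VPC endpoint service, consumers bypass that security group entirely. Nothing in the hunk shows an endpoint service or the load balancer's `Type`, so the setting may currently be inert, but an explicit "off" on a security control deserves a reason next to it, e.g. `# "off": LB SG inbound rules are not applied to PrivateLink traffic; no endpoint service fronts this LB`, or `"on"` if one does. The `rLoadBalancer` Properties block continues past this hunk.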
@@ -249,6 +249,17 @@ Resources:
 - !Ref rPrivateRouteTable3 # EC2 Route Table
 - !Ref rPrivateRouteTable4 # EC2 Route Table
 ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-s3"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointS3
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Gateway
 VpcId: !Ref rVpc
 
@@ -271,6 +282,17 @@ Resources:
 - !Ref rPrivateRouteTable1 # Lambda Route Table
 - !Ref rPrivateRouteTable2 # Lambda Route Table
 ServiceName: !Sub "com.amazonaws.${AWS::Region}.dynamodb"
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-dynamodb"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointDynamoDB
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Gateway
 VpcId: !Ref rVpc
 
@@ -302,6 +324,17 @@ Resources:
 SubnetIds:
 - !Ref rPrivateSubnet1 # Lambda Subnet AZ1
 - !Ref rPrivateSubnet2 # Lambda Subnet AZ2
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-kms"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointKms
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Interface
 VpcId: !Ref rVpc
 
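Review bot: The `aws-cloudformation:logical-id` tag values (`rVpcEndpointS3`, `rVpcEndpointDynamoDB` and `rVpcEndpointKms` in these three hunks, and the Ssm, SsmMessages, Ec2Messages and CloudFormation endpoints in the hunks that follow) are hand-typed string literals with nothing tying them to the resource's real logical ID, which sits outside every hunk, so a later rename of a resource leaves a stale tag that no template validation catches. The five-tag block is otherwise repeated verbatim seven times with only the `Name` suffix and that literal changing. At minimum a comment above the first `Tags:` such as `# logical-id value must be kept equal to this resource's logical ID by hand; CloudFormation offers no intrinsic for it` would tell the next editor what has to stay in sync.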
@@ -331,6 +364,17 @@ Resources:
 SubnetIds:
 - !Ref rPrivateSubnet3 # EC2 Subnet AZ1
 - !Ref rPrivateSubnet4 # EC2 Subnet AZ2
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-ssm"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointSsm
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Interface
 VpcId: !Ref rVpc
 
@@ -360,6 +404,17 @@ Resources:
 SubnetIds:
 - !Ref rPrivateSubnet3 # EC2 Subnet AZ1
 - !Ref rPrivateSubnet4 # EC2 Subnet AZ2
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-ssmmessages"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointSsmMessages
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Interface
 VpcId: !Ref rVpc
 
@@ -389,6 +444,17 @@ Resources:
 SubnetIds:
 - !Ref rPrivateSubnet3 # EC2 Subnet AZ1
 - !Ref rPrivateSubnet4 # EC2 Subnet AZ2
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-ec2messages"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointEc2Messages
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Interface
 VpcId: !Ref rVpc
 
@@ -416,6 +482,17 @@ Resources:
 SubnetIds:
 - !Ref rPrivateSubnet3 # EC2 Subnet AZ1
 - !Ref rPrivateSubnet4 # EC2 Subnet AZ2
+ Tags:
+ - Key: Name
+ Value: !Sub "${pResourcePrefix}-vpce-cloudformation"
+ - Key: "aws-cloudformation:stack-name"
+ Value: !Ref "AWS::StackName"
+ - Key: "aws-cloudformation:stack-id"
+ Value: !Ref "AWS::StackId"
+ - Key: "aws-cloudformation:logical-id"
+ Value: rVpcEndpointCloudFormation
+ - Key: AppManagerCFNStackKey
+ Value: !Ref "AWS::StackName"
 VpcEndpointType: Interface
 VpcId: !Ref rVpc