
security: narrow internal ingress CIDR (JIRA-4521) #501

Open

dylanratcliffe wants to merge 1 commit into main from
security/jira-4521-narrow-internal-cidr-20260312-152153

Conversation

@dylanratcliffe
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

🔴 Change Signals

Routine 🔴 Ingress showing 5 events/week for the last 3 months, which is infrequent compared to typical patterns.


🔥 Risks

New external /32 on HTTPS expands direct internet access to a publicly addressed production EC2 instance (violates least‑privilege and internal policy) ‼️ High
The customer-api-access security group is being updated to allow TCP 443 from 203.0.113.120/32. This SG is attached to the production API server, which has a public Elastic IP (13.134.236.98), making it directly reachable from the internet. Adding this new CIDR expands which external hosts can connect straight to the instance, bypassing managed edge controls like ALB/WAF.

This widens the internet‑reachable attack surface on a production workload and remains non‑compliant with our policy that EC2 instances must not be directly reachable from the internet. It violates least‑privilege network segmentation per AWS Well‑Architected SEC05‑BP02 and increases the risk of unauthorized access if the newly allowed source is misused or compromised.

Narrowing sg-089e… to 10.0.0.0/16 will block NLB health checks from 10.50.0.0/16, leaving zero healthy targets ❗ Medium
The internal-services security group sg-089e5107637083db5 is narrowing ingress on ports 8080, 443, and 9090 from 10.0.0.0/8 to 10.0.0.0/16. The production-api-server at 10.0.101.121 (ENI eni-00082e40319faa161) attaches this group and is the sole IP target in the api-health-terraform-example target group behind the internal NLB mon-internal-terraform-example in VPC 10.50.0.0/16.

NLB health checks and traffic originate from the NLB nodes in 10.50.101.0/24 and 10.50.102.0/24, which will no longer match the narrowed 10.0.0.0/16 rule. As soon as this applies, connections from the NLB to 10.0.101.121:9090 will be rejected, the target will flip to unhealthy, and the NLB will have zero healthy targets. Any internal clients using the NLB endpoint will fail to connect, and monitoring or service-mesh traffic from the monitoring VPC (10.50.0.0/16) to ports 443/8080/9090 will be blocked, creating monitoring gaps and service disruption. This contravenes reliability expectations to maintain health-check reachability (REL11) and must be coordinated with explicit allowances for the monitoring/NLB subnets (SEC05-BP02).


🧠 Reasoning · ✖ 0 · ✔ 2

Expanded external ingress to TCP 443 from specific public IP increases attack surface

Observations 1

Hypothesis

Security group sg-03cf38efd953aa056 is being updated to allow inbound TCP 443 from external IP 203.0.113.120/32. This expands the Internet‑reachable attack surface to a specific host and may violate least‑privilege network segmentation if that address is not strictly controlled or required (e.g., could allow unintended access paths into workloads behind this SG). Ensure this IP is trusted, scoped to a well‑defined use case, and monitored, and that any dependent controls (WAF, IDS, logging) are adjusted accordingly. Related to AWS security best practice SEC05-BP02.

Investigation

Evidence Gathered

  • Reviewed organizational knowledge: aws-network-security (SEC05-BP02: least-privilege SG rules) and security-compliance-requirements (instances must not be directly reachable from the internet; combined public IP + open SG = critical severity).
  • Examined planned diffs: 540044833068.eu-west-2.ec2-security-group.sg-03cf38efd953aa056 adds cidr 203.0.113.120/32 on TCP 443 labeled "NewCo 20". Also noted a separate change narrowing internal SG sg-089e5107637083db5 from 10.0.0.0/8 to /16 (not related to external exposure).
  • Queried blast radius state:
    • SG sg-03cf38efd953aa056 (customer-api-access) currently allows many external CIDRs on port 443 and is tagged Environment=production.
    • This SG is attached to EC2 instance i-077b8eff98b7b44be (Name=production-api-server, Service=core-api) which has a public Elastic IP 13.134.236.98 and PublicDnsName ec2-13-134-236-98.eu-west-2.compute.amazonaws.com.
    • The NLB mon-internal-terraform-example is scheme=internal on port 9090 and does not mitigate external reachability to the instance.

Impact Assessment

  • Directly affected resources: 1 security group (customer-api-access) attached to 1 production EC2 instance (production-api-server) that has 1 public Elastic IP. The change expands the set of external sources permitted to reach the instance’s HTTPS service by adding 203.0.113.120/32.
  • Downstream/operational impact: The instance is directly reachable from the public internet on 443 from multiple external addresses; adding another /32 further increases the internet-reachable attack surface and maintains non-compliance with our Security & Compliance requirement that EC2 instances must not be directly reachable. Because traffic reaches the instance’s public IP, it can bypass edge protections that would apply at managed front doors (ALB/WAF/API Gateway). Any compromise or misuse of the newly allowed source expands potential exploit paths into a production workload.
  • Scope: Production environment; exposure limited to resources behind sg-03cf38efd953aa056 (at least the listed API server). The separate internal SG narrowing does not reduce this exposure.

Conclusion

Risk is real. The change explicitly adds a new external CIDR (203.0.113.120/32) to port 443 on a security group attached to a publicly addressed production EC2 instance, expanding direct internet access. This contradicts internal policy and the AWS Well-Architected SEC05-BP02 least-privilege guidance, increasing attack surface without evidence of compensating controls.

✔ Hypothesis proven


Ingress CIDR narrowing from 10.0.0.0/8 to 10.0.0.0/16 may block internal health checks and monitoring

Observations 9

Hypothesis

Multiple security groups are having ingress CIDRs narrowed from 10.0.0.0/8 to 10.0.0.0/16 on internal service ports (notably 8080, 443, 9090), including sg-089e5107637083db5. This significantly reduces the allowed internal source range and can block legitimate traffic from subnets, peered VPCs, or internal tooling that still use addresses in 10.0.0.0/8 but outside 10.0.0.0/16. Affected flows include load balancer and ELB health checks, Prometheus/monitoring scrapes, inter‑service HTTPS calls, and other operational probes, which may cause targets to be marked unhealthy, monitoring gaps, and service disruption. While this can improve network segmentation if planned, uncoordinated narrowing risks availability regressions and violates reliability and security best practices (e.g., REL02-BP01/BP03/BP04, SEC05-BP02) if dependencies are not updated to compatible CIDRs or alternative access patterns (VPC endpoints, VPN, transit gateway) are not in place.

Investigation

Evidence Gathered

  • Loaded organizational guidance for network security, high availability, and security compliance to check relevant best practices (SEC05-BP02, REL02/REL11 themes).
  • Reviewed the planned diffs for the changed security groups. sg-089e5107637083db5 (Name: internal-services) narrows ingress on ports 8080, 443, and 9090 from 10.0.0.0/8 to 10.0.0.0/16. sg-03cf38efd953aa056 only adds a new customer /32 on 443 and is unrelated to the narrowing.
  • Queried blast radius state:
    • EC2 instance i-077b8eff98b7b44be (Name: production-api-server) in VPC 10.0.0.0/16 (vpc-02901bcbb89561298) with ENI eni-00082e40319faa161 at 10.0.101.121 attaches sg-089e5107637083db5 and sg-03cf38efd953aa056.
    • Internal Network Load Balancer mon-internal-terraform-example in a separate VPC 10.50.0.0/16 (vpc-096b686376892bb49) with subnets 10.50.101.0/24 and 10.50.102.0/24 (ENI example: 10.50.102.66).
    • Target group api-health-terraform-example (TCP:9090, target type ip) points at 10.0.101.121:9090 and is currently healthy. NLB security groups are null (expected for NLB), so health checks and traffic originate from the NLB nodes’ IPs in 10.50.101.0/24 and 10.50.102.0/24.

Impact Assessment

  • Directly affected resources: 1 security group (sg-089e5107637083db5) attached to at least 1 production EC2 instance (i-077b8eff98b7b44be). 1 internal NLB and 1 target group depend on reaching this instance on port 9090. The NLB operates in two subnets (10.50.101.0/24, 10.50.102.0/24) within VPC 10.50.0.0/16.
  • What breaks: After narrowing to 10.0.0.0/16, the instance will block connections from 10.50.0.0/16 sources. NLB health checks and any forwarded traffic to 10.0.101.121:9090 will be denied. The target will transition from healthy to unhealthy, leaving zero healthy targets in api-health-terraform-example. Any clients using mon-internal-terraform-example to reach this service will fail to connect. Additionally, operational traffic from the monitoring VPC (10.50.0.0/16) to ports 443/8080/9090 on this instance will be blocked, creating monitoring blind spots and failed scrapes.
  • Scope: 1 NLB, 1 target group, and 1 known production instance in two VPCs are immediately impacted. Because sg-089e5107637083db5 is tagged Critical=true and appears shared for internal mesh/monitoring, other instances using this SG would also be impacted if present.

Conclusion

Risk is real. The change removes access for the NLB and monitoring sources in 10.50.0.0/16 without compensating rules, so health checks to 10.0.101.121:9090 will be blocked, driving the target to unhealthy and cutting off NLB-based access and monitoring.

✔ Hypothesis proven


💥 Blast Radius

Items 20

Edges 60


@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5


🔥 Risks Summary

High 1 · Medium 1 · Low 0


💥 Blast Radius

Items 20 · Edges 60


View full analysis in Overmind ↗
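Both findings above reduce to one mechanical question a reviewer can answer from the plan alone: after the rule change, which known flows are no longer covered, and does anything new reach the group from outside private address space? The block below is an added example of such a pre-merge check; it is not code from this PR or from Overmind. It uses the security-group IDs, ports and CIDRs quoted in the analysis. The dependency table (NLB node subnets on 9090, a monitoring scrape on 8080, in-VPC callers on 443) is a constructed stand-in for what the operator knows about the environment, and the existing customer-facing external CIDRs on sg-03cf38efd953aa056 are omitted because the page does not list them.

```python
"""Pre-merge security-group ingress check.

Added example, not code from the PR or from Overmind. Given the ingress
rules before and after a planned change it:
  1. lists newly added sources outside RFC 1918 space (a new path from the
     internet to whatever the group is attached to), and
  2. checks that every known dependent flow (NLB health checks, monitoring
     scrapes, in-VPC callers) is still permitted on the port it uses, and
     proposes the minimal explicit allowances for the flows that break.
The rule sets use the identifiers quoted in the PR discussion; the
dependency table is a constructed stand-in for operator knowledge.
"""
from dataclasses import dataclass
from ipaddress import ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    sg: str
    port: int
    cidr: str


@dataclass(frozen=True)
class Dependency:
    name: str
    sg: str
    port: int
    source: str  # CIDR the dependent traffic originates from


def is_rfc1918(cidr: str) -> bool:
    # Deliberately not ipaddress.is_private: that also returns True for
    # documentation ranges such as 203.0.113.0/24, which would hide the
    # very rule this check is meant to flag.
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def new_external_sources(before: set[Rule], after: set[Rule]) -> list[Rule]:
    """Rules added by the change whose source is not RFC 1918 space."""
    return sorted((r for r in after - before if not is_rfc1918(r.cidr)),
                  key=lambda r: (r.sg, r.port, r.cidr))


def permitted(rules: set[Rule], sg: str, port: int, source: str) -> bool:
    """True if a single rule on (sg, port) covers the whole source range."""
    src = ip_network(source, strict=False)
    return any(r.sg == sg and r.port == port
               and src.subnet_of(ip_network(r.cidr, strict=False))
               for r in rules)


def broken_dependencies(rules: set[Rule], deps: list[Dependency]) -> list[Dependency]:
    """Dependent flows that the given rule set no longer allows."""
    return [d for d in deps if not permitted(rules, d.sg, d.port, d.source)]


def with_allowances(rules: set[Rule], deps: list[Dependency]) -> set[Rule]:
    """`rules` plus one rule per broken dependency, scoped to exactly the
    dependent source and port rather than re-widening to /8."""
    fixed = set(rules)
    for d in broken_dependencies(rules, deps):
        fixed.add(Rule(d.sg, d.port, d.source))
    return fixed


INTERNAL_SG = "sg-089e5107637083db5"   # internal-services (from the PR)
CUSTOMER_SG = "sg-03cf38efd953aa056"   # customer-api-access (from the PR)
INTERNAL_PORTS = (8080, 443, 9090)

# Existing external CIDRs on the customer SG are not on the page; omitted.
BEFORE = {Rule(INTERNAL_SG, p, "10.0.0.0/8") for p in INTERNAL_PORTS}
AFTER = {Rule(INTERNAL_SG, p, "10.0.0.0/16") for p in INTERNAL_PORTS} | {
    Rule(CUSTOMER_SG, 443, "203.0.113.120/32"),   # the "NewCo 20" addition
}

# Constructed dependency table: the flows the PR discussion identifies.
DEPENDENCIES = [
    Dependency("nlb health check (subnet a)", INTERNAL_SG, 9090, "10.50.101.0/24"),
    Dependency("nlb health check (subnet b)", INTERNAL_SG, 9090, "10.50.102.0/24"),
    Dependency("monitoring scrape", INTERNAL_SG, 8080, "10.50.0.0/16"),
    Dependency("in-vpc service calls", INTERNAL_SG, 443, "10.0.0.0/16"),
]


def review(before=BEFORE, after=AFTER, deps=DEPENDENCIES) -> dict:
    """Everything a reviewer wants to see for this change, as one dict."""
    return {
        "new_external": new_external_sources(before, after),
        "broken_by_change": [d.name for d in broken_dependencies(after, deps)],
        "proposed_allowances": sorted(with_allowances(after, deps) - after,
                                      key=lambda r: (r.port, r.cidr)),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Run it as a script to print the report, or call review() from CI next to terraform plan. Two caveats: ipaddress.is_private is avoided on purpose because it treats the 203.0.113.0/24 documentation range as private and would hide the very rule the High finding is about; and permitted() requires a single rule to cover the whole dependent source, so a source deliberately split across several narrower rules is reported as broken (a false positive, never a false negative). The proposed allowances are scoped to the dependent subnets on the exact port instead of re-widening to /8, which is the explicit allowance for the monitoring/NLB subnets that the Medium finding asks for.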
