feat: filter DNS queries from the datasets VPC using the Route53 Fire…

…wall We don't know of any particular thing in the datasets VPC that allows users to make DNS queries, especially to unauthorised servers, so this is a defense in depth/just in case change. We are soon to put ArrangoDB in the dame VPC, so I think it makes sense to tighten things down as we increase the surface area otherwise. It is set to only allow queries to amazonaws.com domains, and block everything else. While we might be able to block it further in future, this is a step forward in terms of locking things down. In the notebooks VPC we have a similar setup, but with what is essentially our own custom firewall, written before the Route53 Firewall existed. If this goes well, potentially we could shut that down in favour of this for the notebooks VPC.
uktrade · May 30, 2024 · 4396548 · 4396548
1 parent 0e5abb6
commit 4396548
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/infra/vpc.tf b/infra/vpc.tf
@@ -314,6 +314,44 @@ resource "aws_vpc" "datasets" {
   }
 }
 
+resource "aws_route53_resolver_firewall_domain_list" "datasets_amazonaws" {
+  name    = "${var.prefix}-datasets-amazonaws"
+  domains = ["*.amazonaws.com."]
+}
+
+resource "aws_route53_resolver_firewall_domain_list" "datasets_all" {
+  name    = "${var.prefix}-datasets-all-domains"
+  domains = ["*."]
+}
+
+resource "aws_route53_resolver_firewall_rule_group" "datasets_allow_amazonaws_block_otherwise" {
+  name = "${var.prefix}-datasets-allow-amazonaws-block-otherwise"
+}
+
+resource "aws_route53_resolver_firewall_rule_group_association" "datasets_allow_amazonaws_block_otherwise" {
+  name                   = "${var.prefix}-datasets-allow-amazonaws-block-otherwise"
+  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.datasets_allow_amazonaws_block_otherwise.id
+  priority               = 1000
+  vpc_id                 = aws_vpc.datasets.id
+}
+
+resource "aws_route53_resolver_firewall_rule" "datasets_allow_amazonaws" {
+  name                    = "${var.prefix}-allow-amazonaws"
+  action                  = "ALLOW"
+  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.datasets_amazonaws.id
+  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.datasets_allow_amazonaws_block_otherwise.id
+  priority                = 100
+}
+
+resource "aws_route53_resolver_firewall_rule" "datasets_block_otherwise" {
+  name                    = "${var.prefix}-block-all"
+  action                  = "BLOCK"
+  block_response          = "NXDOMAIN"
+  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.datasets_all.id
+  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.datasets_allow_amazonaws_block_otherwise.id
+  priority                = 200
+}
+
 resource "aws_flow_log" "datasets" {
   log_destination_type = "s3"
   log_destination      = "arn:aws:s3:::flowlog-${data.aws_caller_identity.aws_caller_identity.account_id}/${aws_vpc.datasets.id}"