From 49c5332ca28d180e2db59619af3db43ced23c275 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 17 Mar 2026 22:24:46 +0100
Subject: [PATCH] Protect platform security groups in permission boundary

Add DenyPlatformSecurityGroups to the developer boundary: denies modify/delete on SGs named javabin-* (platform ALB and ECS tasks SGs). Teams can still create their own SGs (needed for RDS module).
---
 terraform/platform/iam/boundary.tf | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/terraform/platform/iam/boundary.tf b/terraform/platform/iam/boundary.tf
index 529f4c9..57fb82d 100644
--- a/terraform/platform/iam/boundary.tf
+++ b/terraform/platform/iam/boundary.tf
@@ -157,6 +157,33 @@ resource "aws_iam_policy" "developer_boundary" {
 Resource = "*"
 },
+ ########################################################################
+ # Protect platform security groups
+ #
+ # Teams CAN create security groups (needed for RDS, custom services).
+ # Teams CANNOT modify or delete platform-owned security groups.
+ # Platform SGs are named javabin-* (e.g., javabin-alb-sg, javabin-ecs-tasks-sg).
+ # App SGs use app-name prefix (e.g., moresleep-rds-sg).
+ ########################################################################
+ {
+ Sid = "DenyPlatformSecurityGroups"
+ Effect = "Deny"
+ Action = [
+ "ec2:DeleteSecurityGroup",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:ModifySecurityGroupRules",
+ ]
+ Resource = "arn:aws:ec2:${var.region}:${var.aws_account_id}:security-group/*"
+ Condition = {
+ StringLike = {
+ "ec2:ResourceTag/Name" = "${var.project}-*"
+ }
+ }
+ },
+
 ########################################################################
 # Deny platform ECS cluster, ALB, ACM certs
 ########################################################################
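Review bot: The new Deny is scoped by the `ec2:ResourceTag/Name` condition, so it holds only as long as developers cannot retag the protected groups; unless the boundary already denies `ec2:CreateTags`/`ec2:DeleteTags` on these security groups (not visible in this hunk), the `Name` tag can be cleared or rewritten and the subsequent rule edits are no longer matched by this statement. A companion statement with the same resource ARN and condition closes that gap; a sketch follows. The block comment says platform SGs are "named javabin-*", but the condition matches the `Name` tag rather than the group name, so a platform SG without that tag is unprotected — worth stating in the comment, e.g. `# Matching is on the Name tag: every platform SG must carry Name = javabin-*.`. The enclosing `developer_boundary` resource starts before and ends after this hunk.
```hcl
      # … unchanged: DenyPlatformSecurityGroups statement above …
      {
        Sid    = "DenyRetagPlatformSecurityGroups"
        Effect = "Deny"
        Action = [
          "ec2:CreateTags",
          "ec2:DeleteTags",
        ]
        Resource = "arn:aws:ec2:${var.region}:${var.aws_account_id}:security-group/*"
        Condition = {
          StringLike = {
            "ec2:ResourceTag/Name" = "${var.project}-*"
          }
        }
      },
```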