I would like to export the default security group id from a VPC I create. In CloudFormation I would reference the VPC return value of DefaultSecurityGroup, but how would I accomplish the same using the CDK?
The simplest way would be to use a findChild() call to access the CloudFormation CfnVpc object. It has the property you are looking for.
The resource is called "Resource":
https://github.com/awslabs/aws-cdk/blob/master/packages/%40aws-cdk/aws-ec2/lib/vpc.ts#L312
Can you tell us a little about what you're trying to achieve though, and why the existing SecurityGroup mechanisms aren't sufficient?
Can you elaborate on what you mean with the existing security group mechanisms? My understanding is, and forgive me if I am wrong, that you cannot specify the security group when you are creating your VPC. Because of that I have to work around the fact that the security group is created automatically when the VPC is created.
Regarding the reason as to why I need the exported output, please let me check my code tomorrow at work, and I will update you with information.
It's not that the existing security group mechanisms are insufficient, they are not. However, we expected the default security group to be readily available since it is created automatically and there is no way to prohibit it from being created (as far as I know).
What we were trying to accomplish here was simply to be able to use the default security group as a source in other security groups that we create.
My issue #1995 seems to be a dup of this. I tried the "escape hatch" workaround suggested by @rix0rrr :
```java
// Import an existing VPC by name from the CDK context ...
VpcNetworkProviderProps vpcProps = VpcNetworkProviderProps.builder()
        .withVpcName(CODEBUILD_VPC_NAME)
        .build();
IVpcNetwork vpc = VpcNetwork.importFromContext(stack, "Imported VPC", vpcProps);
// ... then try to reach the underlying CloudFormation resource via the escape hatch
CfnVPC cfnVPC = (CfnVPC) vpc.getNode().findChild("Resource");
```
but this doesn't seem to work either as I get a runtime error: Exception in thread "main" software.amazon.jsii.JsiiException: No child with path: 'Resource'
Just to be specific on the use case: when I'm creating an EFS file system mountpoint it requires I specify the security group ID associated with the subnet.
Still relevant, but not easy. The default security group is not created as part of CDK.
I misunderstood the question originally: someone wanting to do this can get the vpc.node.defaultChild, get the attribute they need with the default security group id, and SecurityGroup.fromSecurityGroupId() import it into their stack. But they really shouldn't use the default SG in the first place (and why would they save on them, SGs are free), so I'm not sure we should be making it easy.
Closing this, feel free to reopen if someone has a compelling use case.
Just about to (I think) bump into this. One use case I can see is that the CIS security benchmark for AWS dictates that all default security groups should restrict all traffic (control 4.3 - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#cis-4.3-remediation). To comply with that, it would be nice to configure the default security group as part of the CDK template.
I'll do some reading and find out whether (a) this is already possible as @rix0rrr says, or (b) needs to be added. Had to do something similar to retrieve the default IGW id, so hopefully this isn't too dissimilar.
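The defaultChild / fromSecurityGroupId route described above, plus the CIS 4.3 "restrict the default SG" use case, as one added example; this is not code from the thread or from the CDK project. It assumes the current CDK v2 Java API (software.amazon.awscdk.*, including the VpcProps restrictDefaultSecurityGroup option), and the class, construct ids and export name are placeholders.

```java
// Added example (not from the thread). Assumes CDK v2 Java API; DefaultSgStack,
// construct ids and the export name are placeholders chosen for illustration.
import software.amazon.awscdk.App;
import software.amazon.awscdk.CfnOutput;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.ec2.CfnVPC;
import software.amazon.awscdk.services.ec2.ISecurityGroup;
import software.amazon.awscdk.services.ec2.Port;
import software.amazon.awscdk.services.ec2.SecurityGroup;
import software.amazon.awscdk.services.ec2.Vpc;

public class DefaultSgStack extends Stack {
    public DefaultSgStack(final App scope, final String id) {
        super(scope, id);

        // CIS 4.3: have CDK strip every rule from the VPC's default security group at
        // deploy time (the default SG itself cannot be deleted, only emptied).
        Vpc vpc = Vpc.Builder.create(this, "Vpc")
                .maxAzs(2)
                .restrictDefaultSecurityGroup(true)
                .build();

        // The CloudFormation AWS::EC2::VPC resource is the construct's default child; its
        // DefaultSecurityGroup attribute is the value CloudFormation users !GetAtt.
        CfnVPC cfnVpc = (CfnVPC) vpc.getNode().getDefaultChild();
        String defaultSgId = cfnVpc.getAttrDefaultSecurityGroup();

        // Export it for other stacks, the CDK equivalent of an Outputs/Export entry.
        CfnOutput.Builder.create(this, "DefaultSgId")
                .value(defaultSgId)
                .exportName("MyVpcDefaultSgId")
                .build();

        // Import the default SG as an ISecurityGroup so it can act as a peer.
        ISecurityGroup defaultSg = SecurityGroup.fromSecurityGroupId(this, "DefaultSg", defaultSgId);

        // Allow NFS (EFS mount target port) only from members of the default SG,
        // instead of opening it to the whole VPC CIDR.
        SecurityGroup efsSg = SecurityGroup.Builder.create(this, "EfsSg").vpc(vpc).build();
        efsSg.addIngressRule(defaultSg, Port.tcp(2049), "NFS from default SG members");
    }

    public static void main(String[] args) {
        App app = new App();
        new DefaultSgStack(app, "DefaultSgStack");
        app.synth();
    }
}
```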