Skip to content

security: narrow internal ingress CIDR (JIRA-4521)#546

Closed
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260709-034759
Closed

security: narrow internal ingress CIDR (JIRA-4521)#546
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260709-034759

Conversation

@dylanratcliffe

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

[High Risk] Narrowing internal ingress to the local VPC CIDR will block cross-VPC clients on ports 443 and 9090

The internal-services security group on sg-089e5107637083db5, attached to the ENI serving 10.0.101.34, is narrowing ingress on ports 8080, 443, and 9090 from 10.0.0.0/8 to the local VPC CIDR 10.0.0.0/16. Blast-radius data shows the VPC itself is 10.0.0.0/16, so after this change only sources inside that VPC will match. The existing 9090 rule explicitly serves a regulated transaction feed for a fraud-detection consumer over cross-VPC peering, and AWS security-group behavior means peered clients from other 10.x CIDRs will be denied unless their CIDRs or security groups are added separately.

This will cut off cross-VPC private consumers, monitors, and internal tooling that currently rely on the broader 10.0.0.0/8 allowance while leaving same-VPC checks from 10.0.101.0/24 looking healthy. The result is silent loss of access on 443 and 9090, with the most serious impact on the transaction-feed path where fraud-ingestion clients outside 10.0.0.0/16 will fail to connect and may backlog or retry aggressively.
View reasoning tree here.

Signals

Routine → Multiple AWS SNS topic subscription resources showing unusual infrequent updates at 2 events/week for the last 5 months, with one related resource at 1 event/week for the last 3 months, which is rare compared to typical patterns.

Additional Change Details: Items 11 Edges 39 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

@dylanratcliffe dylanratcliffe deleted the security/jira-4521-narrow-internal-cidr-20260709-034759 branch July 9, 2026 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant