Skip to content

security: narrow internal ingress CIDR (JIRA-4521) [with knowledge file]#547

Closed
dylanratcliffe wants to merge 2 commits into
mainfrom
demo/cross-vpc-sg-narrowing-with-knowledge-20260709-034804
Closed

security: narrow internal ingress CIDR (JIRA-4521) [with knowledge file]#547
dylanratcliffe wants to merge 2 commits into
mainfrom
demo/cross-vpc-sg-narrowing-with-knowledge-20260709-034804

Conversation

@dylanratcliffe

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.
  • Adds .overmind/knowledge/cross-vpc-regulated-feed.md documenting the cross-VPC dependency this change affects.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

[High Risk] CIDR narrowing will block the fraud-detection VPC from the regulated feed and internal health paths

The internal-services security group on the production-api-server is narrowing ingress on ports 9090, 8080, and 443 from 10.0.0.0/8 to 10.0.0.0/16. The current rule is intentionally broad enough to include the fraud-detection VPC 10.50.0.0/16 over the fraud_detection_to_core peering connection; the knowledge file and current security group state both confirm that this is the approved path for the regulated transaction feed. After the change, that peered VPC will no longer match the source CIDR, so the instance at 10.0.101.34 will reject the fraud-detection side's connections.

This will cut off the live PCI-scoped feed on port 9090 to fraud-processor through the fraud-ingest NLB and txn-feed target group, causing fraud scoring to run on stale or cached data. Because the same CIDR narrowing also removes access on 8080 and 443, internal health and HTTPS paths from that peered environment will fail at the same time, which can drive unhealthy target status and failover or retry behavior for the internal consumers that rely on this cross-VPC path.
View reasoning tree here.

Caution

[High Risk] Narrowing the port 9090 ingress CIDR will block the approved fraud-detection feed path and expose a PCI-violating public-endpoint fallback

The change to 540044833068.eu-west-2.ec2-security-group.sg-089e5107637083db5 narrows the internal-services ingress CIDR from 10.0.0.0/8 to 10.0.0.0/16 on port 9090, which removes the fraud-detection VPC 10.50.0.0/16 from the allowed source range. The current production API server at private IP 10.0.101.34 serves the regulated transaction feed through this security group, and the txn-feed target is currently healthy on 10.0.101.34:9090, so this is an active dependency, not a theoretical one.

Once applied, the approved peering path from fraud-detection to the feed will be blocked. Because the same API server also has a public endpoint (13.134.236.98 / ec2-13-134-236-98.eu-west-2.compute.amazonaws.com), any fraud-processor fallback or endpoint discovery that switches to the public address would move PCI-scoped transaction data off the private peered path and onto the public internet. That is a PCI network-segmentation violation rather than a harmless degradation, and if no fallback occurs the fraud-detection service will lose the live feed entirely.
View reasoning tree here.

Signals

Routine → Multiple AWS SNS topic subscription resources showing unusual infrequent updates at 2 events/week for the last 5 months, with one related resource at 1 event/week for the last 3 months, which is rare compared to typical patterns.

Additional Change Details: Items 13 Edges 39 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

@dylanratcliffe dylanratcliffe deleted the demo/cross-vpc-sg-narrowing-with-knowledge-20260709-034804 branch July 9, 2026 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant