Skip to content

security: narrow internal ingress CIDR (JIRA-4521)#548

Closed
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260709-155221
Closed

security: narrow internal ingress CIDR (JIRA-4521)#548
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260709-155221

Conversation

@dylanratcliffe

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

[High Risk] Cross-VPC fraud-ingest traffic to the 9090 backend will be blocked by the narrowed security-group CIDR

The change narrows ingress on the shared internal-services security group from 10.0.0.0/8 to 10.0.0.0/16 for ports 8080, 443, and 9090. That security group is attached to the production API instance at 10.0.101.34, and the blast radius shows this instance is the healthy backend for the txn-feed-terraform-example target group on port 9090. The load balancer and its subnets are in a different VPC with CIDR 10.50.0.0/16, so its source addresses are currently permitted by 10.0.0.0/8 but will be excluded by 10.0.0.0/16.

Once applied, traffic from the fraud-detection VPC to 10.0.101.34:9090 will be blocked at the instance security group. That will cause the NLB target’s health checks and data-plane connections to fail, making the registered backend unhealthy and breaking the internal fraud-ingest / regulated transaction feed path for cross-VPC consumers.
View reasoning tree here.

Signals

Routine → Multiple AWS SNS topic subscription resources showing unusual infrequent updates at 2 events/week for the last 5 months, with one related resource at 1 event/week for the last 3 months, which is rare compared to typical patterns.

Additional Change Details: Items 23 Edges 64 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

@dylanratcliffe dylanratcliffe deleted the security/jira-4521-narrow-internal-cidr-20260709-155221 branch July 9, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant