AWSTemplateFormatVersion: '2010-09-09' Description: Security Group Parameters: VpcID: Type: AWS::EC2::VPC::Id Description: VPC Id Resources: # Redis SG RedisSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to Elasticache cluster VpcId: !Ref VpcID # SecurityGroupEgress: # - IpProtocol: tcp # CidrIp: 0.0.0.0/0 Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: egress rule not support exhaustive port for outbound traffic RedisSecurityGroupIngressOrigin: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Access to Redis from the Origin GroupId: !Ref RedisSecurityGroup SourceSecurityGroupId: !Ref OriginContainerSecurityGroup IpProtocol: '-1' RedisSecurityGroupIngressServer: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Access to Redis from the Server GroupId: !Ref RedisSecurityGroup SourceSecurityGroupId: !Ref ServerContainerSecurityGroup IpProtocol: '-1' # Media Server SG ServerLoadBalancerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref VpcID GroupDescription: Access to the server Load Balancer SecurityGroupIngress: - IpProtocol: tcp FromPort: 1935 ToPort: 1935 CidrIp: 0.0.0.0/0 # SecurityGroupEgress: # - IpProtocol: tcp # CidrIp: 0.0.0.0/0 Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: egress rule not support exhaustive port for outbound traffic # Media Container SG ServerContainerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the Server containers VpcId: !Ref VpcID SecurityGroupIngress: - IpProtocol: tcp FromPort: 1935 ToPort: 1935 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 8000 ToPort: 8000 CidrIp: 0.0.0.0/0 # SecurityGroupEgress: # - IpProtocol: tcp # CidrIp: 0.0.0.0/0 Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: egress rule not support exhaustive port for outbound traffic ServerSecurityGroupIngressLoadBalancer: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Access to the Server from the Load Balancer GroupId: !Ref ServerContainerSecurityGroup SourceSecurityGroupId: !Ref ServerLoadBalancerSecurityGroup IpProtocol: '-1' ServerSecurityGroupIngressProxy: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Access to the Server from the Proxy GroupId: !Ref ServerContainerSecurityGroup SourceSecurityGroupId: !Ref ProxyContainerSecurityGroup IpProtocol: '-1' ServerSecurityGroupIngressOrigin: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Access to the Server from the Origin GroupId: !Ref ServerContainerSecurityGroup SourceSecurityGroupId: !Ref OriginContainerSecurityGroup IpProtocol: '-1' ServerSecurityGroupIngressProcessor: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Access to the Server from the Process GroupId: !Ref ServerContainerSecurityGroup SourceSecurityGroupId: !Ref ServerContainerSecurityGroup IpProtocol: '-1' # Origin SG OriginLoadBalancerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref VpcID GroupDescription: Access to the Origin Load Balancer SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 # SecurityGroupEgress: # - IpProtocol: tcp # CidrIp: 0.0.0.0/0 Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: egress rule not support exhaustive port for outbound traffic OriginContainerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the Origin containers VpcId: !Ref VpcID SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: !Ref OriginLoadBalancerSecurityGroup # SecurityGroupEgress: # - IpProtocol: tcp # CidrIp: 0.0.0.0/0 Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: egress rule not support exhaustive port for outbound traffic # Proxy SG ProxyContainerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the Proxy containers VpcId: !Ref VpcID SecurityGroupIngress: - IpProtocol: tcp FromPort: 1935 ToPort: 1935 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 3000 ToPort: 3000 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 8080 ToPort: 8080 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 # SecurityGroupEgress: # - IpProtocol: tcp # CidrIp: 0.0.0.0/0 Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: egress rule not support exhaustive port for outbound traffic Outputs: RedisSecurityGroup: Value: !Ref 'RedisSecurityGroup' Export: Name: 'SecurityGroup-RedisSecurityGroup' ServerLoadBalancerSecurityGroup: Value: !Ref 'ServerLoadBalancerSecurityGroup' Export: Name: 'SecurityGroup-ServerLoadBalancerSecurityGroup' OriginLoadBalancerSecurityGroup: Value: !Ref 'OriginLoadBalancerSecurityGroup' Export: Name: 'SecurityGroup-OriginLoadBalancerSecurityGroup' OriginContainerSecurityGroup: Value: !Ref 'OriginContainerSecurityGroup' Export: Name: 'SecurityGroup-OriginContainerSecurityGroup' ProxyContainerSecurityGroup: Value: !Ref 'ProxyContainerSecurityGroup' Export: Name: 'SecurityGroup-ProxyContainerSecurityGroup' ServerContainerSecurityGroup: Value: !Ref 'ServerContainerSecurityGroup' Export: Name: 'SecurityGroup-ServerContainerSecurityGroup'