This module locks down specified outgoing IP addresses on a Linux server so that only specific OS users can reach them.
The main motivation for locking down EC2 metadata is as follows: the EC2 metadata endpoint hands out the credentials needed to assume the IAM role associated with the EC2 instance, and with them every permission that role grants. Locking the metadata down to, for example, only the root user ensures that if a hacker breaks into your server as an unprivileged user, they cannot get the full power of the IAM role.
This module has been tested specifically on Ubuntu, but will probably work on any Debian-based distribution that uses iptables.
Example
In the example below we restrict access to the EC2 instance metadata endpoint to the users foo, bar and root. All other users on the instance are blocked from reaching it.

```shell
./ip-lockdown 169.254.169.254 foo bar root
```

Normally a user makes a curl call to the metadata endpoint to fetch data such as the AWS region or the credentials for this EC2 instance's IAM role. After ip-lockdown has run, only the users foo, bar and root can query that data.
The complete example of using terraform to deploy a generated AMI into your AWS account and automatically invoke ip-lockdown from the User Data is also available in the examples folder.
| Argument | Description | Required | Example |
| --- | --- | --- | --- |
| IP address | IP address that will be locked down (outgoing access will be disabled) for all but the users specified in the subsequent `[<USER> ...]` arguments | Required | 169.254.169.254 |
| USER | Space-separated whitelist of users who will be allowed outgoing access to the specified IP address | Optional | root (or any other OS user name) |
How do you use this module?
This script inserts the rules needed so that only the specified users can access the locked-down IPs.

- It will NOT modify your existing rules.
- It will NOT add multiple identical rules if you keep running the script (it is idempotent).
- It will automatically add rules at the correct rule index if you choose to add more users or more IP addresses later.
General iptables overview
The ip-lockdown script uses iptables under the hood. iptables works by defining rules that are applied to each outgoing packet. The rules are evaluated in order (run `sudo iptables -L --line-numbers` to see your current rules along with their rule indices).

To block access to a specific IP address for all but a specific user you need two rules:

1. A rule to ALLOW packets going to YYY owned by user foo
2. A rule to BLOCK packets going to YYY

The order of the rules matters: iptables walks the rule list until it finds a matching rule, and as soon as one matches, none of the subsequent rules are evaluated. In the example above, reversing the two rules would block all access to YYY, even though a later rule allows foo to access it.
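The rule pair above and the idempotency guarantees from the usage section, worked through as an added example (not the ip-lockdown script's own code): `lockdown_rules` renders the per-user ACCEPT rules followed by the catch-all DROP, `apply_lockdown` inserts them with `iptables -C` checks so re-runs add nothing, and `check_rule_order` audits an `iptables -S OUTPUT` listing for the reversed-order mistake. The function names, and the two sample listings, are the editor's constructions.

```shell
#!/usr/bin/env bash
# Added example, not the ip-lockdown script's own code. Builds the per-user
# ACCEPT + catch-all DROP rule pair, applies it idempotently, and audits an
# existing rule listing for the ordering mistake described above.
set -eu

# Render the rule specs for one locked-down IP and its user whitelist, one per
# line, in the order they must hold in the OUTPUT chain: every owner-match
# ACCEPT first, the unconditional DROP last.
lockdown_rules() {
  ip="$1"; shift
  for user in "$@"; do
    printf 'OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$ip" "$user"
  done
  printf 'OUTPUT -d %s -j DROP\n' "$ip"
}

# Apply the rules to the live firewall. `iptables -C` tests whether an
# identical rule already exists, so re-running adds nothing. ACCEPT rules go
# in at index 1 of OUTPUT and the DROP is appended, which keeps every allow
# ahead of the block no matter how many users are added later. Needs root;
# the stand-alone run below only calls this when --apply is given.
apply_lockdown() {
  ip="$1"; shift
  for user in "$@"; do
    iptables -C OUTPUT -d "$ip" -m owner --uid-owner "$user" -j ACCEPT 2>/dev/null \
      || iptables -I OUTPUT 1 -d "$ip" -m owner --uid-owner "$user" -j ACCEPT
  done
  iptables -C OUTPUT -d "$ip" -j DROP 2>/dev/null \
    || iptables -A OUTPUT -d "$ip" -j DROP
}

# Audit: read `iptables -S OUTPUT` output on stdin and return 0 only if a DROP
# for the IP exists and no owner-ACCEPT for that IP appears after it (the
# reversed order would silently block the whitelisted users as well).
check_rule_order() {
  awk -v ip="$1" '
    index($0, "-d " ip "/32 ") || index($0, "-d " ip " ") {
      if ($0 ~ /--uid-owner/ && $0 ~ /-j ACCEPT/) { if (drop_seen) bad = 1 }
      else if ($0 ~ /-j DROP/) drop_seen = 1
    }
    END { exit (bad || !drop_seen) ? 1 : 0 }'
}

# Constructed sample listings in `iptables -S OUTPUT` format (not captured
# from a real host). SAMPLE_GOOD has the allows before the drop; SAMPLE_BAD
# has the order reversed.
SAMPLE_GOOD='-P OUTPUT ACCEPT
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -d 169.254.169.254/32 -j DROP'
SAMPLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -d 169.254.169.254/32 -j DROP
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 1001 -j ACCEPT'

# Stand-alone run: print the rule set and audit both samples. Run as root
# with --apply to write the rules to the real firewall instead.
if [ "${1:-}" = "--apply" ]; then
  apply_lockdown 169.254.169.254 foo bar root
else
  lockdown_rules 169.254.169.254 foo bar root
  if printf '%s\n' "$SAMPLE_GOOD" | check_rule_order 169.254.169.254; then
    echo "SAMPLE_GOOD: ordering OK"
  fi
  if ! printf '%s\n' "$SAMPLE_BAD" | check_rule_order 169.254.169.254; then
    echo "SAMPLE_BAD: ordering WRONG or DROP missing"
  fi
fi
```

Two things worth keeping in mind when reading a live listing: the owner match only applies to locally generated packets, so these rules belong in the OUTPUT chain, and iptables resolves user names to numeric UIDs at insert time, which is why `iptables -S` shows `--uid-owner 0` rather than `root`. The rules also live only in kernel memory, so they must be re-applied at boot (which is what running ip-lockdown from User Data achieves).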
Why not use groups?
In an ideal scenario, rather than adding one allow rule per user, we would create a new canAccessIP group, add the required users to it, and then need only two iptables rules to manage access.

Unfortunately iptables has the limitation that its group match compares only the primary group of the user, not all of the groups the user belongs to. This limitation is why the ip-lockdown script creates one rule per user: we do not want to change each user's primary group, in case that breaks some other process.
For references on this limitation, see the following:
f8e65d6be4a2bff26283"},{"name":"string.go","path":"modules/ssh-grunt/src/string.go","sha":"fc61ca9625f9d654c2b3576ff932db1b90ae9dfe"},{"name":"string_test.go","path":"modules/ssh-grunt/src/string_test.go","sha":"a51e495942cd4364b1b2a511fa68fc4b1dde1237"},{"name":"sync.go","path":"modules/ssh-grunt/src/sync.go","sha":"b5d5bdbc0c1b52fa0008190eb3f97bc99109c3dd"},{"name":"sync_test.go","path":"modules/ssh-grunt/src/sync_test.go","sha":"f0a46bd471c56bde16cb822f8281e975c8aec848"},{"name":"url.go","path":"modules/ssh-grunt/src/url.go","sha":"12ff56939763979f94a8cb6dc35c9775ce0d3474"},{"name":"url_test.go","path":"modules/ssh-grunt/src/url_test.go","sha":"fe77a4563549dc6e0148452c1b03f19b6c0d9dcc"},{"name":"users.go","path":"modules/ssh-grunt/src/users.go","sha":"a40c2d3f26f69a93dac83da731a2407d1b89a083"},{"name":"users_test.go","path":"modules/ssh-grunt/src/users_test.go","sha":"3473766223be802090c695568e696149442ce112"}]}]},{"name":"ssh-iam","children":[{"name":"README.md","path":"modules/ssh-iam/README.md","sha":"4aa06d6a729e53384b6d2a43c06ee38807092f32"}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"modules/ssm-healthchecks-iam-permissions/README.md","sha":"005260025ae51ed9e13f1b6c6f9d737a02d5db68"},{"name":"main.tf","path":"modules/ssm-healthchecks-iam-permissions/main.tf","sha":"6b6b91fa59bc86de7521264ff34217cc88ae3842"},{"name":"vars.tf","path":"modules/ssm-healthchecks-iam-permissions/vars.tf","sha":"731aa1c2f275f723272114ef0357a8c3a246b47e"}]},{"name":"tls-cert-private","children":[{"name":"Dockerfile","path":"modules/tls-cert-private/Dockerfile","sha":"028aa72d434cf4bf28dff92d293e35a85b19fcf0"},{"name":"README.md","path":"modules/tls-cert-private/README.md","sha":"c6996ec25d7d9b1ab4f79d8164a14e86e1ac844f"},{"name":"docker-compose.yml","path":"modules/tls-cert-private/docker-compose.yml","sha":"f872026e8d51ceaab2e1c11cc9cf9c35ba81f29c"},{"name":"files","children":[{"name":"openssl.cnf","path":"modules/tls-cert-private/files/ope
nssl.cnf","sha":"2542542c80ab180c47d3e0a27dbded65bed572de"}]},{"name":"scripts","children":[{"name":"generate-ca-keypair.sh","path":"modules/tls-cert-private/scripts/generate-ca-keypair.sh","sha":"395ee97c0e499c660efac5c5cf1f79dfcdbb69f8"},{"name":"generate-tls-keypair.sh","path":"modules/tls-cert-private/scripts/generate-tls-keypair.sh","sha":"f1c3577437fd589087704a9c003de416cb87d232"},{"name":"main.sh","path":"modules/tls-cert-private/scripts/main.sh","sha":"dc7af965ffb783bbef449010818e69294fa2ef75"}]}]}],"toggled":true},{"name":"test","children":[{"name":"Gopkg.lock","path":"test/Gopkg.lock","sha":"551944ad10e882e62590a33f90f60e480be80d4a"},{"name":"Gopkg.toml","path":"test/Gopkg.toml","sha":"b1dfa116f26fb4b7d7fe6a524e1b5bb074f67365"},{"name":"README.md","path":"test/README.md","sha":"62b43a1b4268805a0a1fdcecd51f4068b07d37b1"},{"name":"auto_update_test.go","path":"test/auto_update_test.go","sha":"1d2a5906849c2ae62c65c0c5ce42a9ba20201f82"},{"name":"aws_config_test.go","path":"test/aws_config_test.go","sha":"df32a8831f033d011743adbc70a679a287f8d899"},{"name":"aws_organizations_config_rules_test.go","path":"test/aws_organizations_config_rules_test.go","sha":"873b1ea607fe800910a02aa5b5d72e1709e3d724"},{"name":"aws_organizations_test.go","path":"test/aws_organizations_test.go","sha":"2eead85751ec47bd1008b795621fa5cff4a2a262"},{"name":"cloudtrail_test.go","path":"test/cloudtrail_test.go","sha":"bfd0e35b8f08e14a55026de1e72a97e6e7f15342"},{"name":"cross_account_iam_roles_test.go","path":"test/cross_account_iam_roles_test.go","sha":"b7dd54b59acb03cb0c5a7581e15de61f4b901c36"},{"name":"custom_iam_entity_test.go","path":"test/custom_iam_entity_test.go","sha":"390cace437fd609e2ad5d81c77d7ffacb0d7555e"},{"name":"fail2ban_test.go","path":"test/fail2ban_test.go","sha":"ac5c2f060a8aefc96d6ddd60630b6c8826182dfc"},{"name":"guardduty_test.go","path":"test/guardduty_test.go","sha":"73372ee85a4f78efd307d9a6d08fd09f41d781ed"},{"name":"iam_groups_test.go","path":"test/iam_groups_test.go
","sha":"21d66e7dcdf43cb7725be7ed4c7c8c7eb34dab79"},{"name":"iam_ssm_test.go","path":"test/iam_ssm_test.go","sha":"48e1870a8882f4ad88bd5fb7fb018b33baee82a6"},{"name":"iam_user_password_policy_test.go","path":"test/iam_user_password_policy_test.go","sha":"1fb35eea4e93bd26aad51804094dda325a4893b0"},{"name":"iam_users_test.go","path":"test/iam_users_test.go","sha":"e4934196d3df5d2a506b92fcae3f65b6309eebb8"},{"name":"ip-lockdown-test-scripts","children":[{"name":"allow-several-users.sh","path":"test/ip-lockdown-test-scripts/allow-several-users.sh","sha":"2f75dbe0880ed0907b43db58b6ac030a0d0e9bd4"},{"name":"common.sh","path":"test/ip-lockdown-test-scripts/common.sh","sha":"cdfe11aca76607a4feaf254a394f32273b738c5c"},{"name":"index.html","path":"test/ip-lockdown-test-scripts/index.html","sha":"557db03de997c86a4a028e1ebd3a1ceb225be238"},{"name":"restrict-all-users.sh","path":"test/ip-lockdown-test-scripts/restrict-all-users.sh","sha":"a37c1ffc90f2532e7cc3f9f5a859b75c98661dc6"},{"name":"restrict-one-user.sh","path":"test/ip-lockdown-test-scripts/restrict-one-user.sh","sha":"4214e1c15102f4568d1e995aa82add46ee430237"},{"name":"sanity-check.sh","path":"test/ip-lockdown-test-scripts/sanity-check.sh","sha":"542ed72f4f0952ace67c9cbf2e5ac07e81e6870c"}]},{"name":"ip_lockdown_test.go","path":"test/ip_lockdown_test.go","sha":"8a523ee4446d8f114647bbe76102cf3b755e30d4"},{"name":"kms_master_key_test.go","path":"test/kms_master_key_test.go","sha":"f372cb4e061299de80e2d9b1594d3cd7aa5cf88b"},{"name":"ntp_test.go","path":"test/ntp_test.go","sha":"e4ec90a5d39ed012b87a32d5b0b27b299cd746e8"},{"name":"os_hardening_test.go","path":"test/os_hardening_test.go","sha":"d7b1de96445a8474e323bcde272c909379d11a10"},{"name":"saml_iam_roles_test.go","path":"test/saml_iam_roles_test.go","sha":"78ec14c02892e1cb3d7b5e36756bca532ae27dd2"},{"name":"ssh_grunt_houston_test.go","path":"test/ssh_grunt_houston_test.go","sha":"b8b4d0786e13432f86745acc8e4ae468561c17a7"},{"name":"ssh_grunt_iam_test.go","path":"test/ssh_
grunt_iam_test.go","sha":"30c2bf25c90aef2a0f22cf5ed789af9e45e6c86e"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"018ca09c9888db5325fefb9774bad0b5f14670a0"},{"name":"test_helpers_aws_auth.go","path":"test/test_helpers_aws_auth.go","sha":"5be2449c8274695a1f27c235f4c70cbb2416b591"},{"name":"tls_cert_private_test.go","path":"test/tls_cert_private_test.go","sha":"5696a2f5113288b1d4da4327c2a44137ad662ecd"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"ip-lockdown-module\">ip-lockdown Module</h1><div class=\"preview__body--border\"></div><p>This module can lock down specified outgoing ip addresses on a Linux server such that only specific OS users can access them.\nThe main motivation for locking down EC2 metadata is as follows:</p>\n<ol>\n<li>EC2 metadata gives you the credentials you need to assume any IAM role associated with the EC2 instance, and thereby, get all the permissions available in that IAM role.</li>\n<li>Locking down the metadata to, for example, only the root user, makes sure that if a hacker breaks into your server with a privileged user, they cannot get the full power of the IAM role.</li>\n</ol>\n<p>This module has been tested specifically with Ubuntu, but will probably work with any Debian distribution that uses <a href=\"http://ipset.netfilter.org/iptables.man.html\" class=\"preview__body--description--blue\" target=\"_blank\">iptables</a>.</p>\n<h4 id=\"example\">Example</h4>\n<p>In the example below we restrict access to <a href=\"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html\" class=\"preview__body--description--blue\" target=\"_blank\">ec2-instance-metadata endpoint</a> to the users <code>foo</code>, <code>bar</code> and <code>root</code>. 
All other users on the instance will be blocked from access.</p>\n<p><code>./ip-lockdown 169.254.169.254 foo bar root</code></p>\n<p>Normally users make a <code>curl</code> call to get metadata like the AWS region or credentials associated with this EC2 Instance's IAM Role. Following the invocation of ip-lockdown, only users foo, bar, and root can query that data.</p>\n<p>The complete example of using terraform to deploy a generated AMI into your AWS account and automatically invoke <code>ip-lockdown</code> from the <code>User Data</code> is also available in the <a href=\"/repos/v0.25.1/module-security/examples/ip-lockdown/aws-example\" class=\"preview__body--description--blue\">examples</a> folder.</p>\n<h4 id=\"installation\">Installation</h4>\n<p>To use this module, you just need to:</p>\n<ol>\n<li>Install <a href=\"/repos/bash-commons\" class=\"preview__body--description--blue\">bash-commons</a> on your servers.</li>\n<li>Install the <code>ip-lockdown</code> script on your servers.</li>\n</ol>\n<p>The best way to do that is to use the <a href=\"/repos/gruntwork-installer\" class=\"preview__body--description--blue\">Gruntwork Installer</a> in a\n<a href=\"https://www.packer.io/\" class=\"preview__body--description--blue\" target=\"_blank\">Packer</a> template (make sure to replace <code><BASH_COMMONS_VERSION></code> and\n<code><MODULE_SECURITY_VERSION></code> below with the latest versions from the <a href=\"#open_modal\" class=\"preview__body--description--blue\">bash-commons releases\npage</a> and <a href=\"#open_modal\" class=\"preview__body--description--blue\">module-security releases\npage</a>, respectively):</p>\n<pre>gruntwork-install --<span class=\"hljs-class\"><span class=\"hljs-keyword\">module</span>-<span class=\"hljs-title\">name</span> <span class=\"hljs-title\">bash</span>-<span class=\"hljs-title\">commons</span> --<span class=\"hljs-title\">tag</span> <BASH_COMMONS_VERSION> --<span class=\"hljs-title\">repo</span> <span 
class=\"hljs-title\">https</span>://<span class=\"hljs-title\">github</span>.<span class=\"hljs-title\">com</span>/<span class=\"hljs-title\">gruntwork</span>-<span class=\"hljs-title\">io</span>/<span class=\"hljs-title\">bash</span>-<span class=\"hljs-title\">commons</span></span>\ngruntwork-install --<span class=\"hljs-class\"><span class=\"hljs-keyword\">module</span>-<span class=\"hljs-title\">name</span> <span class=\"hljs-title\">ip</span>-<span class=\"hljs-title\">lockdown</span> --<span class=\"hljs-title\">tag</span> <MODULE_SECURITY_VERSION> --<span class=\"hljs-title\">repo</span> <span class=\"hljs-title\">https</span>://<span class=\"hljs-title\">github</span>.<span class=\"hljs-title\">com</span>/<span class=\"hljs-title\">gruntwork</span>-<span class=\"hljs-title\">io</span>/<span class=\"hljs-title\">module</span>-<span class=\"hljs-title\">security</span></span>\n</pre>\n<table>\n<thead>\n<tr>\n<th>Option</th>\n<th>Description</th>\n<th>Required</th>\n<th>Example</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>IP</td>\n<td>IP address that will be locked down (outgoing access will be disabled) for all <em>but</em> the users specified in subequent <code>[<USER> ... 
]]</code> arguments</td>\n<td>Required</td>\n<td>169.254.169.254</td>\n</tr>\n<tr>\n<td>USER</td>\n<td>Space separated whitelist of users who will be allowed outgoing access to specified ip address</td>\n<td>Optional</td>\n<td>root (or any other OS user name)</td>\n</tr>\n</tbody>\n</table>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<p>This script will insert the necessary rules to achieve the proper end result of only allowing the specified users to access the locked ips.</p>\n<ul>\n<li>It will <strong>NOT</strong> modify your existing rules</li>\n<li>It will <strong>NOT</strong> add multiple identical rules if you keep running the script (it is idempotent)</li>\n<li>It will automatically add rules at the correct rule index if you chose to add more users later or to add more IP addresses later.</li>\n</ul>\n<h4 id=\"general-iptables-overview\">General iptables overview</h4>\n<p>The <code>ip-lockdown</code> script uses <a href=\"http://ipset.netfilter.org/iptables.man.html\" class=\"preview__body--description--blue\" target=\"_blank\">iptables</a> under the hood. The iptables application works by defining rules that can then be applied to each outgoing packet. The rules are applied in order (<code>sudo iptables -L line-num</code> to see your current rules as well as their <em>rule-indicies</em>).</p>\n<p>In order to block access to a specific IP address for a specific user you need 2 rules.</p>\n<ol>\n<li>A rule to ALLOW packets going to <code>YYY</code> owned by user <code>foo</code></li>\n<li>A rule to BLOCK packets going to <code>YYY</code></li>\n</ol>\n<p>The ordering of the rules is important as <a href=\"http://ipset.netfilter.org/iptables.man.html\" class=\"preview__body--description--blue\" target=\"_blank\">iptables</a> will go through the rules list until it finds a matching rule. 
As soon as a matching rule is found none of the subsequent rules are evaluated.</p>\n<p>In the above example, reversing those two rules would result in all access to <code>YYY</code> blocked even though there is a subsequent rule to allow <code>foo</code> to access.</p>\n<h4 id=\"why-not-use-groups\">Why not use groups?</h4>\n<p>In an ideal scenario, rather than adding one allow rule per user, we would just create a new <code>canAccessIP</code> group, and add our required users to that group. Then we would just need two iptables rules to manage access.</p>\n<p>Unfortunately iptables suffers from the limitation that it will <em>only</em> compare the <strong>primary</strong> group of the user rather than <strong>all</strong> of the groups that users belongs to. This limitation is the reason the ip-lockdown script has to create rules per user. As we do not want to modify each user and update their primary user group in case that this causes issues for some other process.</p>\n<p>For reference of this limitation see the following:</p>\n<ul>\n<li><a href=\"https://elixir.bootlin.com/linux/latest/source/net/netfilter/xt_owner.c\" class=\"preview__body--description--blue\" target=\"_blank\">iptables user/group matching module code</a></li>\n<li><a href=\"https://serverfault.com/questions/742693/iptables-match-output-rule-for-supplementary-groups\" class=\"preview__body--description--blue\" target=\"_blank\">iptables-match-output-rule-for-supplementary-groups</a></li>\n</ul>\n","repoName":"module-security","repoRef":"v0.22.2","serviceDescriptor":{"serviceName":"ip-lockdown","serviceRepoName":"module-security","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/ip-lockdown","cloudProviders":["aws","gcp"],"description":"Lock down specified outgoing ip addresses on a Linux server such that only specific OS users can access them. 
Used to protect metadata endpoints.","imageUrl":"ip-lockdown.png","licenseType":"subscriber","technologies":["Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Intrusion prevention","fileName":"README.md","filePath":"/modules/ip-lockdown","title":"Repo Browser: ip-lockdown","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}