Description
FSx is accessed through an ENI (Elastic Network Interface), so the security groups attached to that ENI decide which clients can reach the file system.
FSx for Windows File Server supports VPC sharing.
Security Groups
Best practice from AWS
https://docs.aws.amazon.com/fsx/latest/WindowsGuide/limit-access-security-groups.html
Ports and Role
| Protocol | Ports | Role |
|---|---|---|
| TCP/UDP | 53 | Domain Name System (DNS) |
| TCP/UDP | 88 | Kerberos authentication |
| TCP/UDP | 464 | Change/Set password |
| TCP/UDP | 389 | Lightweight Directory Access Protocol (LDAP) |
| UDP | 123 | Network Time Protocol (NTP) |
| TCP | 135 | Distributed Computing Environment / End Point Mapper (DCE / EPMAP) |
| TCP | 445 | Directory Services SMB file sharing |
| TCP | 636 | Lightweight Directory Access Protocol over TLS/SSL (LDAPS) |
| TCP | 3268 | Microsoft Global Catalog |
| TCP | 3269 | Microsoft Global Catalog over SSL |
| TCP | 5985 | WinRM 2.0 (Microsoft Windows Remote Management) |
| TCP | 9389 | Microsoft AD DS Web Services, PowerShell |
| TCP | 49152 – 65535 | Ephemeral ports for RPC |
CloudFormation FSx SG
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  FSx Security Group Best Practice
##########################################################################
# METADATA                                                               #
##########################################################################
# Metadata:
#   QuickStartDocumentation:
#     EntrypointName: "Parameters for Security Group FSx"
#   AWS::CloudFormation::Interface:
#     ParameterGroups:
#       - Label:
#           default: ---- PARAMETERS ----
#         Parameters:
#           - Region
#           - Owner
#           - VPC
#           - SGEC2
#           - SGLAMBDA
#           - SGALB
##########################################################################
# PARAMETERS                                                             #
##########################################################################
Parameters:
  Owner:
    Type: String
    Default: Michael
    AllowedValues:
      - Ariel
      - Arik
      - Michael
  Region:
    Type: String
    Default: EUROPE - Ireland
    AllowedValues:
      - EUROPE - Ireland
      - USA - N. Virginia
  # The VPC parameter must exist: VpcId below and the VPC output both reference it.
  VPC:
    Type: AWS::EC2::VPC::Id
    Default: vpc-021643fc71e5b3263
  # The source groups are used in SourceSecurityGroupId, so they must be passed
  # as IDs (AWS::EC2::SecurityGroup::Id), not names: for security groups in a
  # non-default VPC the source has to be given by ID, and !GetAtt cannot be
  # applied to a parameter. Supply the IDs of SG-EC2, SG-LAMBDA and SG-ALB at deploy time.
  SGEC2:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the EC2 clients (SG-EC2)
  SGLAMBDA:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the Lambda functions (SG-LAMBDA)
  SGALB:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the ALB (SG-ALB)
##########################################################################
# RESOURCES                                                              #
##########################################################################
Resources:
  ##### FSx-Security Group ##############################################
  BestPracticeFSxSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: BestP-FSx-SG
      GroupDescription: Best-Practice-FSx-SG
      VpcId: !Ref VPC
      # Ingress only from other security groups, never from CIDR ranges.
      SecurityGroupIngress:
        - IpProtocol: tcp          # WinRM over HTTP (remote administration)
          FromPort: 5985
          ToPort: 5985
          SourceSecurityGroupId: !Ref SGEC2
          Description: From EC2 SG
        - IpProtocol: tcp          # WinRM over HTTPS
          FromPort: 5986
          ToPort: 5986
          SourceSecurityGroupId: !Ref SGEC2
          Description: From EC2 SG
        - IpProtocol: tcp          # SMB file sharing
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref SGEC2
          Description: From EC2 SG
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref SGLAMBDA
          Description: From LAMBDA SG
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref SGALB
          Description: From ALB SG
      # Egress covers the Active Directory ports from the table above. It is
      # left open to 0.0.0.0/0 as in the original; narrow CidrIp to the domain
      # controller and DNS subnets where the topology allows it.
      SecurityGroupEgress:
        - IpProtocol: tcp          # SMB
          FromPort: 445
          ToPort: 445
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # DNS
          FromPort: 53
          ToPort: 53
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # Kerberos
          FromPort: 88
          ToPort: 88
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 88
          ToPort: 88
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # Kerberos change/set password
          FromPort: 464
          ToPort: 464
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 464
          ToPort: 464
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # LDAP
          FromPort: 389
          ToPort: 389
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 389
          ToPort: 389
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp          # NTP
          FromPort: 123
          ToPort: 123
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # DCE / EPMAP
          FromPort: 135
          ToPort: 135
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # LDAPS
          FromPort: 636
          ToPort: 636
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # Global Catalog
          FromPort: 3268
          ToPort: 3268
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # Global Catalog over SSL
          FromPort: 3269
          ToPort: 3269
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # WinRM over HTTP
          FromPort: 5985
          ToPort: 5985
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # WinRM over HTTPS
          FromPort: 5986
          ToPort: 5986
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # AD DS Web Services / PowerShell
          FromPort: 9389
          ToPort: 9389
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp          # Ephemeral ports for RPC
          FromPort: 49152
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: Best-Practice-FSx-SG
        - Key: Owner
          Value: !Sub 'DevOps-${Owner}'
##########################################################################
Outputs:
  Owner:
    Description: Owner
    Value: !Sub 'DevOps - ${Owner}'
  StackAccount:
    Description: Your Account ID
    Value: !Ref AWS::AccountId
  Region:
    Description: Region
    Value: !Ref Region
  VPC:
    Description: VPC
    Value: !Ref VPC
```
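To check that a deployed group still matches the port table and the template above (ingress only from security groups on the client ports, egress limited to the Active Directory ports), here is an added audit script; it is not code from the page or from AWS, it works on the dict shape returned by boto3's `ec2.describe_security_groups()`, and the two groups it checks are constructed samples so it runs offline.

```python
"""Offline audit of an FSx for Windows security group against the AD port table.

Added example (not from the page or from AWS). Input is the dict shape that
boto3 ec2.describe_security_groups() returns; the groups below are constructed."""

# (protocol, from_port, to_port) for every row of the Active Directory port table
AD_PORTS = {
    ("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),
    ("tcp", 464, 464), ("udp", 464, 464), ("tcp", 389, 389), ("udp", 389, 389),
    ("udp", 123, 123), ("tcp", 135, 135), ("tcp", 445, 445), ("tcp", 636, 636),
    ("tcp", 3268, 3268), ("tcp", 3269, 3269), ("tcp", 5985, 5985),
    ("tcp", 9389, 9389), ("tcp", 49152, 65535),
}
# Ports clients may open towards the file system (SMB, WinRM HTTP/HTTPS), as in the template
CLIENT_PORTS = {("tcp", 445, 445), ("tcp", 5985, 5985), ("tcp", 5986, 5986)}


def audit_fsx_sg(sg):
    """Return a list of human-readable findings; an empty list means the group matches."""
    findings = []
    for rule in sg.get("IpPermissions", []):  # ingress rules
        key = (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"))
        if key not in CLIENT_PORTS:
            findings.append(f"ingress: port {key} is not an FSx client port")
        # Ingress should name a source security group; a CIDR source widens exposure
        for rng in rule.get("IpRanges", []):
            findings.append(f"ingress: CIDR source {rng['CidrIp']} on {key}; use a security group")
    for rule in sg.get("IpPermissionsEgress", []):
        key = (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"))
        if key[0] == "-1":  # protocol -1 is the default allow-all egress rule
            findings.append("egress: allow-all rule present; restrict to the AD ports")
        elif key not in AD_PORTS:
            findings.append(f"egress: port {key} is outside the AD port table")
    return findings


# Constructed sample: SMB from a client security group, AD egress only
GOOD_SG = {
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-client0example"}]}],
    "IpPermissionsEgress": [{"IpProtocol": p, "FromPort": f, "ToPort": t, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
                            for p, f, t in AD_PORTS],
}
# Constructed sample: RDP open to the world plus the default allow-all egress rule
BAD_SG = {
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
```

Against a live account, replace the samples with `boto3.client("ec2").describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]`.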