Commit
Merge pull request #86 from JDBraun/aws-jd
update 3306 drop fw rule and README
jdbraun-db authored Aug 28, 2024
2 parents 3324c37 + 03d6ff3 commit 6253430
Showing 2 changed files with 18 additions and 3 deletions.
4 changes: 2 additions & 2 deletions aws/README.md
@@ -1,4 +1,4 @@
# Security Reference Architecture Template
# Security Reference Architectures (SRA) - Terraform Templates


## Introduction
@@ -21,7 +21,7 @@ There are four separate operation modes you can choose for the underlying networ

- **Sandbox**: Sandbox or open egress. Selecting 'sandbox' as the operation mode allows traffic to flow freely to the public internet. This mode is suitable for sandbox or development scenarios where data exfiltration protection is of minimal concern, and developers need to access public APIs, packages, and more.

- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For production scenarios, we recommend using Unity Catalog or self-hosted Hive metastores.
- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For sensitive production workloads, it is recommended to use isolated operation mode and Unity Catalog, a self-hosted Hive metastore, or to explore other firewall services to address AWS Network Firewall's limitations.

- **Isolated**: Isolated or no egress. Opting for 'isolated' as the operation mode prevents any traffic to the public internet. Traffic is limited to AWS private endpoints, either to AWS services or the Databricks control plane. This mode should be used in cases where access to the public internet is completely unsupported. **NOTE**: Apache Derby Metastore will be required for clusters and non-serverless SQL Warehouses. For more information, please view this [knowledge article](https://kb.databricks.com/metastore/set-up-embedded-metastore).

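Review bot: The rewritten NOTE in this hunk mixes forms ("to use isolated operation mode and Unity Catalog, a self-hosted Hive metastore, or to explore other firewall services"), so it reads as if isolated mode is a precondition for every option; rephrase as three parallel choices, e.g. "use isolated operation mode with Unity Catalog, use a self-hosted Hive metastore, or evaluate other firewall services that address the AWS Network Firewall limitation." The README also still says nothing about the new behaviour in firewall mode that this commit introduces in `firewall.tf`: a stateful DROP for TCP port 3306 to `0.0.0.0/0` in the `databricks_metastore_allowlist` rule group. A sentence in the Firewall bullet saying that MySQL/metastore traffic (TCP/3306) to destinations not covered by the metastore allowlist is dropped would make the operator-visible effect of this change discoverable.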
17 changes: 16 additions & 1 deletion aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf
@@ -179,7 +179,7 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdn_allowlist" {
}
}
}
}
}
tags = {
Name = "${var.resource_prefix}-${var.region}-databricks-fqdn-allowlist"
Project = var.resource_prefix
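Review bot: Only closing-brace lines are visible in this hunk of `databricks_fqdn_allowlist` (one line removed, one added, judging by the 16/1 file totals against the 15 lines added in the next hunk), so this looks like a whitespace or indentation fix with no functional change. Either mention it in the commit message or keep formatting-only edits out of a commit whose subject is a new drop rule, so the rule change can be reviewed and reverted on its own; running `terraform fmt` as a separate commit is the usual way to handle this.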
@@ -220,6 +220,21 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" {
settings = ["1"]
}
}
stateful_rule {
action = "DROP"
header {
destination = "0.0.0.0/0"
destination_port = 3306
direction = "FORWARD"
protocol = "TCP"
source = "ANY"
source_port = "ANY"
}
rule_option {
keyword = "sid"
settings = ["2"]
}
}
}
}
tags = {
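Review bot: The new `DROP` rule (sid 2, `destination = "0.0.0.0/0"`, `destination_port = 3306`) is only safe because of its relationship to the sid 1 rule directly above it, and nothing in the hunk records that dependency. Under AWS Network Firewall's default action order, pass rules are evaluated before drop rules regardless of where they appear, so an allowlisted metastore pass still wins; under `STRICT_ORDER`, this catch-all wins only because it is declared after sid 1, and anyone reordering or inserting rules in this block later could silently cut off the metastore. Add a comment above `stateful_rule {` explaining that sid 2 drops MySQL traffic to every destination not explicitly allowlisted (the FQDN workaround the README describes), and state which `rule_order` the rule group's `stateful_rule_options` (outside this hunk) relies on so the ordering assumption is explicit in the code rather than in the reviewer's head.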

0 comments on commit 6253430