A security group to allow a Wazuh agent on an EC2 instance to communicate with the outside. This is implemented as a singleton, meaning only one resource will be created in a stack. If there are multiple apps in the stack, they will re-use this resource.

The logicalId will always be "WazuhSecurityGroup".

Will create a resource like this:

WazuhSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow outbound traffic from wazuh agent to manager
    VpcId:
      Ref: VpcId
    SecurityGroupEgress:
    - Description: Wazuh event logging
      IpProtocol: tcp
      FromPort: 1514
      ToPort: 1514
      CidrIp: 0.0.0.0/0
    - Description: Wazuh agent registration
      IpProtocol: tcp
      FromPort: 1515
      ToPort: 1515
      CidrIp: 0.0.0.0/0

Which will then get used like this:

InstanceRoleForAppA:
  Type: AWS::IAM::Role
  Properties:
    SecurityGroups:
    - Ref: WazuhSecurityGroup

InstanceRoleForAppB:
  Type: AWS::IAM::Role
  Properties:
    SecurityGroups:
    - Ref: WazuhSecurityGroup

Usage within a stack:

GuWazuhAccess.getInstance(this, vpc);

Hierarchy (view full)

Properties

allowAllIpv6Outbound: boolean

Whether the SecurityGroup has been configured to allow all outbound ipv6 traffic

allowAllOutbound: boolean

Whether the SecurityGroup has been configured to allow all outbound traffic

canInlineRule = false

Whether the rule can be inlined into a SecurityGroup or not

connections: Connections

The network connections associated with this resource.

defaultPort?: Port
env: ResourceEnvironment

The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

node: Node

The tree node.

physicalName: string

Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following:

  • a concrete value (e.g. "my-awesome-bucket")
  • undefined, when a name should be generated by CloudFormation
  • a concrete name generated automatically during synthesis, in cross-environment scenarios.
securityGroupId: string

The ID of the security group

securityGroupVpcId: string

The VPC ID this security group is part of.

stack: Stack

The stack in which this resource is defined.

Accessors

  • get uniqueId(): string
  • A unique identifier for this connection peer

    Returns string

Methods

  • Internal

    Called when this resource is referenced across environments (account/region) to order to request that a physical name will be generated for this resource during synthesis, so the resource can be referenced through its absolute name/arn.

    Returns void

  • Parameters

    • peer: IPeer
    • connection: Port
    • Optionaldescription: string
    • OptionalremoteRule: boolean

    Returns void

  • Parameters

    • peer: IPeer
    • connection: Port
    • Optionaldescription: string
    • OptionalremoteRule: boolean

    Returns void

  • Apply the given removal policy to this resource

    The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

    The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

    Parameters

    • policy: RemovalPolicy

    Returns void

  • Determine where to parent a new ingress/egress rule

    A SecurityGroup rule is parented under the group it's related to, UNLESS we're in a cross-stack scenario with another Security Group. In that case, we respect the 'remoteRule' flag and will parent under the other security group.

    This is necessary to avoid cyclic dependencies between stacks, since both ingress and egress rules will reference both security groups, and a naive parenting will lead to the following situation:

    ╔════════════════════╗ ╔════════════════════╗ ║ ┌───────────┐ ║ ║ ┌───────────┐ ║ ║ │ GroupA │◀────╬─┐ ┌───╬───▶│ GroupB │ ║ ║ └───────────┘ ║ │ │ ║ └───────────┘ ║ ║ ▲ ║ │ │ ║ ▲ ║ ║ │ ║ │ │ ║ │ ║ ║ │ ║ │ │ ║ │ ║ ║ ┌───────────┐ ║ └───┼───╬────┌───────────┐ ║ ║ │ EgressA │─────╬─────┘ ║ │ IngressB │ ║ ║ └───────────┘ ║ ║ └───────────┘ ║ ║ ║ ║ ║ ╚════════════════════╝ ╚════════════════════╝

    By having the ability to switch the parent, we avoid the cyclic reference by keeping all rules in a single stack.

    If this happens, we also have to change the construct ID, because otherwise we might have two objects with the same ID if we have multiple reversed security group relationships.

    ╔═══════════════════════════════════╗ ║┌───────────┐ ║ ║│ GroupB │ ║ ║└───────────┘ ║ ║ ▲ ║ ║ │ ┌───────────┐ ║ ║ ├────"from A"──│ IngressB │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ ├─────"to B"───│ EgressA │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ └─────"to B"───│ EgressC │ ║ <-- oops ║ └───────────┘ ║ ╚═══════════════════════════════════╝

    Parameters

    • peer: IPeer
    • connection: Port
    • fromTo: "from" | "to"
    • OptionalremoteRule: boolean

    Returns RuleScope

  • Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

    Normally, this token will resolve to arnAttr, but if the resource is referenced across environments, arnComponents will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arnComponents.

    Parameters

    • arnAttr: string

      The CFN attribute which resolves to the ARN of the resource. Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes it's the CFN resource's ref.

    • arnComponents: ArnComponents

      The format of the ARN of this resource. You must reference this.physicalName somewhere within the ARN in order for cross-environment references to work.

    Returns string

  • Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

    Normally, this token will resolve to nameAttr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

    Parameters

    • nameAttr: string

      The CFN attribute which resolves to the resource's name. Commonly this is the resource's ref.

    Returns string

  • Produce the egress rule JSON for the given connection

    Returns any

  • Produce the ingress rule JSON for the given connection

    Returns any

  • Returns a string representation of this construct.

    Returns string

  • Look up a security group by id.

    Parameters

    • scope: Construct
    • id: string
    • securityGroupId: string

    Returns ISecurityGroup

  • Look up a security group by name.

    Parameters

    • scope: Construct
    • id: string
    • securityGroupName: string
    • vpc: IVpc

    Returns ISecurityGroup

  • Import an existing security group into this app.

    This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).

    If your existing Security Group needs to have egress rules added, pass the allowAllOutbound: false option on import.

    Parameters

    • scope: Construct
    • id: string
    • securityGroupId: string
    • Optionaloptions: SecurityGroupImportOptions

    Returns ISecurityGroup

  • GuWazuhAccess is implemented as a singleton meaning only one instance will be created for the entire stack. If there are multiple apps in the stack, they will re-use this resource.

    Usage:

    GuWazuhAccess.getInstance(this, vpc);
    

    Parameters

    • stack: GuStack

      the stack to add this security group to

    • vpc: IVpc

      the vpc to add this security group to

    Returns GuWazuhAccess

  • Checks if x is a construct.

    Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

    Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

    Parameters

    • x: any

      Any object

    Returns x is Construct

    true if x is an object created from a class which extends Construct.

  • Returns true if the construct was created by CDK, and false otherwise

    Parameters

    • construct: IConstruct

    Returns boolean

  • Check whether the given construct is a Resource

    Parameters

    • construct: IConstruct

    Returns construct is Resource

  • Return whether the indicated object is a security group

    Parameters

    • x: any

    Returns x is SecurityGroupBase