CAPA Security Hardening

[T-Kukawka]

Based on customer security scanning, we will have to implement following features in CAPA:

• for {MC_NAME}-vpc the Network without Traffic Logging has to be followed - roadmap ticket: AWS VPC Flow Logs #502

• security group belonging to {MC_NAME}-vpc - Access List Default Allows Ingress/Egress (AWS)

• for S3 Bucket eu-central-1-capa-{MC_NAME} - Storage Container Not Enforcing Transit Encryption

We have this covered in Vintage implementation on AWS side, more information on the implementation details can be found in internal slack chat: https://gigantic.slack.com/archives/C02HLSDH3DZ/p1701179789159519.

Useful links:

• https://github.com/giantswarm/irsa-operator/blob/master/pkg/aws/services/s3/bucket.go#L85
• https://github.com/giantswarm/irsa-operator/blob/master/pkg/aws/services/s3/bucket.go#L85
• https://github.com/giantswarm/irsa-operator/blob/master/pkg/aws/services/s3/bucket.go#L154-L165

[fiunchinho]

@T-Kukawka Regarding the security group, can we know what security group is it? the default one? That only allows traffic coming from itself

[fiunchinho]

Created a feature request upstream and asked in their slack kubernetes-sigs/cluster-api-provider-aws#4675

[fiunchinho]

Created PR upstream to enable transit encryption on the S3 buckets kubernetes-sigs/cluster-api-provider-aws#4676

[fiunchinho]

Working on this PR upstream to secure the VPC default security group kubernetes-sigs/cluster-api-provider-aws#4707

[fiunchinho]

I tested my PR on golem to create both CAPA EC2 and CAPA EKS clusters. They both worked fine. The PR has been labeled with lgtm but still waiting on approval from maintainer. Once those changes are deployed to our MCs, we could review and merge these two

• Remove ingress and egress rules from VPC default security group cluster-aws#466
• Remove ingress and egress rules from VPC default security group cluster-eks#62