Conversation

@dylanratcliffe
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

🟢 Change Signals

Routine 🟢 ▁▂ Ingress resources showing regular updates with 1 event/day for the last 7 weeks and 2 events/day for the last day.


🔥 Risks

Tip

✔ All risks disproven

We investigated 1 potential risk across 26 resources and verified each was safe. See the investigation details below.


🧠 Reasoning · ✖ 1 · ✔ 0

Expanded security group ingress on TCP/443 to external IP 203.0.113.140/32

Observations 9

Hypothesis

An AWS security group (sg-03cf38efd953aa056) is being modified to add an ingress rule allowing TCP port 443 from the single external IP 203.0.113.140/32. This change alters the network access policy for all resources using this security group, including instance i-084178432f016fcd2 and ENI eni-0fe5a958a733a13fe, and potentially any attached load balancer targets. Opening HTTPS (443) to this external host widens the attack surface and may allow unauthorized or unintended access paths to services listening on 443, enabling potential data exfiltration, exploitation of vulnerable endpoints, or lateral movement if the source IP is compromised or malicious.

Investigation

I examined the proposed diff and the current blast-radius state. The change adds a single ingress rule on tcp/443 from 203.0.113.140/32 with description "NewCo 40" to security group sg-03cf38efd953aa056. The current security group (customer-api-access) already allows many similar /32 sources in the 203.0.113.x range (NewCo 1–39) plus several other tightly scoped CIDRs on port 443, and its description explicitly states it is a customer IP whitelist updated frequently. This is therefore an incremental allowlist update, not a material policy expansion.

The only attached resource of concern is EC2 instance i-084178432f016fcd2, which does have a public EIP (13.134.236.98) and is attached to this SG; however, there is no evidence that the instance is actually listening on port 443. The load balancer in the blast radius is an internal NLB that listens on TCP/9090 and does not use security groups, so this SG change has no effect on the LB path. Given the numerous existing 443 allowlist entries already in place, adding one more /32 does not introduce a new failure mode or a meaningful change in attack surface beyond current policy. The hypothesis is speculative about potential exploitation but provides no concrete misconfiguration or incompatibility that would cause breakage when deployed.

✖ Hypothesis disproven


💥 Blast Radius

Items 26

Edges 67

@github-actions github-actions bot left a comment
Overmind

✅ Auto-Approved


🟢 Decision

Auto-approved: All safety checks passed


📊 Signals Summary

Routine 🟢 +2


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 26 · Edges 67


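To make the "incremental allowlist update, not a material policy expansion" reasoning in the investigation above checkable, here is an added example (not Overmind's or this repository's code) that classifies a proposed security-group ingress rule against the group's existing rules. The sample rule set is constructed from details in the comment (customer-api-access already allowing NewCo 1–39 as 203.0.113.x/32 on tcp/443); the exact existing host addresses are assumed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # e.g. "tcp"
    port: int
    cidr: str
    description: str = ""

    @property
    def network(self) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
        return ipaddress.ip_network(self.cidr, strict=False)


def classify_ingress_change(existing: list[IngressRule], proposed: IngressRule) -> str:
    """Classify a proposed rule relative to the group's current policy.

    Verdicts, from most to least concerning:
      world-open        source is 0.0.0.0/0 or ::/0
      new-port          protocol/port not exposed to any source today
      broader-prefix    wider than any source already allowed on that port
      new-source-range  tightly scoped, but not near any existing source
      already-covered   an existing rule already admits this source
      incremental       tightly scoped (/24 or narrower) and inside the same
                        /24 (IPv4) or /48 (IPv6) as existing sources on that port
    """
    new_net = proposed.network
    if new_net.prefixlen == 0:
        return "world-open"
    same_port = [r.network for r in existing
                 if r.protocol == proposed.protocol and r.port == proposed.port
                 and r.network.version == new_net.version]
    if not same_port:
        return "new-port"
    if any(net.supernet_of(new_net) for net in same_port):
        return "already-covered"
    if new_net.prefixlen < min(net.prefixlen for net in same_port):
        return "broader-prefix"
    nbhd_len = 24 if new_net.version == 4 else 48
    if new_net.prefixlen >= nbhd_len:
        neighbourhood = new_net.supernet(new_prefix=nbhd_len)
        if any(net.overlaps(neighbourhood) for net in same_port):
            return "incremental"
    return "new-source-range"


# Constructed from the PR: NewCo 1-39 as 203.0.113.x/32 on tcp/443 (hosts assumed).
CUSTOMER_API_ACCESS = [IngressRule("tcp", 443, f"203.0.113.{n}/32", f"NewCo {n}")
                       for n in range(1, 40)]
PROPOSED = IngressRule("tcp", 443, "203.0.113.140/32", "NewCo 40")


def verdict_for_pr() -> str:
    return classify_ingress_change(CUSTOMER_API_ACCESS, PROPOSED)  # -> "incremental"
```

The same function flags the cases the hypothesis was actually worried about (a 0.0.0.0/0 source, a /24 wider than anything already allowed, or a port the group does not expose today), which is the check worth wiring into CI alongside the plan review.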
