Tags: amazon-web-services, aws-secrets-manager, aws-security-group, vpc-endpoint

Use secret manager with security group AWS


I'm deploying an API with AI model on AWS. To do so I created an ECS Fargate with a security group. My API needs to store secrets so I'm also using the Secrets Manager.

The problem is that I want to disallow all outbound traffic (outside my VPC) for security purposes but when I add an Outbound rule to my Security Group, my ECS can't access the Secrets Manager anymore.

I tried to add the rule:

    sgr-id         IPv4       All traffic       All      All     <vpc cidr>

because I thought my ECS was using the VPC Endpoint I created to contact the Secrets Manager, but I receive this error:

ResourceInitializationError: unable to pull secrets or registry auth: unable to retrieve secret from asm: There is a connection issue between the task and AWS Secrets Manager. Check your task network configuration. failed to fetch secret arn:aws:secretsmanager:eu-west-1:x:secret:y/z from secrets manager: RequestCanceled: request context canceled caused by: context deadline exceeded

Because of this error I feel like my ECS uses my internet access instead of my VPC Endpoint. When I change the destination rule with 0.0.0.0/0 it works perfectly fine.

My VPC Endpoint and my ECS are in the same VPC. My VPC Endpoint has an interface in all the subnets of my VPC. Am I missing something?


Solution

  • Without knowing how you set up the VPC interface endpoint to Secrets Manager and your networking setup, it's impossible to tell.

    But why are you caring about outbound access? If you don't want to allow internet access, then you're dealing with ingress rules, not outbound rules. If you're also that concerned, why don't you simply deploy your workload on a private subnet?

    Leave 0.0.0.0/0 as an available outbound rule. If you're removing all outbound rules, then you're literally not allowing any traffic to leave your workload.

    AWS mentions this exactly: If your security group has no outbound rules, no outbound traffic is allowed.

    Also 0.0.0.0/0 does not indicate you're using internet access. It's simply matching any request for any cidr range. That could be 10.0.0.0/16, 10.1.0.0/32, etc.
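The answer above is right that the question cannot be settled without the endpoint and security-group details. The following is an added example (not code from the question, the answer, or AWS) that shows which of those details usually have to hold for a task to reach Secrets Manager over an interface endpoint with tight egress: private DNS enabled on the endpoint (otherwise `secretsmanager.eu-west-1.amazonaws.com` resolves to public addresses and the task needs internet egress), an egress rule on the task's security group allowing TCP/443 to the endpoint's ENIs, and an ingress rule on the endpoint's security group allowing TCP/443 from the task. All IDs, addresses and the dict layout are constructed for the example; they are loosely modelled on `aws ec2 describe-vpc-endpoints` / `describe-security-groups` output but are not that output.

```python
"""Offline sanity check for the 'ECS task -> Secrets Manager via interface
VPC endpoint' path. All IDs and addresses below are constructed."""
import ipaddress


def _rule_allows_https(rules, peer_sg, peer_ips):
    """True if some rule permits TCP/443 (or all traffic) either by
    referencing the peer security group or via a CIDR that contains
    every peer IP address."""
    for rule in rules:
        all_traffic = rule["protocol"] == "-1"
        tcp_443 = (rule["protocol"] == "tcp"
                   and rule["from_port"] <= 443 <= rule["to_port"])
        if not (all_traffic or tcp_443):
            continue
        if peer_sg in rule.get("sg_ids", []):
            return True
        for cidr in rule.get("cidrs", []):
            net = ipaddress.ip_network(cidr)
            if all(ipaddress.ip_address(ip) in net for ip in peer_ips):
                return True
    return False


def check_secrets_manager_path(task_sg, endpoint, endpoint_sg, task_ips):
    """Return a list of findings; an empty list means the three usual
    requirements for the private path are satisfied."""
    findings = []
    if not endpoint["private_dns_enabled"]:
        findings.append("endpoint: private DNS is off, so the service hostname "
                        "resolves to public IPs and the task needs internet egress")
    if not _rule_allows_https(task_sg["egress"], endpoint_sg["id"], endpoint["eni_ips"]):
        findings.append("task SG: no egress rule allowing TCP/443 to the endpoint ENIs")
    if not _rule_allows_https(endpoint_sg["ingress"], task_sg["id"], task_ips):
        findings.append("endpoint SG: no ingress rule allowing TCP/443 from the task")
    return findings


# ---- constructed sample configuration (hypothetical IDs/addresses) ----
TASK_IPS = ["10.0.1.25"]                      # address of the task's ENI
ENDPOINT = {
    "service": "com.amazonaws.eu-west-1.secretsmanager",
    "private_dns_enabled": True,
    "eni_ips": ["10.0.1.200", "10.0.2.200"],  # one ENI per subnet
}
ENDPOINT_SG = {
    "id": "sg-endpoint0001",
    "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                 "sg_ids": ["sg-task0001"]}],
}
# Egress limited to HTTPS inside the VPC: no 0.0.0.0/0 needed for the endpoint.
TASK_SG_TIGHT = {
    "id": "sg-task0001",
    "egress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                "cidrs": ["10.0.0.0/16"]}],
}
# Same task SG but with every outbound rule removed (blocks everything).
TASK_SG_EMPTY = {"id": "sg-task0001", "egress": []}


def run_scenarios():
    """Evaluate a few variations and return their findings by name."""
    no_private_dns = dict(ENDPOINT, private_dns_enabled=False)
    return {
        "tight_egress_ok": check_secrets_manager_path(
            TASK_SG_TIGHT, ENDPOINT, ENDPOINT_SG, TASK_IPS),
        "no_private_dns": check_secrets_manager_path(
            TASK_SG_TIGHT, no_private_dns, ENDPOINT_SG, TASK_IPS),
        "no_egress_rules": check_secrets_manager_path(
            TASK_SG_EMPTY, ENDPOINT, ENDPOINT_SG, TASK_IPS),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, "->", findings or "OK")
```

The `tight_egress_ok` scenario shows that an egress rule scoped to the VPC CIDR on port 443 is enough for the endpoint path, so there is no need for `0.0.0.0/0` unless the task has other internet destinations; the `no_private_dns` scenario is the case where such a rule fails even though the endpoint exists, because the SDK never resolves the endpoint's private addresses. The live data for the three checks comes from `aws ec2 describe-vpc-endpoints` (the `PrivateDnsEnabled` field and the endpoint's network interfaces) and `aws ec2 describe-security-groups` for both groups.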