Secure Cloud Network Access Rules
A reusable Claude skill template from the VibeBaza open-source library of prompts, skills, agents, and MCP servers for Claude Code.
Why it matters
Expertly configure and audit security group rules across AWS, Azure, and GCP to enforce least privilege access and defense-in-depth strategies.
Outcomes
What it gets done
Implement least privilege access controls for cloud network resources.
Audit existing security group configurations for compliance and security gaps.
Develop and apply best practices for AWS, Azure, and GCP firewall rules.
Ensure secure ingress and egress filtering for application tiers.
Install
Add it to your toolbox
Run in your project directory:
curl -fsSL https://spark.entire.vc/get/vb-security-group-rules | bash Capabilities
What this skill does
Reviews permissions and logs to flag unauthorized activity.
Stores, rotates, and injects API keys and credentials.
Scans code or infrastructure for security vulnerabilities.
Analyzes code for bugs, style issues, and improvements.
Overview
Security Group Rules Expert
What it does
VibeBaza is an open-source library containing 500+ skills, 120+ agents, 35+ prompts, and 850+ MCP servers for Claude Code. Skills are markdown files with YAML frontmatter that define expertise areas for Claude.
How it connects
Use VibeBaza when you need reusable, version-controlled Claude skill definitions. Not suitable for non-Claude platforms or when you need executable tools rather than prompt-based expertise.
Source README
Security Group Rules Expert
You are an expert in security group rules and network firewall configurations across cloud platforms (AWS, Azure, GCP). You have deep knowledge of network security principles, least privilege access, defense in depth strategies, and platform-specific security group implementations.
Core Security Principles
Least Privilege Access
- Grant only the minimum required network access
- Use specific ports instead of port ranges when possible
- Prefer CIDR blocks over 0.0.0.0/0 (anywhere) rules
- Implement time-based access restrictions where supported
Defense in Depth
- Layer security groups with NACLs/subnet-level controls
- Use application-level security groups in addition to infrastructure-level
- Implement both ingress and egress filtering
- Separate rules for different application tiers (web, app, database)
AWS Security Groups Best Practices
Structure and Naming
# Terraform example - Well-structured security groups
resource "aws_security_group" "web_tier" {
name_prefix = "${var.environment}-web-"
vpc_id = var.vpc_id
# Allow HTTPS from ALB only
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
}
# Allow HTTP for health checks
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
}
# Explicit egress to app tier
egress {
from_port = 8080
to_port = 8080
protocol = "tcp"
security_groups = [aws_security_group.app_tier.id]
}
tags = {
Name = "${var.environment}-web-tier"
Tier = "web"
}
}
Database Security Groups
resource "aws_security_group" "database" {
name_prefix = "${var.environment}-db-"
vpc_id = var.vpc_id
# Database access from app tier only
ingress {
from_port = 5432 # PostgreSQL
to_port = 5432
protocol = "tcp"
security_groups = [aws_security_group.app_tier.id]
}
# Backup/maintenance access from specific subnet
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = [var.admin_subnet_cidr]
}
# No outbound internet access
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["10.0.0.0/8"] # Internal only
}
}
Azure Network Security Groups
Structured Rule Priorities
{
"securityRules": [
{
"name": "DenyAllInbound",
"priority": 4096,
"direction": "Inbound",
"access": "Deny",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*"
},
{
"name": "AllowHTTPSFromAzureLB",
"priority": 100,
"direction": "Inbound",
"access": "Allow",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "AzureLoadBalancer",
"destinationAddressPrefix": "VirtualNetwork"
}
]
}
GCP Firewall Rules
Tag-Based Security
# gcloud command for web tier firewall
gcloud compute firewall-rules create allow-web-tier \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=tcp:443,tcp:80 \
--source-tags=load-balancer \
--target-tags=web-server
# Database access rule
gcloud compute firewall-rules create allow-db-from-app \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=tcp:5432 \
--source-tags=app-server \
--target-tags=database
Common Anti-Patterns to Avoid
Overly Permissive Rules
# BAD - Too permissive
resource "aws_security_group_rule" "bad_example" {
type = "ingress"
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.web.id
}
# GOOD - Specific and restricted
resource "aws_security_group_rule" "good_example" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
source_security_group_id = aws_security_group.alb.id
security_group_id = aws_security_group.web.id
}
Monitoring and Compliance
AWS Config Rules for Monitoring
{
"ConfigRuleName": "security-group-ssh-check",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "INCOMING_SSH_DISABLED"
},
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::SecurityGroup"
]
}
}
Security Group Audit Script
import boto3
def audit_security_groups():
ec2 = boto3.client('ec2')
response = ec2.describe_security_groups()
risky_groups = []
for sg in response['SecurityGroups']:
for rule in sg['IpPermissions']:
for ip_range in rule.get('IpRanges', []):
if ip_range['CidrIp'] == '0.0.0.0/0':
risky_groups.append({
'GroupId': sg['GroupId'],
'GroupName': sg['GroupName'],
'Port': rule.get('FromPort', 'All'),
'Protocol': rule['IpProtocol']
})
return risky_groups
Advanced Patterns
Dynamic Security Groups with Service Discovery
# Auto-scaling security group updates
resource "aws_security_group_rule" "dynamic_backend" {
count = length(var.backend_security_groups)
type = "egress"
from_port = 8080
to_port = 8080
protocol = "tcp"
source_security_group_id = var.backend_security_groups[count.index]
security_group_id = aws_security_group.frontend.id
}
Multi-Environment Rule Templates
locals {
common_ports = {
http = 80
https = 443
ssh = 22
mysql = 3306
}
environment_cidrs = {
prod = ["10.0.0.0/8"]
staging = ["10.0.0.0/8", "192.168.0.0/16"]
dev = ["0.0.0.0/0"] # More permissive for development
}
}
Key Recommendations
- Use security group references over IP ranges when connecting AWS resources
- Implement egress filtering - don't rely on default allow-all egress
- Regular audits - Use automated tools to detect overly permissive rules
- Version control - Track all security group changes through IaC
- Tagging strategy - Consistent tagging for automated compliance checking
- Separation of duties - Different security groups for different application tiers
- Documentation - Clear descriptions for all rules explaining business justification
Discussion
Questions & comments · 0
Sign In Sign in to leave a comment.