Banyan AWS Access Tier 2 Module

This module creates an auto-scaling instance group and a Network Load Balancer in Amazon Web Services for a Banyan Access Tier. The Network Load Balancer forwards traffic to the instance group which, once it carries the proper tags and is referenced by Banyan zero trust policies, allows connections to internal services or to the private network via a service tunnel.

This module will create an access tier definition in the Banyan API, and an access_tier scoped API key. It will populate the launch configuration of all instances in the auto-scaling group with a short script to download the latest version of the Banyan NetAgent (or a pinned version if set), install it as a service, and launch the netagent with the API key and access tier configuration name for your Banyan organization.

Why Access Tier 2?

To ease installation and configuration of the access tier, the new netagent only needs an access tier scoped API key, the Banyan API URL, and the name of an access tier configuration in order to connect. In this module the access tier is defined in the Banyan API with the banyan_accesstier resource from the banyan terraform provider. The API key is created specifically for that access tier (it is not the admin-scoped key used by the provider) and is added to the launch configuration, so no admin credential reaches the instances.

Usage

terraform {
  required_providers {
    banyan = {
      source  = "banyansecurity/banyan"
      version = "1.0.0"
    }
  }
}

provider "banyan" {
  api_key = "ADMIN-SCOPE-API-KEY"
}

provider "aws" {
  region = "us-west-2"
}

module "aws_accesstier" {
  source                 = "banyansecurity/banyan-accesstier2/aws"
  name                   = "example"
  banyan_host            = var.banyan_host
  private_subnet_ids     = ["subnet-0bff66824ea1ede35", "subnet-0e4680564d8fd1f69"]
  public_subnet_ids      = ["subnet-0bd9c5568baa33137", "subnet-0a2f69d9f6cdc0b1a"]
  vpc_id                 = "vpc-0c5252fae45fe5011"
  member_security_groups = [aws_security_group.allow_at.id]
}
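A hardened variant of the Usage block, added here as an example; it is not code from the module or its README. It assumes the aws_security_group.allow_at definition that the Usage block references but does not define, a backend security group named backend, the input names listed under Inputs, and placeholder subnet, VPC and netagent version identifiers. The admin-scoped key is injected through a sensitive variable instead of a literal, the health check and SSH allowlists are derived from the VPC CIDR instead of 0.0.0.0/0, the netagent version is pinned, and backend workloads admit traffic only from the Access Tier's security group via the security_group_id output.

```hcl
# Added example, not part of the module's README. AWS identifiers and the
# netagent version are placeholders.
terraform {
  required_providers {
    banyan = {
      source  = "banyansecurity/banyan"
      version = "1.0.0"
    }
  }
}

# Inject the admin-scoped key (TF_VAR_banyan_api_key or a secrets backend) rather
# than committing a literal; sensitive = true keeps it out of plan output.
variable "banyan_api_key" {
  description = "Admin-scoped Banyan API key"
  type        = string
  sensitive   = true
}

variable "vpc_id" {
  type    = string
  default = "vpc-0c5252fae45fe5011" # placeholder
}

provider "banyan" {
  api_key = var.banyan_api_key
}

provider "aws" {
  region = "us-west-2"
}

# The VPC's own CIDR feeds the allowlists below so nothing is left at 0.0.0.0/0.
data "aws_vpc" "at" {
  id = var.vpc_id
}

# The group the Usage block references as aws_security_group.allow_at. It carries no
# ingress rules: the module's own group (output security_group_id) opens the listener
# ports; this one only exists to be attached to the instances.
resource "aws_security_group" "allow_at" {
  name   = "banyan-at-member"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

module "aws_accesstier" {
  source                 = "banyansecurity/banyan-accesstier2/aws"
  name                   = "example"
  private_subnet_ids     = ["subnet-0bff66824ea1ede35", "subnet-0e4680564d8fd1f69"] # placeholders
  public_subnet_ids      = ["subnet-0bd9c5568baa33137", "subnet-0a2f69d9f6cdc0b1a"] # placeholders
  vpc_id                 = var.vpc_id
  member_security_groups = [aws_security_group.allow_at.id]

  # Load balancer health checks originate inside the VPC, so the VPC CIDR suffices.
  healthcheck_cidrs = [data.aws_vpc.at.cidr_block]
  # SSH only from inside the VPC (the in-network jump host described under Notes);
  # port 22 is never reachable from the internet.
  management_cidrs = [data.aws_vpc.at.cidr_block]
  # Pin the agent so every instance in the ASG runs the same build (placeholder version).
  netagent_version = "1.49.1"
  # Tunnel the whole VPC; narrow to specific subnets if only some need to be reachable.
  tunnel_cidrs = [data.aws_vpc.at.cidr_block]
}

# A backend workload's security group (assumed to exist in this configuration).
resource "aws_security_group" "backend" {
  name   = "backend-app"
  vpc_id = var.vpc_id
}

# Backends admit HTTPS only from the Access Tier's security group, not from a CIDR,
# so only traffic that actually traversed the Access Tier reaches them.
resource "aws_security_group_rule" "backend_from_at" {
  type                     = "ingress"
  security_group_id        = aws_security_group.backend.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = module.aws_accesstier.security_group_id
}
```

Using the security group ID rather than the tunnel CIDR as the source of the backend rule means the backend policy keeps working if tunnel_cidrs is later narrowed or the VPC is re-addressed, and it does not admit other hosts that happen to sit in the same CIDR.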

Example Stack with Service Tunnel and Wildcard DNS Record

This example configures the Banyan terraform provider and the AWS provider. It then creates an access tier with a wildcard DNS record pointing to the address of the access tier. The access tier is configured with the tunnel CIDR 10.10.0.0/16, which corresponds to the CIDR of the private network(s) (the entire VPC or individual subnets in AWS). A service tunnel is configured to use this access tier, with a policy that allows any user with a High trust level access to the service tunnel.

This policy could be narrowed further using the access.l4_access attribute of the banyan_policy_tunnel resource, restricting which CIDRs, protocols and ports can be reached through the tunnel instead of exposing the whole tunnel range to every High trust device.

This is an effective replacement for a VPN tunnel that leverages the device trust, continuous authorization and SAML capabilities of Banyan.

terraform {
  required_providers {
    banyan = {
      source  = "banyansecurity/banyan"
      version = "1.0.0"
    }
  }
}

provider "banyan" {
  api_key = "ADMIN-SCOPE-API-KEY"
}

provider "aws" {
  region = "us-west-2"
}

module "aws_accesstier" {
  source                 = "banyansecurity/banyan-accesstier2/aws"
  name                   = "example"
  private_subnet_ids     = ["subnet-0bff66824ea1ede35", "subnet-0e4680564d8fd1f69"]
  public_subnet_ids      = ["subnet-0bd9c5568baa33137", "subnet-0a2f69d9f6cdc0b1a"]
  vpc_id                 = "vpc-0c5252fae45fe5011"
  member_security_groups = [aws_security_group.allow_at.id]
  tunnel_cidrs           = ["10.10.0.0/16"]
}

resource "banyan_service_tunnel" "example" {
  name        = "example-anyone-high"
  description = "tunnel allowing anyone with a high trust level"
  access_tier = module.aws_accesstier.name # the module creates the access tier; reference its name output
  policy      = banyan_policy_infra.anyone-high.id
}

resource "banyan_policy_infra" "anyone-high" {
  name        = "allow-anyone-high-trust"
  description = "${module.aws_accesstier.name} allow"
  access {
    roles       = ["ANY"]
    trust_level = "High"
  }
}

resource "aws_route53_record" "aws_accesstier" {
  zone_id = local.route53_zone_id
  name    = "*.${module.aws_accesstier.name}.mycompany.com"
  type    = "CNAME"
  ttl     = 300
  records = [module.aws_accesstier.address]
}
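The narrowed tunnel policy that the paragraph above describes, as an added example; it is not code from the README or the Banyan project. It replaces the any-port banyan_policy_infra policy of the stack above with a banyan_policy_tunnel that uses access.l4_access, and points the service tunnel at the module's access tier name. The nested allow block with cidrs, protocols and ports is assumed from the provider's documented schema; verify the field names against the provider version you pin.

```hcl
# Added example: replaces banyan_policy_infra.anyone-high and banyan_service_tunnel.example
# from the stack above. Assumes the module block "aws_accesstier" with tunnel_cidrs = ["10.10.0.0/16"].

# Only SSH and HTTPS into the 10.10.0.0/16 tunnel range, and only from devices at High trust.
# The access tier still routes the whole /16, but the policy allows nothing else through it.
resource "banyan_policy_tunnel" "high_trust_ssh_https" {
  name        = "allow-high-trust-ssh-https"
  description = "${module.aws_accesstier.name}: High trust, TCP 22 and 443 only"
  access {
    roles       = ["ANY"]
    trust_level = "High"
    # Field names inside l4_access are assumed from the provider schema; check your version.
    l4_access {
      allow {
        cidrs     = ["10.10.0.0/16"]
        protocols = ["TCP"]
        ports     = ["22", "443"]
      }
    }
  }
}

resource "banyan_service_tunnel" "example" {
  name        = "example-high-trust-l4"
  description = "tunnel limited to SSH and HTTPS inside 10.10.0.0/16 for High trust devices"
  access_tier = module.aws_accesstier.name
  policy      = banyan_policy_tunnel.high_trust_ssh_https.id
}
```

Start from an allow list like this and widen it per service as needed; a single allow covering the full tunnel range on all ports is equivalent to the unrestricted policy it replaces.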

Upgrading Netagent

Set netagent_version to the desired version number. This ensures all instances are pinned to the same version. If netagent_version is not specified, each instance installs whatever version is the latest at the time it launches, so instances that join the auto-scaling group at different times (scale-out, replacement) may run different versions; pin the version in production so that an upgrade is a deliberate, reviewed change to the configuration rather than a side effect of an instance launch.

Notes

  • The default value for management_cidrs leaves SSH closed to instances in the access tier.

  • The current recommended setup is to use a Banyan SSH service to reach a host inside the private network, which in turn has SSH access to the instances in the auto-scaling group. This way no SSH service is exposed to the internet.

  • command_center_cidrs, healthcheck_cidrs, managed_internal_cidrs, shield_cidrs and trustprovider_cidrs all default to 0.0.0.0/0. Load balancer health checks originate inside the VPC, so set healthcheck_cidrs to the VPC CIDR range as the Inputs table recommends; narrow the outbound allowlists to the address ranges of your Banyan tenant where your environment restricts egress.

  • The api_key given to the banyan provider is an admin-scoped key; supply it from a sensitive variable or a secrets backend rather than committing the literal shown in the examples. The access tier scoped key that the module creates (see the api_key_id output) is the only key that reaches the instances.

Requirements

| Name   | Version |
|--------|---------|
| banyan | >=1.0.0 |

Providers

| Name   | Version |
|--------|---------|
| aws    | n/a     |
| banyan | >=1.0.0 |

Modules

No modules.

Resources

| Name                                | Type        |
|-------------------------------------|-------------|
| aws_alb.nlb                         | resource    |
| aws_autoscaling_group.asg           | resource    |
| aws_autoscaling_policy.cpu_policy   | resource    |
| aws_launch_configuration.conf       | resource    |
| aws_lb_listener.listener443         | resource    |
| aws_lb_listener.listener51820       | resource    |
| aws_lb_listener.listener80          | resource    |
| aws_lb_listener.listener8443        | resource    |
| aws_lb_target_group.target443       | resource    |
| aws_lb_target_group.target51820     | resource    |
| aws_lb_target_group.target80        | resource    |
| aws_lb_target_group.target8443      | resource    |
| aws_security_group.sg               | resource    |
| banyan_accesstier.accesstier        | resource    |
| banyan_api_key.accesstier           | resource    |
| aws_ami.ubuntu                      | data source |
| aws_vpc.selected                    | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Name to use when registering this Access Tier with the Banyan command center | string | n/a | yes |
| private_subnet_ids | IDs of the subnets where the Access Tier should create instances | list(string) | n/a | yes |
| public_subnet_ids | IDs of the subnets where the load balancer should create endpoints | list(string) | n/a | yes |
| vpc_id | ID of the VPC in which to create the Access Tier | string | n/a | yes |
| autoscaling_group_tags | Additional tags to add to the autoscaling_group | map(any) | null | no |
| banyan_host | URL to the Banyan API server | string | "https://net.banyanops.com/" | no |
| cluster | Name of an existing Shield cluster to register this Access Tier with. This value is set automatically if omitted from the configuration | string | null | no |
| command_center_cidrs | CIDR blocks to allow Command Center connections to | list(string) | ["0.0.0.0/0"] | no |
| console_log_level | Controls verbosity of logs to console. Must be one of "ERR", "WARN", "INFO", "DEBUG" | string | null | no |
| cross_zone_enabled | Allow load balancer to distribute traffic to other zones | bool | true | no |
| custom_user_data | Custom commands to append to the launch configuration initialization script | list(string) | [] | no |
| datadog_api_key | API key for DataDog | string | null | no |
| disable_snat | Disable Source Network Address Translation (SNAT) | bool | false | no |
| enable_hsts | If enabled, Banyan will send the HTTP Strict-Transport-Security response header | bool | null | no |
| event_key_rate_limiting | Enable rate limiting of Access Events based on a derived "key" value. Each key has a separate rate limiter, and events with the same key value are subjected to the rate limiter for that key | bool | null | no |
| events_rate_limiting | Enable rate limiting of Access Event generation based on a credit-based rate control mechanism | bool | null | no |
| file_log | Whether to log to file or not | bool | null | no |
| file_log_level | Controls verbosity of logs to file. Must be one of "ERR", "WARN", "INFO", "DEBUG" | string | null | no |
| forward_trust_cookie | Forward the Banyan trust cookie to upstream servers. This may be enabled if upstream servers wish to make use of information in the Banyan trust cookie | bool | null | no |
| healthcheck_cidrs | CIDR blocks to allow health check connections from (recommended to use the VPC CIDR range) | list(string) | ["0.0.0.0/0"] | no |
| http_endpoint_imds_v2 | Value for the instance metadata http_endpoint setting ("enabled" keeps IMDS reachable; IMDSv2 is enforced by http_tokens_imds_v2) | string | "enabled" | no |
| http_hop_limit_imds_v2 | Value for the instance metadata http_put_response_hop_limit; 1 stops containers and forwarded hops on the instance from reaching IMDS | number | 1 | no |
| http_tokens_imds_v2 | Value for the instance metadata http_tokens setting; "required" enforces IMDSv2 (session tokens) and rejects IMDSv1 requests | string | "required" | no |
| iam_instance_profile | The name attribute of the IAM instance profile to associate with launched instances | string | null | no |
| instance_type | EC2 instance type to use when creating Access Tier instances | string | "t3.medium" | no |
| lb_tags | Additional tags to add to the load balancer | map(any) | null | no |
| log_num | For file logs: number of files to use for log rotation | number | null | no |
| log_size | For file logs: size of each file for log rotation | number | null | no |
| managed_internal_cidrs | CIDR blocks to allow managed internal services connections to | list(string) | ["0.0.0.0/0"] | no |
| management_cidrs | CIDR blocks to allow SSH connections from. Default is the VPC CIDR range | list(string) | [] | no |
| max_instance_lifetime | The maximum amount of time, in seconds, that an instance can be in service; values must be either equal to 0 or between 604800 and 31536000 seconds | number | null | no |
| member_security_groups | Additional security groups which the access tier shou | list(string) | [] | no |
| min_instances | Minimum number of Access Tier instances to keep alive | number | 2 | no |
| netagent_version | Override to use a specific version of netagent (e.g. 1.49.1). Omit for the latest version available | string | null | no |
| redirect_http_to_https | If true, requests to the Access Tier on port 80 will be redirected to port 443 | bool | true | no |
| security_group_tags | Additional tags to add to the security_group | map(any) | null | no |
| shield_cidrs | CIDR blocks to allow Shield (Cluster Coordinator) connections to | list(string) | ["0.0.0.0/0"] | no |
| shield_port | TCP port number to allow Shield (Cluster Coordinator) connections to | number | 0 | no |
| src_nat_cidr_range | CIDR range for which source Network Address Translation (SNAT) will be disabled | string | null | no |
| ssh_key_name | Name of an SSH key stored in AWS to allow management access | string | "" | no |
| statsd_address | Address to send statsd messages: "hostname:port" for UDP, "unix:///path/to/socket" for UDS | string | null | no |
| sticky_sessions | Enable session stickiness for apps that require it | bool | false | no |
| tags | Add tags to each resource | map(any) | null | no |
| target_group_tags | Additional tags to add to each target_group | map(any) | null | no |
| trustprovider_cidrs | CIDR blocks to allow TrustProvider connections to | list(string) | ["0.0.0.0/0"] | no |
| tunnel_cidrs | Backend CIDR ranges that correspond to the IP addresses in your private network(s) | list(string) | null | no |
| tunnel_port | UDP port that end users of this access tier connect to when using a service tunnel | number | null | no |
| tunnel_private_domains | Any internal domains that can only be resolved on your internal network's private DNS | list(string) | null | no |

Outputs

| Name | Description |
|------|-------------|
| address | DNS name of the load balancer (example: banyan-nlb-b335ff082d3b27ff.elb.us-east-1.amazonaws.com) |
| api_key_id | ID of the API key associated with the Access Tier |
| name | Name to use when registering this Access Tier with the console |
| nlb_zone_id | Zone ID of the load balancer (example: Z26RNL4JYFTOTI) |
| security_group_id | The ID of the security group, which can be added as an inbound rule on other backend groups (example: sg-1234abcd) |