Scenarios Reference

Table of Contents

• Overview

• Available Scenarios

• 3-Tier Scenarios

• 2-Tier Scenarios

• Scenario Architecture

• Choosing a Scenario

• Customizing with Overrides

• Creating Custom Scenarios

Overview

Scenarios are pre-built security group templates that define the tiers, rules, and cross-tier relationships for common application architectures. Each scenario is a YAML file in schemas/scenarios/.

Select a scenario in your config:

security_groups:
  scenario: 3-tier-web

List available scenarios:

docker run --rm \
  -v ~/.aws:/home/sguser/.aws:ro \
  -v $(pwd)/sg/configs:/app/configs:ro \
  -v $(pwd)/sg/reports:/app/reports \
  sg-provisioner:latest \
  -con my-config.yaml \
  -act list-scenarios

Available Scenarios

Scenario	Tiers	DB Port	Use Case
3-tier-web	web, app, db	5432	Generic 3-tier web application (PostgreSQL default)
3-tier-rds-postgresql	web, app, db	5432	RDS PostgreSQL
3-tier-rds-mysql	web, app, db	3306	RDS MySQL/Aurora MySQL
3-tier-redshift	web, app, db	5439	Analytics with Redshift
3-tier-oracle	web, app, db	1521	Oracle database
3-tier-sqlserver	web, app, db	1433	SQL Server
3-tier-documentdb	web, app, db	27017	DocumentDB (MongoDB-compatible)
2-tier-web	web, app	—	Web + app, no database tier
2-tier-rds-postgresql	web, db	5432	Direct web-to-database

3-Tier Scenarios

All 3-tier scenarios share the same web and app tier structure. Only the database port and description differ.

Architecture

Internet → [Web Tier] → [App Tier] → [DB Tier]
              443/80        8080         DB port

Web Tier (all 3-tier scenarios)

Direction	Port	Source/Destination	Description
Ingress	443	0.0.0.0/0	HTTPS from internet
Ingress	80	0.0.0.0/0	HTTP (redirect to HTTPS)
Egress	443	0.0.0.0/0	Outbound HTTPS

App Tier (all 3-tier scenarios)

Direction	Port	Source/Destination	Description
Ingress	8080	Web SG	Application traffic from web tier
Egress	DB port	DB SG	Database connections
Egress	443	0.0.0.0/0	Outbound HTTPS (AWS APIs)

DB Tier (varies by scenario)

Scenario	Port	Protocol
3-tier-web	5432	PostgreSQL
3-tier-rds-postgresql	5432	PostgreSQL
3-tier-rds-mysql	3306	MySQL
3-tier-redshift	5439	Redshift
3-tier-oracle	1521	Oracle TNS
3-tier-sqlserver	1433	SQL Server TDS
3-tier-documentdb	27017	MongoDB wire protocol

All DB tiers:

• Ingress: DB port from App SG only

• Egress: none (fully isolated)

2-Tier Scenarios

2-tier-web

Web + application tier with no database. Use when the database is external (DynamoDB, managed service, etc.).

Internet → [Web Tier] → [App Tier]
              443/80        8080

Tier	Direction	Port	Source/Destination
Web	Ingress	443	0.0.0.0/0
Web	Ingress	80	0.0.0.0/0
Web	Egress	443	0.0.0.0/0
App	Ingress	8080	Web SG
App	Egress	443	0.0.0.0/0

2-tier-rds-postgresql

Web tier connects directly to database — no separate app tier. For simple applications.

Internet → [Web Tier] → [DB Tier]
              443/80        5432

Tier	Direction	Port	Source/Destination
Web	Ingress	443	0.0.0.0/0
Web	Ingress	80	0.0.0.0/0
Web	Egress	5432	DB SG
Web	Egress	443	0.0.0.0/0
DB	Ingress	5432	Web SG
DB	Egress	—	None

Scenario Architecture

How Scenarios Work

1. You select a scenario in your config (scenario: 3-tier-web)

2. The loader reads the YAML and builds Scenario/Tier/SecurityGroup objects

3. Overrides are applied (port changes, additional rules)

4. The validator checks for security issues

5. The CFN generator produces a CloudFormation template

Cross-Tier References

Rules that reference another tier (e.g., “allow from web tier”) use CloudFormation !Ref to the other security group. This creates a dependency between SGs.

To avoid circular dependencies, cross-tier rules are generated as standalone AWS::EC2::SecurityGroupIngress / AWS::EC2::SecurityGroupEgress resources rather than inline rules.

Parameter Store Integration

After deployment, each tier’s SG ID is stored in Parameter Store:

/sg/{sg-name}/{tier}/SecurityGroupId

Example:

/sg/globalbank-prod-c001-us-west-2-sg/web/SecurityGroupId = sg-0abc123
/sg/globalbank-prod-c001-us-west-2-sg/app/SecurityGroupId = sg-0def456
/sg/globalbank-prod-c001-us-west-2-sg/db/SecurityGroupId  = sg-0ghi789

Choosing a Scenario

If you need…	Use
Standard web app with PostgreSQL	3-tier-web or 3-tier-rds-postgresql
MySQL/Aurora MySQL	3-tier-rds-mysql
Data warehouse / analytics	3-tier-redshift
Legacy Oracle workload	3-tier-oracle
.NET with SQL Server	3-tier-sqlserver
MongoDB-compatible	3-tier-documentdb
No database (DynamoDB, external)	2-tier-web
Simple app, direct DB access	2-tier-rds-postgresql

Customizing with Overrides

Overrides modify a base scenario without creating a new YAML file.

Change the App Port

Default app port is 8080. To use 3000 (Node.js) or 8443 (HTTPS):

overrides:
  app:
    port_overrides:
      - protocol: tcp
        old_port: 8080
        new_port: 3000

Add Monitoring Access

Allow Prometheus scraping from the web tier:

overrides:
  app:
    additional_ingress:
      - protocol: tcp
        port: 9090
        source_tier: web
        description: Prometheus metrics

Add Read Replica Access

Allow a second DB connection for read replicas:

overrides:
  db:
    additional_ingress:
      - protocol: tcp
        port: 5432
        source_tier: app
        description: Read replica connection

Add Cache Tier Egress

Allow app to connect to ElastiCache:

overrides:
  app:
    additional_egress:
      - protocol: tcp
        port: 6379
        destination: 10.0.30.0/24
        description: Redis cache in private subnet

Creating Custom Scenarios

Add a new YAML file to schemas/scenarios/:

# schemas/scenarios/my-custom-scenario.yaml
scenario:
  name: my-custom-scenario
  description: "Description of your architecture"
  version: "1.0.0"
  
  tiers:
    - name: frontend
      description: "Frontend tier"
      security_group:
        name_suffix: frontend-sg
        description: "Frontend security group"
        ingress:
          - protocol: tcp
            port: 443
            source: "0.0.0.0/0"
            description: "HTTPS from internet"
        egress:
          - protocol: tcp
            port: 443
            destination: "0.0.0.0/0"
            description: "Outbound HTTPS"

    - name: backend
      description: "Backend tier"
      security_group:
        name_suffix: backend-sg
        description: "Backend security group"
        ingress:
          - protocol: tcp
            port: 8080
            source_tier: frontend
            description: "Traffic from frontend"
        egress: []

Rules

• File name becomes the scenario name (without .yaml)

• Each tier needs: name, description, security_group

• Each security_group needs: name_suffix, description, ingress, egress

• Use source/destination for CIDR-based rules

• Use source_tier/destination_tier for cross-tier references

• source and source_tier are mutually exclusive

• destination and destination_tier are mutually exclusive

• Use port for a single port or port_range for a range (e.g., 1024-65535) — mutually exclusive

Example using port_range:

egress:
  - protocol: tcp
    port_range: 1024-65535
    destination: "0.0.0.0/0"
    description: "Ephemeral ports for outbound connections"