Security Groups With Meta IP
- Query id: adcd0082-e90b-4b63-862b-21899f6e6a48
- Query name: Security Groups With Meta IP
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.7
- URL: Github
Description
Security groups whose ingress rules are reachable from any address should not open all ports.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
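Resources:
  # Every ingress rule in this template is a positive (flagged) case: the
  # source is the any-address CIDR (0.0.0.0/0 or ::/0) and the rule opens
  # all ports, either through IpProtocol "-1" or through the full 0-65535
  # range. !Ref is the CloudFormation short-form intrinsic; a generic YAML
  # loader needs a constructor registered for it.

  ## Protocol set to "-1" (all ports open regardless of range set)
  Positive1_security_group_1:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIp: "0.0.0.0/0"
        - IpProtocol: "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIpv6: "::/0"  # quoted: a plain scalar starting with ':' is fragile

  # Standalone IPv4 ingress rule
  Positive1_ingress_ipv4_1:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Positive1_security_group_1
      IpProtocol: "-1"
      FromPort: 3000
      ToPort: 3000
      CidrIp: "0.0.0.0/0"

  # Standalone IPv6 ingress rule
  Positive1_ingress_ipv6_1:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Positive1_security_group_1
      IpProtocol: "-1"
      FromPort: 3000
      ToPort: 3000
      CidrIpv6: "::/0"

  ## Any protocol with ports 0-65535 (all) open
  Positive1_security_group_2:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 65535
          CidrIp: "0.0.0.0/0"
        - IpProtocol: "udp"
          FromPort: 0
          ToPort: 65535
          CidrIpv6: "::/0"

  # Standalone IPv4 ingress rule
  Positive1_ingress_ipv4_2:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Positive1_security_group_2
      IpProtocol: "udp"
      FromPort: 0
      ToPort: 65535
      CidrIp: "0.0.0.0/0"

  # Standalone IPv6 ingress rule
  Positive1_ingress_ipv6_2:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Positive1_security_group_2
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 65535
      CidrIpv6: "::/0"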
Positive test num. 2 - json file
{
"Resources": {
"Positive1_security_group_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIpv6": "::/0"
}
]
}
},
"Positive1_ingress_ipv4_1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1_security_group_1" },
"IpProtocol": "-1",
"FromPort": 3000,
"ToPort": 3000,
"CidrIp": "0.0.0.0/0"
}
},
"Positive1_ingress_ipv6_1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1_security_group_1" },
"IpProtocol": "-1",
"FromPort": 3000,
"ToPort": 3000,
"CidrIpv6": "::/0"
}
},
"Positive1_security_group_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": 0,
"ToPort": 65535,
"CidrIpv6": "::/0"
}
]
}
},
"Positive1_ingress_ipv4_2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1_security_group_2" },
"IpProtocol": "udp",
"FromPort": 0,
"ToPort": 65535,
"CidrIp": "0.0.0.0/0"
}
},
"Positive1_ingress_ipv6_2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1_security_group_2" },
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"CidrIpv6": "::/0"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
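Resources:
  # Every ingress rule in this template is a negative (not flagged) case:
  # either the rule covers a single port, or its source CIDR is narrower
  # than the any-address 0.0.0.0/0 / ::/0. !Ref is the CloudFormation
  # short-form intrinsic; a generic YAML loader needs a constructor for it.

  # Ipv4 Samples
  Negative1_security_group_ipv4:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 2000  # not opening all ports
          ToPort: 2000
          CidrIp: "0.0.0.0/0"
        - IpProtocol: "-1"  # still every port, but only from the /16 below
          FromPort: 2000
          ToPort: 2000
          CidrIp: "192.162.0.0/16"  # cidr is not 0.0.0.0/0

  # Standalone IPv4 ingress rules
  Negative1_ingress_ipv4_1:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Negative1_security_group_ipv4
      IpProtocol: "tcp"
      FromPort: 3000  # not opening all ports
      ToPort: 3000
      CidrIp: "0.0.0.0/0"

  Negative1_ingress_ipv4_2:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Negative1_security_group_ipv4
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 65535
      CidrIp: "192.162.0.0/16"  # cidr is not 0.0.0.0/0

  # Ipv6 Samples
  Negative1_security_group_ipv6:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 2000  # not opening all ports
          ToPort: 2000
          CidrIpv6: "::/0"  # quoted: a plain scalar starting with ':' is fragile
        - IpProtocol: "-1"  # still every port, but only from the /32 below
          FromPort: 2000
          ToPort: 2000
          CidrIpv6: "2001:0db8::/32"  # cidr is not ::/0

  # Standalone IPv6 ingress rules
  Negative1_ingress_ipv6_1:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Negative1_security_group_ipv6
      IpProtocol: "tcp"
      FromPort: 4000  # not opening all ports
      ToPort: 4000
      CidrIpv6: "::/0"

  Negative1_ingress_ipv6_2:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref Negative1_security_group_ipv6
      IpProtocol: "udp"
      FromPort: 0
      ToPort: 65535
      CidrIpv6: "2001:0db8::/32"  # cidr is not ::/0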
Negative test num. 2 - json file
{
"Resources": {
"Negative1_security_group_ipv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 2000,
"ToPort": 2000,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIp": "192.162.0.0/16"
}
]
}
},
"Negative1_ingress_ipv4_1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative1_security_group_ipv4" },
"IpProtocol": "tcp",
"FromPort": 3000,
"ToPort": 3000,
"CidrIp": "0.0.0.0/0"
}
},
"Negative1_ingress_ipv4_2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative1_security_group_ipv4" },
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"CidrIp": "192.162.0.0/16"
}
},
"Negative1_security_group_ipv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 2000,
"ToPort": 2000,
"CidrIpv6": "::/0"
},
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIpv6": "2001:0db8::/32"
}
]
}
},
"Negative1_ingress_ipv6_1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative1_security_group_ipv6" },
"IpProtocol": "tcp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "::/0"
}
},
"Negative1_ingress_ipv6_2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative1_security_group_ipv6" },
"IpProtocol": "udp",
"FromPort": 0,
"ToPort": 65535,
"CidrIpv6": "2001:0db8::/32"
}
}
}
}