HTTP Port Open To Internet

  • Query id: ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
  • Query name: HTTP Port Open To Internet
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 668
  • Risk score: 4.9
  • URL: Github

Description

A Security Group ingress rule (an inline `SecurityGroupIngress` entry or a standalone `AWS::EC2::SecurityGroupIngress` resource) allows TCP port 80 from any source, i.e. `CidrIp: 0.0.0.0/0` or `CidrIpv6: ::/0` (the expanded `0000:0000:0000:0000:0000:0000:0000:0000/0` spelling counts too). Rules using `IpProtocol: -1` (all protocols, port range ignored), the IANA protocol number `6` (TCP) or a TCP port range that contains 80 are flagged as well; UDP on port 80, ranges that exclude 80 and non-wildcard CIDRs are not. Only the literal wildcard CIDR is treated as "the internet" here, so very wide non-wildcard ranges appear to pass this check and should be reviewed manually. Plaintext HTTP reachable from everywhere should be restricted to trusted CIDRs or terminated at a load balancer that redirects to HTTPS.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
# Each resource below holds at least one ingress rule that reaches TCP/80 from
# the IPv4 or IPv6 wildcard CIDR; that rule is what the query is expected to flag.
# IPv4 Rules
  Positive1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0  # TCP/80 from any IPv4 source: the canonical finding

  Positive1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "-1"  # all protocols; AWS ignores FromPort/ToPort for -1, so port 80 is reachable despite 10-10
          FromPort: 10
          ToPort: 10
          CidrIp: 0.0.0.0/0

  Positive1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 1000
          CidrIp: 192.0.0.0/16  # should not flag - not the wildcard CIDR; present to test array index search
        - IpProtocol: "6"  # IANA protocol number 6 is TCP and must be treated like "tcp"
          FromPort: 0
          ToPort: 100  # range contains port 80
          CidrIp: 0.0.0.0/0

# IPv6 Rules
  Positive1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort: 80
        ToPort: 80
        CidrIpv6: "::/0"  # TCP/80 from any IPv6 source

  Positive1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
      - IpProtocol: "-1"  # all protocols/ports regardless of the 10-10 range, see Positive1IPv4_2
        FromPort: 10
        ToPort: 10
        CidrIpv6: "::/0"

  Positive1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 1000
          CidrIpv6: "2400:cb00::/32"  # should not flag - not the wildcard CIDR; used to test array index search
        - IpProtocol: "6"  # protocol number 6 = TCP
          FromPort: 70
          ToPort: 90  # range contains port 80
          CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"  # expanded spelling of ::/0; the query must match both forms
Positive test num. 2 - yaml file
Resources:

  DualStackSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for IPv4 and IPv6 ingress rules"
      VpcId: !Ref MyVPC

# IPv4 Rules
# Standalone AWS::EC2::SecurityGroupIngress resources attached through GroupId.
# The query has to evaluate these as well as inline SecurityGroupIngress lists;
# every rule below reaches TCP/80 from a wildcard CIDR and is expected to be flagged.
  IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "-1"  # all protocols; AWS ignores FromPort/ToPort for -1, so port 80 is reachable
      FromPort: 10
      ToPort: 10
      CidrIp: "0.0.0.0/0"

  IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 70
      ToPort: 90  # range contains port 80
      CidrIp: "0.0.0.0/0"

# IPv6 Rules
  IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 80
      ToPort: 80
      CidrIpv6: "::/0"  # TCP/80 from any IPv6 source

  IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 70
      ToPort: 90  # range contains port 80
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"  # expanded spelling of ::/0

  IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "-1"  # all protocols/ports regardless of the 10-10 range
      FromPort: 10
      ToPort: 10
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
Positive test num. 3 - json file
{
  "Resources": {
    "Positive1IPv4_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Positive1IPv4_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "-1",
            "FromPort": 10,
            "ToPort": 10,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Positive1ArrayTestIPv4": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 0,
            "ToPort": 1000,
            "CidrIp": "192.0.0.0/16"
          },
          {
            "IpProtocol": "6",
            "FromPort": 0,
            "ToPort": 100,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Positive1IPv6_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "Positive1IPv6_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "-1",
            "FromPort": 10,
            "ToPort": 10,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "Positive1ArrayTestIPv6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 0,
            "ToPort": 1000,
            "CidrIpv6": "2400:cb00::/32"
          },
          {
            "IpProtocol": "6",
            "FromPort": 70,
            "ToPort": 90,
            "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
          }
        ]
      }
    }
  }
}

Positive test num. 4 - json file
{
    "Resources": {
        "DualStackSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Security group for IPv4 and IPv6 ingress rules",
                "VpcId": {
                    "Ref": "MyVPC"
                }
            }
        },
        "IPv4Ingress1": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "DualStackSecurityGroup"
                },
                "IpProtocol": "-1",
                "FromPort": 10,
                "ToPort": 10,
                "CidrIp": "0.0.0.0/0"
            }
        },
        "IPv4Ingress2": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "DualStackSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 70,
                "ToPort": 90,
                "CidrIp": "0.0.0.0/0"
            }
        },
        "IPv6Ingress1": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "DualStackSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 80,
                "ToPort": 80,
                "CidrIpv6": "::/0"
            }
        },
        "IPv6Ingress2": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "DualStackSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 70,
                "ToPort": 90,
                "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
            }
        },
        "IPv6Ingress3": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "DualStackSecurityGroup"
                },
                "IpProtocol": "-1",
                "FromPort": 10,
                "ToPort": 10,
                "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
            }
        }
    }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
# None of the rules below combine a TCP protocol, a port range containing 80
# and a wildcard source CIDR, so nothing here is expected to be flagged.
# IPv4 Rules
  Negative1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "udp"  # wrong protocol - UDP/80 is not HTTP, even though the source is the wildcard
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  Negative1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 100
          ToPort: 200      # not catching port 80
          CidrIp: 0.0.0.0/0

  Negative1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "-1"  # all protocols/ports, but the source is not the wildcard
          FromPort: 0
          ToPort: 1000
          CidrIp: 192.0.0.0/16  # CidrIp is not 0.0.0.0/0
          # NOTE(review): only the wildcard CIDR counts as "internet" in these fixtures; a very
          # wide non-wildcard range (e.g. /1 or /8) would pass this check - confirm against the query
        - IpProtocol: "udp"   # all fields "incorrect"
          FromPort: 1000
          ToPort: 2000
          CidrIp: 192.120.0.0/16

# IPv6 Rules
  Negative1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "udp"  # wrong protocol
          FromPort: 80
          ToPort: 80
          CidrIpv6: "::/0"

  Negative1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 5000
          ToPort: 5000      # not catching port 80
          CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"  # wildcard source, but the port does not match

  Negative1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: "-1"  # all protocols/ports, but the source is not the wildcard
          FromPort: 0
          ToPort: 1000
          CidrIpv6: "2400:cb00::/32"  # CidrIpv6 is not ::/0
        - IpProtocol: "udp"   # all fields "incorrect"
          FromPort: 1000
          ToPort: 2000
          CidrIpv6: "2400:cb00::/32"
Negative test num. 2 - yaml file
Resources:

  Negative2SecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: "Security group for negative test cases"
        VpcId: !Ref MyVPC

# IPv4 Rules
# Standalone ingress resources; none of them combines a TCP protocol, a port
# range containing 80 and a wildcard source CIDR, so nothing should be flagged.
  Negative2IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"      # incorrect protocol - UDP/80 is not HTTP
      FromPort: 80
      ToPort: 80
      CidrIp: "0.0.0.0/0"

  Negative2IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 100      # not catching port 80
      ToPort: 200
      CidrIp: "0.0.0.0/0"

  Negative2IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "-1"  # all protocols/ports, but the source is not the wildcard
      FromPort: 0
      ToPort: 100
      CidrIp: "8.8.0.0/16"  # CidrIp is not 0.0.0.0/0

  Negative2IPv4Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"    # all fields "incorrect"
      FromPort: 5000
      ToPort: 5000
      CidrIp: "8.8.0.0/16"

# IPv6 Rules
  Negative2IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"  # incorrect protocol
      FromPort: 80
      ToPort: 80
      CidrIpv6: "::/0"

  Negative2IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 5000    # not catching port 80
      ToPort: 5000
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"  # wildcard source, but the port does not match

  Negative2IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "-1"  # all protocols/ports, but the source is not the wildcard
      FromPort: 0
      ToPort: 100
      CidrIpv6: "2400:cb00::/32"  # CidrIpv6 is not ::/0

  Negative2IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup   # all fields "incorrect"
      IpProtocol: "udp"
      FromPort: 5000
      ToPort: 5000
      CidrIpv6: "2400:cb00::/32"
Negative test num. 3 - json file
{
  "Resources": {
    "Negative1IPv4_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "udp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Negative1IPv4_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 100,
            "ToPort": 200,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Negative1ArrayTestIPv4": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "-1",
            "FromPort": 0,
            "ToPort": 1000,
            "CidrIp": "192.0.0.0/16"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 1000,
            "ToPort": 2000,
            "CidrIp": "192.120.0.0/16"
          }
        ]
      }
    },
    "Negative1IPv6_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "udp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "Negative1IPv6_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 5000,
            "ToPort": 5000,
            "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
          }
        ]
      }
    },
    "Negative1ArrayTestIPv6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "-1",
            "FromPort": 0,
            "ToPort": 1000,
            "CidrIpv6": "2400:cb00::/32"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 1000,
            "ToPort": 2000,
            "CidrIpv6": "2400:cb00::/32"
          }
        ]
      }
    }
  }
}

Negative test num. 4 - json file
{
  "Resources": {
    "Negative2SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for negative test cases",
        "VpcId": {
          "Ref": "MyVPC"
        }
      }
    },
    "Negative2IPv4Ingress1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "udp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "Negative2IPv4Ingress2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "tcp",
        "FromPort": 100,
        "ToPort": 200,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "Negative2IPv4Ingress3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "-1",
        "FromPort": 0,
        "ToPort": 100,
        "CidrIp": "8.8.0.0/16"
      }
    },
    "Negative2IPv4Ingress4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "udp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIp": "8.8.0.0/16"
      }
    },
    "Negative2IPv6Ingress1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "udp",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIpv6": "::/0"
      }
    },
    "Negative2IPv6Ingress2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "tcp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
      }
    },
    "Negative2IPv6Ingress3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "-1",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIpv6": "2400:cb00::/32"
      }
    },
    "Negative2IPv6Ingress4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative2SecurityGroup"
        },
        "IpProtocol": "udp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIpv6": "2400:cb00::/32"
      }
    }
  }
}