Fully Open Ingress
- Query id: e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5
- Query name: Fully Open Ingress
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.7
- URL: Github
Description
The ECS service's security group should not allow unrestricted access to all ports from all IPv4 or IPv6 addresses.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
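Resources:
  Sample_Service:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref 'ECSCluster'
  Sample_Cluster:
    Type: AWS::ECS::Cluster
  # EC2 Security Group with inline IPv4 and IPv6 rules
  DBEC2SecurityGroupInline:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Inline IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # Flagged: the whole TCP port range (0-65535) is open to every IPv4 address.
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
        # Flagged: the whole UDP port range is open to every IPv6 address.
        # "::/0" is quoted because a plain scalar starting with ':' is
        # parser-dependent; the JSON sample below carries it as a string too.
        - IpProtocol: "udp"
          FromPort: 0
          ToPort: 65535
          CidrIpv6: "::/0"
  # EC2 Security Group with standalone ingress rules
  DBEC2SecurityGroupStandalone:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Standalone IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
  # Flagged: IpProtocol "-1" means all protocols (no port range applies),
  # and the source is the IPv4 wildcard.
  DBEC2SecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone
      IpProtocol: "-1"
      CidrIp: 0.0.0.0/0
  # Flagged: the long-form IPv6 wildcard is the same "::/0" source,
  # so the spelling of the CIDR must not affect the match.
  DBEC2SecurityGroupIngressIPv6:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 65535
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  # RDS Instance referencing all security groups
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      # Sample value only; a public endpoint makes the open rules above
      # reachable from the internet rather than just from inside the VPC.
      PubliclyAccessible: true
      DBName: !Ref DBName
      Engine: MySQL
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroupInline
        - !Ref DBEC2SecurityGroupStandalone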
Positive test num. 2 - json file
{
"Resources": {
"Sample_Service": {
"Type": "AWS::ECS::Service",
"Properties": {
"Cluster": {
"Ref": "ECSCluster"
}
}
},
"Sample_Cluster": {
"Type": "AWS::ECS::Cluster"
},
"DBEC2SecurityGroupInline": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Inline IPv4 and IPv6 ingress",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": 0,
"ToPort": 65535,
"CidrIpv6": "::/0"
}
]
}
},
"DBEC2SecurityGroupStandalone": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Standalone IPv4 and IPv6 ingress",
"VpcId": {
"Ref": "VPC"
}
}
},
"DBEC2SecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DBEC2SecurityGroupStandalone"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
},
"DBEC2SecurityGroupIngressIPv6": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DBEC2SecurityGroupStandalone"
},
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
},
"DBInstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"PubliclyAccessible": true,
"DBName": {
"Ref": "DBName"
},
"Engine": "MySQL",
"VPCSecurityGroups": [
{
"Ref": "DBEC2SecurityGroupInline"
},
{
"Ref": "DBEC2SecurityGroupStandalone"
}
]
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
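Resources:
  Sample_Service:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref 'ECSCluster'
  Sample_Cluster:
    Type: AWS::ECS::Cluster
  # EC2 Security Group with inline IPv4 and IPv6 rules
  DBEC2SecurityGroupInline:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Inline IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # Not flagged: the source is the IPv4 wildcard, but the port range
        # stops one short of the full 0-65535 span.
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 65534  # does not expose all ports
          CidrIp: 0.0.0.0/0
        # Not flagged: all UDP ports, but only from one specific IPv6 prefix.
        - IpProtocol: "udp"
          FromPort: 0
          ToPort: 65535
          CidrIpv6: 2607:f0d0:1002:51::4/56  # cidr not exposed
  # EC2 Security Group with standalone ingress rules
  DBEC2SecurityGroupStandalone:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Standalone IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
  # Not flagged: all protocols ("-1") but only from a single /16.
  # NOTE(review): 192.162.0.0/16 is not an RFC 1918 private range; it passes
  # here only because it is not the 0.0.0.0/0 wildcard.
  DBEC2SecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone
      IpProtocol: "-1"
      CidrIp: 192.162.0.0/16  # cidr not exposed
  # Not flagged: IPv6 wildcard source, but the port range is partial.
  # "::/0" is quoted because a plain scalar starting with ':' is
  # parser-dependent; the JSON sample below carries it as a string too.
  DBEC2SecurityGroupIngressIPv6:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 34000  # does not expose all ports
      CidrIpv6: "::/0"
  # RDS Instance referencing all security groups
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      # Sample value only; this query checks the ingress rules, not whether
      # the database endpoint itself is public.
      PubliclyAccessible: true
      DBName: !Ref DBName
      Engine: MySQL
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroupInline
        - !Ref DBEC2SecurityGroupStandalone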
Negative test num. 2 - json file
{
"Resources": {
"Sample_Service": {
"Type": "AWS::ECS::Service",
"Properties": {
"Cluster": {
"Ref": "ECSCluster"
}
}
},
"Sample_Cluster": {
"Type": "AWS::ECS::Cluster"
},
"DBEC2SecurityGroupInline": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Inline IPv4 and IPv6 ingress",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65534,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": 0,
"ToPort": 65535,
"CidrIpv6": "2607:f0d0:1002:51::4/56"
}
]
}
},
"DBEC2SecurityGroupStandalone": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Standalone IPv4 and IPv6 ingress",
"VpcId": {
"Ref": "VPC"
}
}
},
"DBEC2SecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DBEC2SecurityGroupStandalone"
},
"IpProtocol": "-1",
"CidrIp": "192.162.0.0/16"
}
},
"DBEC2SecurityGroupIngressIPv6": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DBEC2SecurityGroupStandalone"
},
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 34000,
"CidrIpv6": "::/0"
}
},
"DBInstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"PubliclyAccessible": true,
"DBName": {
"Ref": "DBName"
},
"Engine": "MySQL",
"VPCSecurityGroups": [
{
"Ref": "DBEC2SecurityGroupInline"
},
{
"Ref": "DBEC2SecurityGroupStandalone"
}
]
}
}
}
}