Security Group Ingress Has CIDR Not Recommended

Query id: a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd
Query name: Security Group Ingress Has CIDR Not Recommended
Platform: CloudFormation
Severity: Low
Category: Best Practices
URL: Github
Description¶

AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6
Documentation
Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file
Postitive test num. 2 - json file
Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp Description: TCP FromPort: 80 ToPort: 80 class="w">        CidrIp: 122.24.0.0/32 SecurityGroupEgress: - IpProtocol: tcp Description: TCP FromPort: 80 ToPort: 80 CidrIp: 192.0.2.0/24 OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: Description: TCP IpProtocol: tcp FromPort: 0 ToPort: 65535 CidrIp: 192.0.2.0/24 DestinationSecurityGroupId: Fn::GetAtt: - TargetSG - GroupId GroupId: Fn::GetAtt: - SourceSG - GroupId InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: Description: TCP IpProtocol: tcp FromPort: 0 ToPort: 65535 class="w">      CidrIpv6: ::/128 SourceSecurityGroupId: Fn::GetAtt: - SourceSG - GroupId GroupId: Fn::GetAtt: - TargetSG - GroupId { "Resources": { "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "ToPort": 65535, "CidrIp": "192.0.2.0/24", "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "Description": "TCP", "IpProtocol": "tcp", "FromPort": 0 } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "Description": "TCP", "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, class="w">        "CidrIpv6": "::/128" } }, "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "SecurityGroupEgress": [ { "ToPort": 80, "CidrIp": "192.0.2.0/24", "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80 } ], "GroupDescription": "Allow http to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, class="w">            "CidrIp": "122.24.0.0/32" } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
         Ref: myVPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        Description: TCP
        FromPort: 80
        ToPort: 80
        CidrIp: 192.0.2.0/24
      SecurityGroupEgress:
      - IpProtocol: tcp
        Description: TCP
        FromPort: 80
        ToPort: 80
        CidrIp: 192.0.2.0/24
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 0
      CidrIp: 192.0.2.0/24
      DestinationSecurityGroupId:
        Fn::GetAtt:
        - TargetSG
        - GroupId
      GroupId:
        Fn::GetAtt:
        - SourceSG
        - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 0
      CidrIpv6: 2001:0DB8:1234::/48
      SourceSecurityGroupId:
        Fn::GetAtt:
        - SourceSG
        - GroupId
      GroupId:
        Fn::GetAtt:
        - TargetSG
        - GroupId

Negative test num. 2 - json file{
  "Resources": {
    "InstanceSecurityGroup": {
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.0.2.0/24"
          }
        ],
        "SecurityGroupEgress": [
          {
            "ToPort": 80,
            "CidrIp": "192.0.2.0/24",
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80
          }
        ],
        "GroupDescription": "Allow http to client host"
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "ToPort": 0,
        "CidrIp": "192.0.2.0/24",
        "DestinationSecurityGroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "ToPort": 0,
        "CidrIpv6": "2001:0DB8:1234::/48",
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0
      }
    }
  }
}