Default Security Groups With Unrestricted Traffic
- Query id: 46883ce1-dc3e-4b17-9195-c6a601624c73
- Query name: Default Security Groups With Unrestricted Traffic
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Check if default security group does not restrict all inbound and outbound traffic.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - tf file
resource "aws_default_security_group" "positive1" {
vpc_id = aws_vpc.mainvpc.id
ingress {
protocol = -1
self = true
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_default_security_group" "positive2" {
vpc_id = aws_vpc.mainvpc.id
egress {
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_blocks = ["::/0"]
}
}
resource "aws_default_security_group" "positive3" {
vpc_id = aws_vpc.mainvpc.id
ingress {
protocol = -1
self = true
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_blocks = ["::/0"]
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_default_security_group" "negative1" {
vpc_id = aws_vpc.mainvpc.id
ingress {
protocol = -1
self = true
from_port = 0
to_port = 0
cidr_blocks = ["10.1.0.0/16"]
ipv6_cidr_blocks = ["250.250.250.1:8451"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["10.1.0.0/16"]
ipv6_cidr_blocks = ["250.250.250.1:8451"]
}
}