Unrestricted Security Group Ingress
- Query id: 4728cd65-a20c-49da-8b31-9c08b423e4db
- Query name: Unrestricted Security Group Ingress
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Security groups allow ingress from 0.0.0.0:0 and/or ::/0
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - tf file
resource "aws_security_group_rule" "positive1" {
type = "ingress"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.default.id
}
Postitive test num. 2 - tf file
resource "aws_security_group" "positive2" {
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.default.id
}
}
Postitive test num. 3 - tf file
resource "aws_security_group" "positive3" {
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["1.0.0.0/0"]
}
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
Postitive test num. 4 - tf file
Postitive test num. 5 - tf file
Postitive test num. 6 - tf file
Postitive test num. 7 - tf file
Postitive test num. 8 - tf file
Postitive test num. 9 - tf file
Postitive test num. 10 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_security_group_rule" "negative1" {
type = "ingress"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.2.0/0"]
security_group_id = aws_security_group.default.id
}
Negative test num. 2 - tf file
resource "aws_security_group" "negative2" {
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.2.0/0"]
security_group_id = aws_security_group.default.id
}
}
Negative test num. 3 - tf file
resource "aws_security_group" "negative3" {
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["1.0.0.0/0"]
}
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.1.0/0"]
}
}