ELB With Security Group Without Outbound Rules
- Query id: 01d5a458-a6c4-452a-ac50-054d59275b7c
- Query name: ELB With Security Group Without Outbound Rules
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description
An AWS Elastic Load Balancer (ELB) should not be attached to a security group that declares no outbound (egress) rules. When a VPC security group is created without SecurityGroupEgress, CloudFormation leaves the default rule that allows all outbound traffic to 0.0.0.0/0 in place; that default rule is removed only when at least one egress rule is declared inline on the group. Declare explicit egress rules so the load balancer can only reach the backend instances and ports it needs.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  sgwithoutegress:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
      # No SecurityGroupEgress: CloudFormation keeps the default rule allowing all outbound traffic
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - sgwithoutegress
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "sgwithoutegress": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Limits security group egress traffic"
      }
    },
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "SecurityGroups": [
          "sgwithoutegress"
        ]
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  sgwithegress:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
      SecurityGroupEgress:  # an inline egress rule replaces the default allow-all rule
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0  # still any destination; narrow this to the backend subnets where possible
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - sgwithegress
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "sgwithegress": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Limits security group egress traffic",
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "SecurityGroups": [
          "sgwithegress"
        ]
      }
    }
  }
}
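The following is an added example, not part of the KICS query or its documentation: a plain-Python version of the check run over the samples above, plus two extra constructed cases the page does not show (an Application Load Balancer referencing the group through Ref / Fn::GetAtt, and a group whose only egress rule lives in a standalone AWS::EC2::SecurityGroupEgress resource). The templates are embedded as JSON so the script runs offline without a YAML library; the function and constant names are this example's own.

```python
import json

# Load-balancer resource types whose SecurityGroups property attaches a security group.
LOAD_BALANCER_TYPES = {
    "AWS::ElasticLoadBalancing::LoadBalancer",    # classic ELB, as in the page samples
    "AWS::ElasticLoadBalancingV2::LoadBalancer",  # ALB / NLB
}


def resolve_sg_name(entry):
    """Logical name of a security group referenced from a SecurityGroups list.

    Accepts a bare logical name (as in the page samples), {"Ref": "Name"} or
    {"Fn::GetAtt": ["Name", "GroupId"]} / "Name.GroupId". Returns None for
    anything that cannot be resolved inside the template, such as a literal
    "sg-..." id of a group created elsewhere.
    """
    if isinstance(entry, str) and not entry.startswith("sg-"):
        return entry
    if isinstance(entry, dict):
        if "Ref" in entry:
            return entry["Ref"]
        att = entry.get("Fn::GetAtt")
        if isinstance(att, list) and att:
            return att[0]
        if isinstance(att, str):
            return att.split(".", 1)[0]
    return None


def find_elb_sg_without_egress(template):
    """Return sorted (load_balancer, security_group) pairs that should be flagged.

    A group is flagged when it is declared in the template with no inline
    SecurityGroupEgress entries (absent or empty): CloudFormation then leaves the
    default allow-all outbound rule on it. A separate AWS::EC2::SecurityGroupEgress
    resource adds a rule but does not remove that default, so it does not clear
    the finding. Groups not declared in the template are skipped, not flagged.
    """
    resources = template.get("Resources", {})
    findings = []
    for lb_name, lb in resources.items():
        if lb.get("Type") not in LOAD_BALANCER_TYPES:
            continue
        for entry in (lb.get("Properties") or {}).get("SecurityGroups", []):
            sg = resources.get(resolve_sg_name(entry))
            if not sg or sg.get("Type") != "AWS::EC2::SecurityGroup":
                continue
            if not (sg.get("Properties") or {}).get("SecurityGroupEgress"):
                findings.append((lb_name, resolve_sg_name(entry)))
    return sorted(findings)


# Constructed templates: the first two mirror the page samples, the third is an
# extra case (standalone egress resource only) that the page does not show.
POSITIVE_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "sgwithoutegress": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "Limits security group egress traffic"}},
    "MyLoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {"SecurityGroups": ["sgwithoutegress"]}}
  }}""")

NEGATIVE_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "sgwithegress": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "Limits security group egress traffic",
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                 "CidrIp": "0.0.0.0/0"}]}},
    "MyLoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"SecurityGroups": [{"Ref": "sgwithegress"}]}}
  }}""")

STANDALONE_EGRESS_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "sg": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "egress declared in a separate resource"}},
    "sgEgress": {"Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {"GroupId": {"Ref": "sg"}, "IpProtocol": "tcp",
                     "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"}},
    "Alb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"SecurityGroups": [{"Fn::GetAtt": ["sg", "GroupId"]}]}}
  }}""")

if __name__ == "__main__":
    for label, tpl in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE),
                       ("standalone-egress", STANDALONE_EGRESS_TEMPLATE)):
        print(label, find_elb_sg_without_egress(tpl))
```

Running the script flags the positive sample and the standalone-egress case, and passes the negative sample. The standalone case is the one to remember when reviewing real templates: only an inline SecurityGroupEgress list replaces the default allow-all outbound rule, so a group whose rules are all declared through separate AWS::EC2::SecurityGroupEgress resources still ends up with unrestricted egress.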