EC2 Sensitive Port Is Publicly Exposed

  • Query id: 494b03d3-bf40-4464-8524-7c56ad0700ed
  • Query name: EC2 Sensitive Port Is Publicly Exposed
  • Platform: CloudFormation
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

The EC2 instance has a sensitive port connection exposed to the entire network
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
  UnsafeSecGroup01:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http and redis
      VpcId: my-vpc
      SecurityGroupIngress:
        - FromPort: 8080
          ToPort: 8080
          CidrIp: 127.0.0.1/32
          IpProtocol: tcp
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          CidrIp: 10.0.0.1/0
      SecurityGroupEgress:
        - FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          IpProtocol: tcp
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
      SecurityGroups:
        - UnsafeSecGroup01
      KeyName: my-new-rsa-key
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
  UnsafeSecGroup02:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http and mysql
      VpcId: my-vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
        - ToPort: 1434
          CidrIp: 10.0.0.1/0
          IpProtocol: tcp
          FromPort: 1433
        - IpProtocol: tcp
          FromPort: 150
          ToPort: 180
          CidrIp: 10.0.0.1/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  EC2Instance02:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.medium
      SecurityGroups:
        - UnsafeSecGroup02
      KeyName: my-new-rsa-key
      ImageId: ami-79fd7eee
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
  UnsafeSecGroup03:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      GroupDescription: Allow http and hadoop
      VpcId: my-vpc
      SecurityGroupIngress:
        - ToPort: 80
          CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 80
        - ToPort: 9000
          CidrIp: 10.0.0.1/0
          IpProtocol: tcp
          FromPort: 9000
  EC2Instance03:
    Type: AWS::EC2::Instance
    Properties:
      SecurityGroups:
        - UnsafeSecGroup03
      KeyName: my-new-rsa-key
      ImageId: ami-79fd7eee
      InstanceType: t3.medium

Positive test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
  UnsafeSecGroup04:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      GroupDescription: Allow LDAP and SNMP
      VpcId: my-vpc
      SecurityGroupIngress:
        - ToPort: 389
          FromPort: 389
          IpProtocol: all
          CidrIp: 10.0.0.0/0
        - ToPort: 150
          FromPort: 180
          IpProtocol: udp
          CidrIp: 10.0.0.1/0
        - ToPort: 53
          FromPort: 53
          IpProtocol: "-1"
          CidrIp: 10.0.0.1/0
  EC2Instance03:
    Type: AWS::EC2::Instance
    Properties:
      SecurityGroups:
        - UnsafeSecGroup04
      KeyName: my-new-rsa-key
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
Positive test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "UnsafeSecGroup01": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "GroupDescription": "Allow http and redis",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "FromPort": 8080,
            "ToPort": 8080,
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 6379,
            "ToPort": 6379,
            "CidrIp": "10.0.0.1/0"
          }
        ]
      }
    },
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium",
        "SecurityGroups": [
          "UnsafeSecGroup01"
        ],
        "KeyName": "my-new-rsa-key"
      }
    }
  }
}
Positive test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "UnsafeSecGroup02": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and mysql",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32"
          },
          {
            "CidrIp": "10.0.0.1/0",
            "IpProtocol": "tcp",
            "FromPort": 1433,
            "ToPort": 1434
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 150,
            "ToPort": 180,
            "CidrIp": "10.0.0.1/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ]
      }
    },
    "EC2Instance02": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          "UnsafeSecGroup02"
        ],
        "KeyName": "my-new-rsa-key",
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium"
      }
    }
  }
}
Positive test num. 7 - json file
{
  "Resources": {
    "UnsafeSecGroup03": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22
          }
        ],
        "GroupDescription": "Allow http and hadoop",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          },
          {
            "ToPort": 9000,
            "CidrIp": "10.0.0.1/0",
            "IpProtocol": "tcp",
            "FromPort": 9000
          }
        ]
      }
    },
    "EC2Instance03": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          "UnsafeSecGroup03"
        ],
        "KeyName": "my-new-rsa-key",
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}
Positive test num. 8 - json file
{
  "Resources": {
    "UnsafeSecGroup04": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22
          }
        ],
        "GroupDescription": "Allow LDAP and SNMP",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "CidrIp": "10.0.0.0/0",
            "ToPort": 389,
            "FromPort": 389,
            "IpProtocol": "all"
          },
          {
            "FromPort": 180,
            "IpProtocol": "udp",
            "CidrIp": "10.0.0.1/0",
            "ToPort": 150
          },
          {
            "IpProtocol": "-1",
            "CidrIp": "10.0.0.1/0",
            "ToPort": 53,
            "FromPort": 53
          }
        ]
      }
    },
    "EC2Instance03": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          "UnsafeSecGroup04"
        ],
        "KeyName": "my-new-rsa-key",
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
  SafeSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 127.0.0.1/32
      GroupDescription: Allow http and ssh
      VpcId: my-vpc
      SecurityGroupIngress:
        - FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
          IpProtocol: tcp
        - ToPort: 77
          CidrIp: 127.0.0.1/32
          IpProtocol: all
          FromPort: 77
  MyNegativeEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      SecurityGroups:
        - SafeSecGroup
      KeyName: my-new-rsa-key
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "SafeSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp"
          },
          {
            "ToPort": 77,
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "all",
            "FromPort": 77
          }
        ],
        "SecurityGroupEgress": [
          {
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp"
          }
        ]
      }
    },
    "MyNegativeEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          "SafeSecGroup"
        ],
        "KeyName": "my-new-rsa-key",
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium"
      }
    }
  }
}