Unknown Port Exposed To Internet
- Query id: 829ce3b8-065c-41a3-ad57-e0accfea82d2
- Query name: Unknown Port Exposed To Internet
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
AWS Security Group should not have an unknown port exposed to the entire Internet
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Expose unknown port to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 23
ToPort: 25
CidrIp: 0.0.0.0/0
Positive test num. 2 - json file
{
"Resources": {
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Expose unknown port to client host",
"VpcId": {
"Ref": "myVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 110,
"ToPort": 119,
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Expose known ports to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 20
ToPort: 23
CidrIp: 0.0.0.0/0
Negative test num. 2 - json file
{
"Resources": {
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Expose known port to client host",
"VpcId": {
"Ref": "myVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}