Security Group Rule Without Description
- Query id: 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e
- Query name: Security Group Rule Without Description
- Platform: Terraform
- Severity: Info
- Category: Best Practices
- URL: Github
Description¶
It's considered a best practice for all rules in AWS Security Group to have a description
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {
Name = "allow_tls"
}
}
Positive test num. 2 - tf file
resource "aws_security_group" "positive2" {
name = "${var.prefix}-external-http-https"
description = "Allow main HTTP / HTTPS"
vpc_id = local.vpc_id
ingress {
description = "Enable HTTP access for select VMs"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.prefix}-external-http-https"
}
}
Positive test num. 3 - tf file
resource "aws_security_group" "positive3" {
name = "${var.prefix}-external-http-https"
description = "Allow main HTTP / HTTPS"
vpc_id = local.vpc_id
tags = {
Name = "${var.prefix}-external-http-https"
}
}
resource "aws_security_group_rule" "positive3a" {
description = "Enable HTTP access for select VMs"
from_port = 80
to_port = 80
cidr_blocks = ["0.0.0.0/0"]
protocol = "tcp"
security_group_id = aws_security_group.positive3.id
type = "ingress"
}
resource "aws_security_group_rule" "positive3b" {
from_port = 443
to_port = 443
cidr_blocks = ["0.0.0.0/0"]
protocol = "tcp"
security_group_id = aws_security_group.positive3.id
type = "ingress"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
}
tags = {
Name = "allow_tls"
}
}
Negative test num. 2 - tf file
resource "aws_security_group" "negative2" {
name = "${var.prefix}-external-http-https"
description = "Allow main HTTP / HTTPS"
vpc_id = local.vpc_id
ingress {
description = "Enable HTTP access for select VMs"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "Enable HTTPS access for select VMs"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.prefix}-external-http-https"
}
}
Negative test num. 3 - tf file
resource "aws_security_group" "negative3" {
name = "${var.prefix}-external-http-https"
description = "Allow main HTTP / HTTPS"
vpc_id = local.vpc_id
tags = {
Name = "${var.prefix}-external-http-https"
}
}
resource "aws_security_group_rule" "negative3a" {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.negative3.id
type = "ingress"
description = "Enable HTTP access for select VMs"
}
resource "aws_security_group_rule" "negative3b" {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.negative3.id
type = "ingress"
description = "Enable HTTPS access for select VMs"
}