VPC Default Security Group Accepts All Traffic
- Query id: 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75
- Query name: VPC Default Security Group Accepts All Traffic
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Default Security Group attached to every VPC should restrict all traffic
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_vpc" "mainvpc" {
cidr_block = "10.1.0.0/16"
}
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.mainvpc.id
ingress = [
{
protocol = -1
self = true
from_port = 0
to_port = 0
}
]
egress = [
{
from_port = 0
to_port = 0
protocol = "-1"
}
]
}
Positive test num. 2 - tf file
resource "aws_vpc" "mainvpc3" {
cidr_block = "10.1.0.0/16"
}
resource "aws_default_security_group" "default3" {
vpc_id = aws_vpc.mainvpc3.id
ingress = [
{
protocol = -1
self = true
from_port = 0
to_port = 0
ipv6_cidr_blocks = ["::/0"]
}
]
egress = [
{
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
]
}