Public and Private EC2 Share Role
- Query id: c53c7a89-f9d7-4c7b-8b66-8a555be99593
- Query name: Public and Private EC2 Share Role
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
Public and private EC2 istances should not share the same role.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
locals {
test_description = "two EC2s, one public, one private"
test_name = "Ec2RoleShareRule test - use case 1"
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "Ec2RoleShareRule1"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
cidr = "10.0.0.0/16"
manage_default_security_group= true
default_security_group_ingress = [
{
from_port = 22
to_port = 22
protocol = "tcp"
description = "ssh"
cidr_blocks = "0.0.0.0/0"
}]
default_security_group_egress =[]
version = "3.7.0"
}
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_instance_profile" "test_profile" {
name = "test_profile"
role = "aws_iam_role.test_role.name"
}
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = "aws_iam_role.test_role.id"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_instance" "pub_ins" {
ami = "data.aws_ami.ubuntu.id"
instance_type = "t2.micro"
subnet_id = module.vpc.public_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile.name
}
resource "aws_instance" "priv_ins" {
ami = "data.aws_ami.ubuntu.id"
instance_type = "t2.micro"
subnet_id = module.vpc.private_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile.name
}
Positive test num. 2 - tf file
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "Ec2RoleShareRule1"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
cidr = "10.0.0.0/16"
manage_default_security_group = true
default_security_group_ingress = [
{
from_port = 22
to_port = 22
protocol = "tcp"
description = "ssh"
cidr_blocks = "0.0.0.0/0"
}]
default_security_group_egress = []
version = "3.7.0"
}
module "ec2_public_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "~> 3.0"
name = "single-instance"
ami = "ami-ebd02392"
instance_type = "t2.micro"
key_name = "user1"
monitoring = true
vpc_security_group_ids = ["sg-12345678"]
subnet_id = module.vpc.public_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile1.name
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "ec2_private_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "~> 3.0"
name = "single-instance"
ami = "ami-ebd02392"
instance_type = "t2.micro"
key_name = "user1"
monitoring = true
vpc_security_group_ids = ["sg-12345678"]
subnet_id = module.vpc.private_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile1.name
tags = {
Terraform = "true"
Environment = "dev"
}
}
resource "aws_iam_instance_profile" "test_profile1" {
name = "test_profile"
role = "aws_iam_role.test_role1.name"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
locals {
test_description = "two EC2s, one public, one private"
test_name = "Ec2RoleShareRule test - use case 1"
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "Ec2RoleShareRule1"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
cidr = "10.0.0.0/16"
manage_default_security_group= true
default_security_group_ingress = [
{
from_port = 22
to_port = 22
protocol = "tcp"
description = "ssh"
cidr_blocks = "0.0.0.0/0"
}]
default_security_group_egress =[]
version = "3.7.0"
}
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_iam_role" "test_role2" {
name = "test_role2"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_instance_profile" "test_profile2" {
name = "test_profile"
role = "aws_iam_role.test_role2.name"
}
resource "aws_iam_role_policy" "test_policy2" {
name = "test_policy"
role = "aws_iam_role.test_role2.id"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_instance" "pub_ins2" {
ami = "data.aws_ami.ubuntu.id"
instance_type = "t2.micro"
subnet_id = module.vpc.public_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile2.name
}
resource "aws_instance" "priv_ins2" {
ami = "data.aws_ami.ubuntu.id"
instance_type = "t2.micro"
subnet_id = module.vpc.private_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile3.name
}
Negative test num. 2 - tf file
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "Ec2RoleShareRule1"
azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
cidr = "10.0.0.0/16"
manage_default_security_group = true
default_security_group_ingress = [
{
from_port = 22
to_port = 22
protocol = "tcp"
description = "ssh"
cidr_blocks = "0.0.0.0/0"
}]
default_security_group_egress = []
version = "3.7.0"
}
module "ec2_public_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "~> 3.0"
name = "single-instance"
ami = "ami-ebd02392"
instance_type = "t2.micro"
key_name = "user1"
monitoring = true
vpc_security_group_ids = ["sg-12345678"]
subnet_id = module.vpc.public_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile5.name
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "ec2_private_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "~> 3.0"
name = "single-instance"
ami = "ami-ebd02392"
instance_type = "t2.micro"
key_name = "user1"
monitoring = true
vpc_security_group_ids = ["sg-12345678"]
subnet_id = module.vpc.private_subnets[0]
iam_instance_profile = aws_iam_instance_profile.test_profile4.name
tags = {
Terraform = "true"
Environment = "dev"
}
}
resource "aws_iam_instance_profile" "test_profile4" {
name = "test_profile"
role = "aws_iam_role.test_role4.name"
}
resource "aws_iam_instance_profile" "test_profile5" {
name = "test_profile"
role = "aws_iam_role.test_role5.name"
}