DB Security Group With Public Scope

  • Query id: 9564406d-e761-4e61-b8d7-5926e3ab8e79
  • Query name: DB Security Group With Public Scope
  • Platform: CloudFormation
  • Severity: Critical
  • Category: Networking and Firewall
  • URL: Github

Description

The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
      - !GetAtt DBEC2SecurityGroup.GroupId
Positive test num. 2 - yaml file
Resources:
  DBinstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        -
          CIDRIP: 0.0.0.0/0
Positive test num. 3 - yaml file
Resources:
  DBEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIpv6: ::/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
  DBInstance3:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
      - !GetAtt DBEC2SecurityGroup2.GroupId

Positive test num. 4 - json file
{
  "Resources": {
    "DBEC2SecurityGroup": {
      "Properties": {
        "GroupDescription": "Open database for access",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "Engine": "MySQL",
        "MasterUsername": {
          "Ref": "DBUser"
        },
        "VPCSecurityGroups": [
          "DBEC2SecurityGroup.GroupId"
        ],
        "DBName": {
          "Ref": "DBName"
        },
        "MultiAZ": {
          "Ref": "MultiAZDatabase"
        },
        "DBInstanceClass": {
          "Ref": "DBClass"
        },
        "AllocatedStorage": {
          "Ref": "DBAllocatedStorage"
        },
        "MasterUserPassword": {
          "Ref": "DBPassword"
        }
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Resources": {
    "DBinstance2": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL",
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Resources": {
    "DBEC2SecurityGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "GroupDescription": "Open database for access",
        "SecurityGroupIngress": [
          {
            "CidrIpv6": "::/0",
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80
          }
        ]
      }
    },
    "DBInstance3": {
      "Properties": {
        "Engine": "MySQL",
        "AllocatedStorage": {
          "Ref": "DBAllocatedStorage"
        },
        "MasterUserPassword": {
          "Ref": "DBPassword"
        },
        "VPCSecurityGroups": [
          "DBEC2SecurityGroup2.GroupId"
        ],
        "PubliclyAccessible": true,
        "DBName": {
          "Ref": "DBName"
        },
        "MultiAZ": {
          "Ref": "MultiAZDatabase"
        },
        "MasterUsername": {
          "Ref": "DBUser"
        },
        "DBInstanceClass": {
          "Ref": "DBClass"
        }
      },
      "Type": "AWS::RDS::DBInstance"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 1.2.3.4/24
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
      - !GetAtt DBEC2SecurityGroup.GroupId
Negative test num. 2 - yaml file
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        -
          CIDRIP: 1.2.3.4/24
Negative test num. 3 - json file
{
  "Resources": {
    "DBEC2SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "CidrIp": "1.2.3.4/24",
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "GroupDescription": "Open database for access"
      }
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "DBName": {
          "Ref": "DBName"
        },
        "MultiAZ": {
          "Ref": "MultiAZDatabase"
        },
        "MasterUsername": {
          "Ref": "DBUser"
        },
        "AllocatedStorage": {
          "Ref": "DBAllocatedStorage"
        },
        "Engine": "MySQL",
        "DBInstanceClass": {
          "Ref": "DBClass"
        },
        "MasterUserPassword": {
          "Ref": "DBPassword"
        },
        "VPCSecurityGroups": [
          "DBEC2SecurityGroup.GroupId"
        ]
      }
    }
  }
}

Negative test num. 4 - json file
{
  "Resources": {
    "DBinstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL",
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "PubliclyAccessible": true,
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup"
          }
        ]
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "1.2.3.4/24"
          }
        ]
      }
    }
  }
}