DB Security Group Open To Large Scope
- Query id: 0104165b-02d5-426f-abc9-91fb48189899
- Query name: DB Security Group Open To Large Scope
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.8
- URL: Github
Description
The CIDR range that a DB Security Group ingress rule admits must not cover more than 256 hosts; an IPv4 prefix shorter than /24 or an IPv6 prefix shorter than /120 exceeds this and is flagged.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  # Legacy (EC2-Classic era) DB security group; the ingress CIDR is the value the query inspects.
  DbSecurity:  # legacy
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        # /23 covers 512 addresses, above the 256-host limit -> flagged
        - CIDRIP: 1.2.3.4/23
  # Same finding on a VPC security group's ingress rule (sample trimmed to the
  # fields the query looks at; protocol/port attributes are omitted)
  DbSecurityByEC2SecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        # /23 = 512 hosts -> flagged
        - CidrIp: 1.2.3.4/23
  # IPv6 variant: a /64 admits 2^64 addresses, far beyond 256 -> flagged
  DbSecurityByEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        - CidrIpv6: 2001:db8:a::123/64
Positive test num. 2 - yaml file
Resources:
  # Standalone ingress resources: the CIDR is checked the same way as inline rules.
  # Legacy (EC2-Classic era) DB security group ingress
  MyDBSecurityGroupIngress:  # legacy
    Type: AWS::RDS::DBSecurityGroupIngress
    Properties:
      DBSecurityGroupName: !Ref MyDBSecurityGroup
      # /23 = 512 hosts, above the 256-host limit -> flagged
      CIDRIP: 1.2.3.4/23
  # VPC security group ingress, IPv4 (protocol/port attributes omitted in this sample)
  StandaloneIngressIPv4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSecurityByEC2SecurityGroup1
      # /23 = 512 hosts -> flagged
      CidrIp: 1.2.3.4/23
  # VPC security group ingress, IPv6: /64 admits 2^64 addresses -> flagged
  StandaloneIngressIPv6:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSecurityByEC2SecurityGroup2
      CidrIpv6: 2001:db8:a::123/64
Positive test num. 3 - json file
{
"Resources": {
"DbSecurity": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress": [
{
"CIDRIP": "1.2.3.4/23"
}
]
}
},
"DbSecurityByEC2SecurityGroup1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"SecurityGroupIngress": [
{
"CidrIp": "1.2.3.4/23"
}
]
}
},
"DbSecurityByEC2SecurityGroup2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"SecurityGroupIngress": [
{
"CidrIpv6": "2001:db8:a::123/64"
}
]
}
}
}
}
Positive test num. 4 - json file
{
"Resources": {
"MyDBSecurityGroupIngress": {
"Type": "AWS::RDS::DBSecurityGroupIngress",
"Properties": {
"DBSecurityGroupName": {
"Ref": "MyDBSecurityGroup"
},
"CIDRIP": "1.2.3.4/23"
}
},
"StandaloneIngressIPv4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DbSecurityByEC2SecurityGroup1"
},
"CidrIp": "1.2.3.4/23"
}
},
"StandaloneIngressIPv6": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DbSecurityByEC2SecurityGroup2"
},
"CidrIpv6": "2001:db8:a::123/64"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  # Legacy (EC2-Classic era) DB security group with a narrow ingress range.
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        # /28 = 16 hosts, within the 256-host limit -> passes
        - CIDRIP: 1.2.3.4/28
  # VPC security group with the same narrow range (sample trimmed to the fields
  # the query looks at; protocol/port attributes are omitted)
  DbSecurityByEC2SecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        # /28 = 16 hosts -> passes
        - CidrIp: 1.2.3.4/28
  # IPv6 variant: a /121 covers 128 addresses, below 256 -> passes
  DbSecurityByEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        - CidrIpv6: 2001:db8:a::123/121
Negative test num. 2 - yaml file
Resources:
  # Standalone ingress resources with narrow CIDRs; none exceeds 256 hosts.
  # Legacy (EC2-Classic era) DB security group ingress
  MyDBSecurityGroupIngress:  # legacy
    Type: AWS::RDS::DBSecurityGroupIngress
    Properties:
      DBSecurityGroupName: !Ref MyDBSecurityGroup
      # /28 = 16 hosts -> passes
      CIDRIP: 1.2.3.4/28
  # VPC security group ingress, IPv4 (protocol/port attributes omitted in this sample)
  StandaloneIngressIPv4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSecurityByEC2SecurityGroup1
      # /28 = 16 hosts -> passes
      CidrIp: 1.2.3.4/28
  # VPC security group ingress, IPv6: /121 = 128 addresses -> passes
  StandaloneIngressIPv6:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSecurityByEC2SecurityGroup2
      CidrIpv6: 2001:db8:a::123/121
Negative test num. 3 - json file
{
"Resources": {
"DbSecurityByEC2SecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress": [
{
"CIDRIP": "1.2.3.4/28"
}
]
}
},
"DbSecurityByEC2SecurityGroup1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"SecurityGroupIngress": [
{
"CidrIp": "1.2.3.4/28"
}
]
}
},
"DbSecurityByEC2SecurityGroup2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"SecurityGroupIngress": [
{
"CidrIpv6": "2001:db8:a::123/121"
}
]
}
}
}
}
Negative test num. 4 - json file
{
"Resources": {
"MyDBSecurityGroupIngress": {
"Type": "AWS::RDS::DBSecurityGroupIngress",
"Properties": {
"DBSecurityGroupName": {
"Ref": "MyDBSecurityGroup"
},
"CIDRIP": "1.2.3.4/28"
}
},
"StandaloneIngressIPv4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DbSecurityByEC2SecurityGroup1"
},
"CidrIp": "1.2.3.4/28"
}
},
"StandaloneIngressIPv6": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DbSecurityByEC2SecurityGroup2"
},
"CidrIpv6": "2001:db8:a::123/121"
}
}
}
}