ELB With Security Group Without Outbound Rules
- Query id: 01d5a458-a6c4-452a-ac50-054d59275b7c
- Query name: ELB With Security Group Without Outbound Rules
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 665
- Risk score: 5.2
- URL: Github
Description
An AWS Elastic Load Balancer (ELB) should not be associated with a security group that defines no outbound (egress) rules, either inline through `SecurityGroupEgress` or through a standalone `AWS::EC2::SecurityGroupEgress` resource that references the group.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
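---
# Positive sample: sgwithoutegress declares no inline SecurityGroupEgress and no
# AWS::EC2::SecurityGroupEgress resource references it, so the classic ELB that
# uses this group is reported by the query.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  sgwithoutegress:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - sgwithoutegress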
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySGv2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG v2 with empty egress inline",
"VpcId": "vpc-123456",
"SecurityGroupEgress": []
}
},
"MyALB": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
"MySGv2"
],
"Subnets": [
"subnet-123",
"subnet-456"
]
}
}
}
}
Positive test num. 3 - yaml file
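---
# Positive sample: WrongStandaloneEgress targets GroupId "wrong-ref", which is
# not a security group in this template, so MySG still has no egress rule and
# the classic ELB that uses it is reported.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "SG with incorrect standalone egress"
      VpcId: vpc-123456
  WrongStandaloneEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: wrong-ref  # matches no security group in this template
      CidrIp: 0.0.0.0/0
      IpProtocol: -1
  MyClassicLB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - MySG
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      Subnets:
        - subnet-123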
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG with incorrect standalone egress",
"VpcId": "vpc-123456"
}
},
"WrongStandaloneEgress": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": "wrong-ref",
"CidrIp": "0.0.0.0/0",
"IpProtocol": -1
}
},
"MyClassicLB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"MySG"
],
"Listeners": [
{
"LoadBalancerPort": 80,
"InstancePort": 80,
"Protocol": "HTTP"
}
],
"Subnets": [
"subnet-123"
]
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithoutegress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic"
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"sgwithoutegress"
]
}
}
}
}
Positive test num. 6 - yaml file
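---
# Positive sample: sgEgressRule references `wrong_ref` instead of sgwithegress,
# so the group attached to the ALB has no egress rule and the ALB is reported.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  sgwithegress:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
  sgEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref wrong_ref  # does not resolve to sgwithegress
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref sgwithegress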
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithegress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic"
}
},
"sgEgressRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "wrong_ref"
},
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "sgwithegress"
}
]
}
}
}
}
Positive test num. 8 - yaml file
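---
# Positive sample: MySG has neither an inline SecurityGroupEgress list nor a
# standalone AWS::EC2::SecurityGroupEgress resource, so the classic ELB that
# uses it is reported.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "SG without egress inline"
      VpcId: vpc-123456
  MyClassicLB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - MySG
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      Subnets:
        - subnet-123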
Positive test num. 9 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG without egress inline",
"VpcId": "vpc-123456"
}
},
"MyClassicLB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"MySG"
],
"Listeners": [
{
"LoadBalancerPort": 80,
"InstancePort": 80,
"Protocol": "HTTP"
}
],
"Subnets": [
"subnet-123"
]
}
}
}
}
Positive test num. 10 - yaml file
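---
# Positive sample: an explicitly empty SecurityGroupEgress list is treated the
# same as a missing one, so the classic ELB using MySG is reported.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "SG with empty egress inline"
      VpcId: vpc-123456
      SecurityGroupEgress: []  # empty list: no outbound rule is defined
  MyClassicLB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - MySG
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      Subnets:
        - subnet-123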
Positive test num. 11 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG with empty egress inline",
"VpcId": "vpc-123456",
"SecurityGroupEgress": []
}
},
"MyClassicLB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"MySG"
],
"Listeners": [
{
"LoadBalancerPort": 80,
"InstancePort": 80,
"Protocol": "HTTP"
}
],
"Subnets": [
"subnet-123"
]
}
}
}
}
Positive test num. 12 - yaml file
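---
# Positive sample: the ALB (ELBv2) uses MySGv2, whose SecurityGroupEgress list
# is empty, so the load balancer is reported.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySGv2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "SG v2 with empty egress inline"
      VpcId: vpc-123456
      SecurityGroupEgress: []  # empty list: no outbound rule is defined
  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - MySGv2
      Subnets:
        - subnet-123
        - subnet-456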
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
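---
# Negative sample: sgwithegress defines an inline egress rule (TCP/80), so the
# classic ELB that uses it passes this query.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  sgwithegress:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - sgwithegress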
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithegress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic",
"SecurityGroupEgress": [
{
"ToPort": 80,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 80
}
]
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"sgwithegress"
]
}
}
}
}
Negative test num. 3 - yaml file
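---
# Negative sample: the standalone sgEgressRule references sgwithegress via
# !Ref, so the group attached to the ALB has an egress rule and passes.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  sgwithegress:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
  sgEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref sgwithegress  # resolves to the group used by the ALB
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref sgwithegress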
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithegress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic"
}
},
"sgEgressRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgwithegress"
},
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "sgwithegress"
}
]
}
}
}
}
Negative test num. 5 - yaml file
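---
# Negative sample: MyStandaloneEgress references MySG, so the group has an
# egress rule and the classic ELB passes this query. Note that the rule itself
# (IpProtocol -1 to 0.0.0.0/0) permits all outbound traffic; the query only
# checks that a rule exists, so restrict protocol, ports and destination in a
# real template.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "SG with valid standalone egress"
      VpcId: vpc-123456
  MyStandaloneEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref MySG
      IpProtocol: -1  # all protocols
      CidrIp: 0.0.0.0/0
  MyClassicLB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref MySG
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      Subnets:
        - subnet-123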
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG with valid standalone egress",
"VpcId": "vpc-123456"
}
},
"MyStandaloneEgress": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "MySG"
},
"IpProtocol": -1,
"CidrIp": "0.0.0.0/0"
}
},
"MyClassicLB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "MySG"
}
],
"Listeners": [
{
"LoadBalancerPort": 80,
"InstancePort": 80,
"Protocol": "HTTP"
}
],
"Subnets": [
"subnet-123"
]
}
}
}
}
Negative test num. 7 - yaml file
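---
# Negative sample: MySGv2 has both an inline egress rule (TCP/443) and a
# standalone AWS::EC2::SecurityGroupEgress that references it, so the ALB
# passes this query. The standalone rule (IpProtocol -1 to 0.0.0.0/0) permits
# all outbound traffic; the query only checks that a rule exists, so scope it
# down in a real template.
# The version is quoted so generic YAML parsers do not read it as a date.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySGv2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "SG with both inline and standalone egress"
      VpcId: vpc-123456
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  MyStandaloneEgressv2:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref MySGv2
      IpProtocol: -1  # all protocols
      CidrIp: 0.0.0.0/0
  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref MySGv2
      Subnets:
        - subnet-aaa
        - subnet-bbb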
Negative test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySGv2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG with both inline and standalone egress",
"VpcId": "vpc-123456",
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 443,
"ToPort": 443,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"MyStandaloneEgressv2": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "MySGv2"
},
"IpProtocol": -1,
"CidrIp": "0.0.0.0/0"
}
},
"MyALB": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "MySGv2"
}
],
"Subnets": [
"subnet-aaa",
"subnet-bbb"
]
}
}
}
}