Security Groups Allows Unrestricted Outbound Traffic
- Query id: 66f2d8f9-a911-4ced-ae27-34f09690bb2c
- Query name: Security Groups Allows Unrestricted Outbound Traffic
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 200
- Risk score: 5.2
- URL: Github
Description
A security group should never allow unrestricted egress access.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
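Resources:
  Positive1_security_group:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupEgress:
        # Flagged: all protocols ("-1") to every IPv4 address. With IpProtocol
        # "-1" AWS permits traffic on all ports, so FromPort/ToPort do not
        # narrow this rule.
        - IpProtocol: "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIp: "0.0.0.0/0"
  # Standalone IPv4 egress rule (flagged for the same reason)
  Positive1_egress_ipv4:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Positive1_security_group
      IpProtocol: "-1"
      FromPort: 3000
      ToPort: 3000
      CidrIp: "0.0.0.0/0"
  # Standalone IPv6 egress rule (flagged: "::/0" is the IPv6 any-address)
  Positive1_egress_ipv6:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Positive1_security_group
      IpProtocol: "-1"
      FromPort: 4000
      ToPort: 4000
      CidrIpv6: "::/0"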
Positive test num. 2 - yaml file
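Resources:
  Positive2_security_group:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupEgress:
        # Flagged: all protocols ("-1") to every IPv6 address. With IpProtocol
        # "-1" AWS permits traffic on all ports, so FromPort/ToPort do not
        # narrow this rule.
        - IpProtocol: "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIpv6: "::/0"
  # Standalone IPv6 egress rule. "0:0:0:0:0:0:0:0/0" is the uncompressed
  # spelling of "::/0" and must be treated as the same unrestricted CIDR.
  Positive2_egress_ipv6:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Positive2_security_group
      IpProtocol: "-1"
      FromPort: 4000
      ToPort: 4000
      CidrIpv6: "0:0:0:0:0:0:0:0/0"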
Positive test num. 3 - json file
{
"Resources": {
"Positive3_security_group": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupEgress": [
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Positive3_egress_ipv4": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Positive3_security_group"
},
"IpProtocol": "-1",
"FromPort": 3000,
"ToPort": 3000,
"CidrIp": "0.0.0.0/0"
}
},
"Positive3_egress_ipv6": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Positive3_security_group"
},
"IpProtocol": "-1",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "::/0"
}
}
}
}
Positive test num. 4 - json file
{
"Resources": {
"Positive4_security_group": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupEgress": [
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIpv6": "::/0"
}
]
}
},
"Positive4_egress_ipv6": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Positive4_security_group"
},
"IpProtocol": "-1",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "0:0:0:0:0:0:0:0/0"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
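Resources:
  Negative1_security_group:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupEgress:
        # Not flagged: a single protocol and port, even though the destination
        # is any IPv4 address.
        - IpProtocol: tcp  # protocol is not "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIp: "0.0.0.0/0"
        # Not flagged: the query only requires a destination narrower than
        # 0.0.0.0/0; the CIDR itself is not checked against private ranges.
        - IpProtocol: "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIp: "192.162.0.0/16"  # cidr is not 0.0.0.0/0
        - IpProtocol: "-1"
          FromPort: 2000
          ToPort: 2000
          CidrIpv6: "2001:0db8::/32"  # cidr is not ::/0
  # Standalone IPv4 egress rules
  Negative1_egress_ipv4_1:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: tcp  # protocol is not "-1"
      FromPort: 3000
      ToPort: 3000
      CidrIp: "0.0.0.0/0"
  Negative1_egress_ipv4_2:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: "-1"
      FromPort: 3000
      ToPort: 3000
      CidrIp: "192.162.0.0/16"  # cidr is not 0.0.0.0/0
  # Standalone IPv6 egress rules
  Negative1_egress_ipv6_1:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: tcp  # protocol is not "-1"
      FromPort: 4000
      ToPort: 4000
      CidrIpv6: "::/0"
  Negative1_egress_ipv6_2:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: "-1"
      FromPort: 4000
      ToPort: 4000
      CidrIpv6: "2001:0db8::/32"  # cidr is not ::/0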
Negative test num. 2 - json file
{
"Resources": {
"Negative1_security_group": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Open security group",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 2000,
"ToPort": 2000,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIp": "192.162.0.0/16"
},
{
"IpProtocol": "-1",
"FromPort": 2000,
"ToPort": 2000,
"CidrIpv6": "2001:0db8::/32"
}
]
}
},
"Negative1_egress_ipv4_1": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Negative1_security_group"
},
"IpProtocol": "tcp",
"FromPort": 3000,
"ToPort": 3000,
"CidrIp": "0.0.0.0/0"
}
},
"Negative1_egress_ipv4_2": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Negative1_security_group"
},
"IpProtocol": "-1",
"FromPort": 3000,
"ToPort": 3000,
"CidrIp": "192.162.0.0/16"
}
},
"Negative1_egress_ipv6_1": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Negative1_security_group"
},
"IpProtocol": "tcp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "::/0"
}
},
"Negative1_egress_ipv6_2": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "Negative1_security_group"
},
"IpProtocol": "-1",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "2001:0db8::/32"
}
}
}
}