Security Group With Unrestricted Access To SSH
- Query id: 6e856af2-62d7-4ba2-adc1-73b62cef9cc1
- Query name: Security Group With Unrestricted Access To SSH
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 284
- Risk score: 5.2
- URL: Github
Description
An AWS Security Group ingress rule should not expose SSH (TCP port 22) to the whole internet, i.e. to `0.0.0.0/0` (IPv4) or `::/0` (IPv6, whether written compressed or as `0000:...:0000/0`). As the samples below show, the check also catches rules that reach port 22 indirectly: an all-protocols rule (`IpProtocol: "-1"`), a TCP port range that contains 22, TCP given by its protocol number (`"6"`), and standalone `AWS::EC2::SecurityGroupIngress` resources as well as inline `SecurityGroupIngress` entries. It does not flag broad but bounded source ranges (e.g. a public /16) or non-TCP rules on port 22, so it is not a general "overly permissive ingress" check.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  # IPv4 Rules
  # Flagged: TCP/22 open to the IPv4 any-address CIDR.
  Positive1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  # Flagged: IpProtocol "-1" is "all protocols". The query treats it as
  # reaching port 22 even though FromPort/ToPort are 10-10.
  # NOTE(review): per AWS, an all-protocols rule allows traffic on every
  # port regardless of the port range given - the range does not narrow it.
  Positive1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 10
          ToPort: 10
          CidrIp: 0.0.0.0/0
  # Flagged on the SECOND rule only: protocol number "6" (TCP's IANA
  # number, resolved like "tcp") with a range 10-40 that contains 22,
  # open to 0.0.0.0/0. The first rule is limited to a /16 and exists to
  # prove the query inspects every element of the ingress array, not
  # just the first one.
  Positive1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 30
          CidrIp: 192.0.0.0/16  # should not flag - used to test array index search
        - IpProtocol: "6"
          FromPort: 10
          ToPort: 40
          CidrIp: 0.0.0.0/0
  # IPv6 Rules
  # Flagged: TCP/22 open to the IPv6 any-address CIDR.
  Positive1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 22
          ToPort: 22
          CidrIpv6: "::/0"
  # Flagged: all protocols from ::/0 (same reasoning as Positive1IPv4_2).
  Positive1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 10
          ToPort: 10
          CidrIpv6: "::/0"
  # Flagged on the second rule: TCP (by number) 10-40 from the
  # uncompressed spelling of ::/0. Being positive here shows the query
  # must recognise the any-address CIDR in this form, not only as "::/0".
  Positive1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 30
          CidrIpv6: "2400:cb00::/32"  # should not flag - used to test array index search
        - IpProtocol: "6"
          FromPort: 10
          ToPort: 40
          CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
Positive test num. 2 - yaml file
Resources:
  # The group itself carries no inline rules; every rule below is a
  # standalone AWS::EC2::SecurityGroupIngress attached via GroupId. This
  # sample shows the query covers that form, not only inline
  # SecurityGroupIngress entries.
  DualStackSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for IPv4 and IPv6 ingress rules"
      VpcId: !Ref MyVPC
  # IPv4 Rules
  # Flagged: all protocols from 0.0.0.0/0; the 10-10 port range does not
  # narrow an all-protocols rule.
  IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "-1"
      FromPort: 10
      ToPort: 10
      CidrIp: "0.0.0.0/0"
  # Flagged: TCP range 10-40 contains port 22, open to 0.0.0.0/0.
  IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 10
      ToPort: 40
      CidrIp: "0.0.0.0/0"
  # IPv6 Rules
  # Flagged: TCP range 0-30 contains port 22, open to ::/0.
  IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 30
      CidrIpv6: "::/0"
  # Flagged: same as IPv6Ingress1 but with the uncompressed form of ::/0.
  IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 10
      ToPort: 40
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  # Flagged: all protocols from the uncompressed form of ::/0.
  IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "-1"
      FromPort: 10
      ToPort: 10
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
Positive test num. 3 - json file
{
"Resources": {
"Positive1IPv4_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Positive1IPv4_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": 10,
"ToPort": 10,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Positive1ArrayTestIPv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 30,
"CidrIp": "192.0.0.0/16"
},
{
"IpProtocol": "6",
"FromPort": 10,
"ToPort": 40,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Positive1IPv6_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "::/0"
}
]
}
},
"Positive1IPv6_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": 10,
"ToPort": 10,
"CidrIpv6": "::/0"
}
]
}
},
"Positive1ArrayTestIPv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 30,
"CidrIpv6": "2400:cb00::/32"
},
{
"IpProtocol": "6",
"FromPort": 10,
"ToPort": 40,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
]
}
}
}
}
Positive test num. 4 - json file
{
"Resources": {
"DualStackSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for IPv4 and IPv6 ingress rules",
"VpcId": {
"Ref": "MyVPC"
}
}
},
"IPv4Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DualStackSecurityGroup"
},
"IpProtocol": "-1",
"FromPort": 10,
"ToPort": 10,
"CidrIp": "0.0.0.0/0"
}
},
"IPv4Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DualStackSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": 10,
"ToPort": 40,
"CidrIp": "0.0.0.0/0"
}
},
"IPv6Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DualStackSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 30,
"CidrIpv6": "::/0"
}
},
"IPv6Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DualStackSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": 10,
"ToPort": 40,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
},
"IPv6Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DualStackSecurityGroup"
},
"IpProtocol": "-1",
"FromPort": 10,
"ToPort": 10,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  # None of these rules should be reported. Each one fails at least one of
  # the query's three conditions: TCP (by name or number 6, or "-1"), a
  # port range that contains 22, and an any-address source CIDR.
  # IPv4 Rules
  Negative1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "udp"  # wrong protocol: UDP/22 is not SSH
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  Negative1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 100
          ToPort: 200  # range 100-200 does not contain port 22
          CidrIp: 0.0.0.0/0
  Negative1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 30
          CidrIp: 192.0.0.0/16  # CidrIp is not 0.0.0.0/0
        # NOTE(review): an all-protocols rule from an entire /16 is still
        # very broad. It passes only because this query matches the
        # any-address CIDR, not because the rule is safe.
        - IpProtocol: udp  # all fields "incorrect"
          FromPort: 4000
          ToPort: 4000
          CidrIp: 192.120.0.0/16
  # IPv6 Rules
  Negative1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "udp"  # wrong protocol: UDP/22 is not SSH
          FromPort: 22
          ToPort: 22
          CidrIpv6: "::/0"
  Negative1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 100
          ToPort: 200  # range 100-200 does not contain port 22
          CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  Negative1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 30
          CidrIpv6: "2400:cb00::/32"  # CidrIpv6 is not ::/0
        - IpProtocol: "udp"  # all fields "incorrect"
          FromPort: 4000
          ToPort: 4000
          CidrIpv6: "2400:cb00::/32"
Negative test num. 2 - yaml file
Resources:
  # Standalone-ingress counterpart of Negative test 1: none of the
  # AWS::EC2::SecurityGroupIngress resources below should be reported.
  Negative2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for negative test cases"
      VpcId: !Ref MyVPC
  # IPv4 Rules
  Negative2IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"  # incorrect protocol: UDP/22 is not SSH
      FromPort: 22
      ToPort: 22
      CidrIp: "0.0.0.0/0"
  Negative2IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 100  # range 100-200 does not contain port 22
      ToPort: 200
      CidrIp: "0.0.0.0/0"
  # NOTE(review): 8.8.0.0/16 is a live public range; it is not reported
  # only because it is not the any-address CIDR. An all-protocols rule
  # from a public /16 is still worth a manual look.
  Negative2IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "-1"
      FromPort: 0
      ToPort: 30
      CidrIp: "8.8.0.0/16"  # CidrIp is not 0.0.0.0/0
  # All fields "incorrect": UDP, port 4000, bounded source range.
  Negative2IPv4Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"
      FromPort: 4000
      ToPort: 4000
      CidrIp: "8.8.0.0/16"
  # IPv6 Rules
  Negative2IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"  # incorrect protocol: UDP/22 is not SSH
      FromPort: 22
      ToPort: 22
      CidrIpv6: "::/0"
  Negative2IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 4000  # port 4000 only; does not include 22
      ToPort: 4000
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  Negative2IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "-1"
      FromPort: 0
      ToPort: 30
      CidrIpv6: "2400:cb00::/32"  # CidrIpv6 is not ::/0
  # All fields "incorrect": UDP, port 4000, bounded source range.
  Negative2IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"
      FromPort: 4000
      ToPort: 4000
      CidrIpv6: "2400:cb00::/32"
Negative test num. 3 - json file (note: unlike the positive JSON samples, this document has no top-level `Resources` key — the resource names sit directly under the root object. A scanner that walks `Resources` may never evaluate these rules, so a clean result here does not necessarily exercise the query's negative-matching logic; wrapping them in `"Resources": { … }` would make the fixture a valid template and a meaningful negative test.)
{
"Negative1IPv4_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Negative1IPv4_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 100,
"ToPort": 200,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Negative1ArrayTestIPv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": 0,
"ToPort": 30,
"CidrIp": "192.0.0.0/16"
},
{
"IpProtocol": "udp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIp": "192.120.0.0/16"
}
]
}
},
"Negative1IPv6_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "::/0"
}
]
}
},
"Negative1IPv6_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 100,
"ToPort": 200,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
]
}
},
"Negative1ArrayTestIPv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": 0,
"ToPort": 30,
"CidrIpv6": "2400:cb00::/32"
},
{
"IpProtocol": "udp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "2400:cb00::/32"
}
]
}
}
}
Negative test num. 4 - json file (note: as with negative test 3, this document lacks the top-level `Resources` key present in the positive JSON samples and in the YAML negatives. If the query only inspects resources under `Resources`, these rules are never evaluated and the absence of a finding proves nothing; wrapping them in `"Resources": { … }` would make it a valid template.)
{
"Negative2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for negative test cases",
"VpcId": { "Ref": "MyVPC" }
}
},
"Negative2IPv4Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
},
"Negative2IPv4Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 100,
"ToPort": 200,
"CidrIp": "0.0.0.0/0"
}
},
"Negative2IPv4Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "-1",
"FromPort": 0,
"ToPort": 30,
"CidrIp": "8.8.0.0/16"
}
},
"Negative2IPv4Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIp": "8.8.0.0/16"
}
},
"Negative2IPv6Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "::/0"
}
},
"Negative2IPv6Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
},
"Negative2IPv6Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "-1",
"FromPort": 0,
"ToPort": 30,
"CidrIpv6": "2400:cb00::/32"
}
},
"Negative2IPv6Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 4000,
"ToPort": 4000,
"CidrIpv6": "2400:cb00::/32"
}
}
}