ELB Sensitive Port Is Exposed To Entire Network
- Query id: 78055456-f670-4d2e-94d5-392d1cf4f5e4
- Query name: ELB Sensitive Port Is Exposed To Entire Network
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.7
- URL: Github
Description
The application's load balancer exposes a sensitive port to the entire internet.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:  # Positive case: classic ELB attached to security groups whose inline ingress rules open sensitive ports to a /0 CIDR
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      SecurityGroups:  # every group below is what makes this sample a finding
        - !Ref Positive1IPv4_1
        - !Ref Positive1IPv4_2
        - !Ref Positive1ArrayTestIPv4
        - !Ref Positive1IPv6_1
        - !Ref Positive1IPv6_2
        - !Ref Positive1ArrayTestIPv6
  Positive1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow all protocols on all ports from 10.0.0.0/0"
      SecurityGroupIngress:
        - IpProtocol: "-1"  # -1 = all protocols
          FromPort: 22
          ToPort: 22
          CidrIp: "10.0.0.0/0"  # a /0 prefix length covers the whole address space regardless of the base address
  Positive1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Port 22 on TCP"
      SecurityGroupIngress:
        - IpProtocol: "6"  # protocol number 6 = TCP
          FromPort: 22
          ToPort: 22
          CidrIp: "192.168.0.0/0"
  Positive1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ports 137 and 138 on UDP"
      SecurityGroupIngress:
        - IpProtocol: "17"  # protocol number 17 = UDP
          FromPort: 137
          ToPort: 137
          CidrIp: "172.16.0.0/0"
        - IpProtocol: "udp"
          FromPort: 137
          ToPort: 137
          CidrIp: "10.68.0.0"  # not exposed (no /0 prefix length on this entry)
        - IpProtocol: "udp"
          FromPort: 138
          ToPort: 138
          CidrIp: "172.16.0.0/0"
  # IPv6 Rules
  Positive1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow all ports on all protocols"  # NOTE(review): description does not match the rule below (TCP/22 only)
      SecurityGroupIngress:
        - IpProtocol: "6"
          FromPort: 22
          ToPort: 22
          CidrIpv6: "fd00::/0"
  Positive1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow port 22 on TCP"
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 22
          ToPort: 22
          CidrIpv6: "fd12:3456:789a::1/0"
  Positive1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow ports 137 and 138 on UDP"
      SecurityGroupIngress:
        - IpProtocol: "udp"
          FromPort: 137
          ToPort: 137
          CidrIpv6: "fd00:abcd:1234::42/0"
        - IpProtocol: "udp"
          FromPort: 138
          ToPort: 138
          CidrIpv6: "fd00:abcd:1234::42/0"
Positive test num. 2 - yaml file
Resources:  # Positive case: ELBv2 attached to one security group whose standalone ingress resources open sensitive ports to a /0 CIDR
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref DualStackSecurityGroup
  DualStackSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for IPv4 and IPv6 ingress rules"
      VpcId: !Ref MyVPC
  # IPv4 Rules (attached to the group through GroupId rather than inline)
  IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "17"  # protocol number 17 = UDP
      FromPort: 137
      ToPort: 137
      CidrIp: "10.0.0.0/0"
  IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 22
      ToPort: 22
      CidrIp: "192.168.0.0/0"
  IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "udp"
      FromPort: 137
      ToPort: 137
      CidrIp: "172.16.0.0/0"
  IPv4Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "udp"
      FromPort: 138
      ToPort: 138
      CidrIp: "172.16.0.0/0"
  # IPv6 Rules
  IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "6"  # protocol number 6 = TCP
      FromPort: 22
      ToPort: 22
      CidrIpv6: "fd00::/0"
  IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "tcp"
      FromPort: 22
      ToPort: 22
      CidrIpv6: "fd12:3456:789a::1/0"
  IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "udp"
      FromPort: 137
      ToPort: 137
      CidrIpv6: "fd00:abcd:1234::42/0"
  IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: "udp"
      FromPort: 138
      ToPort: 138
      CidrIpv6: "fd00:abcd:1234::42/0"
Positive test num. 3 - yaml file
# Test for classic load balancing Referencing Vulnerable "AWS::EC2::Instance"
# Positive case: the ELB has no SecurityGroups of its own; exposure comes through the instance it registers.
Resources:
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Instances:
        - !Ref EC2Instance01
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups:
        - !Ref 'InstancesSecGroup'
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  InstancesSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http and ssh
      VpcId: my-vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32  # single host, not exposed
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          CidrIp: 127.0.0.1/0  # /0 prefix length, so the base address does not restrict anything
        - IpProtocol: udp
          FromPort: 1000
          ToPort: 5000
          CidrIpv6: "fd00:abcd:1234::/0"
Positive test num. 4 - yaml file
Resources:  # Positive case: ELBv2 attached to one security group whose inline ingress list opens sensitive ports to a /0 CIDR
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref DualStackSecurityGroup
  DualStackSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for IPv4 and IPv6 ingress rules"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # -----------------------
        # IPv4 Rules
        # -----------------------
        - IpProtocol: "17"  # UDP (protocol 17)
          FromPort: 137
          ToPort: 137
          CidrIp: "10.0.0.0/0"
        - IpProtocol: "tcp"
          FromPort: 22
          ToPort: 22
          CidrIp: "192.168.0.0/0"
        - IpProtocol: "udp"
          FromPort: 137
          ToPort: 137
          CidrIp: "172.16.0.0/0"
        - IpProtocol: "udp"
          FromPort: 138
          ToPort: 138
          CidrIp: "172.16.0.0/0"
        # -----------------------
        # IPv6 Rules
        # -----------------------
        - IpProtocol: "6"  # TCP (protocol 6)
          FromPort: 22
          ToPort: 22
          CidrIpv6: "fd00::/0"
        - IpProtocol: "tcp"
          FromPort: 22
          ToPort: 22
          CidrIpv6: "fd12:3456:789a::1/0"
        - IpProtocol: "udp"
          FromPort: 137
          ToPort: 137
          CidrIpv6: "fd00:abcd:1234::42/0"
        - IpProtocol: "udp"
          FromPort: 138
          ToPort: 138
          CidrIpv6: "fd00:abcd:1234::42/0"
Positive test num. 5 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"Listeners": [
{
"LoadBalancerPort": 80,
"InstancePort": 80,
"Protocol": "HTTP"
}
],
"SecurityGroups": [
{ "Ref": "Positive1IPv4_1" },
{ "Ref": "Positive1IPv4_2" },
{ "Ref": "Positive1ArrayTestIPv4" },
{ "Ref": "Positive1IPv6_1" },
{ "Ref": "Positive1IPv6_2" },
{ "Ref": "Positive1ArrayTestIPv6" }
]
}
},
"Positive1IPv4_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow all protocols on all ports from 10.0.0.0/0",
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "10.0.0.0/0"
}
]
}
},
"Positive1IPv4_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Port 22 on TCP",
"SecurityGroupIngress": [
{
"IpProtocol": "6",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "192.168.0.0/0"
}
]
}
},
"Positive1ArrayTestIPv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ports 137 and 138 on UDP",
"SecurityGroupIngress": [
{
"IpProtocol": "17",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "172.16.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "10.68.0.0"
},
{
"IpProtocol": "udp",
"FromPort": 138,
"ToPort": 138,
"CidrIp": "172.16.0.0/0"
}
]
}
},
"Positive1IPv6_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow all ports on all protocols",
"SecurityGroupIngress": [
{
"IpProtocol": "6",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd00::/0"
}
]
}
},
"Positive1IPv6_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow port 22 on TCP",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd12:3456:789a::1/0"
}
]
}
},
"Positive1ArrayTestIPv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow ports 137 and 138 on UDP",
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIpv6": "fd00:abcd:1234::42/0"
},
{
"IpProtocol": "udp",
"FromPort": 138,
"ToPort": 138,
"CidrIpv6": "fd00:abcd:1234::42/0"
}
]
}
}
}
}
Positive test num. 6 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{ "Ref": "DualStackSecurityGroup" }
]
}
},
"DualStackSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for IPv4 and IPv6 ingress rules",
"VpcId": { "Ref": "MyVPC" }
}
},
"IPv4Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "17",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "10.0.0.0/0"
}
},
"IPv4Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "192.168.0.0/0"
}
},
"IPv4Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "172.16.0.0/0"
}
},
"IPv4Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "udp",
"FromPort": 138,
"ToPort": 138,
"CidrIp": "172.16.0.0/0"
}
},
"IPv6Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "6",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd00::/0"
}
},
"IPv6Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd12:3456:789a::1/0"
}
},
"IPv6Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIpv6": "fd00:abcd:1234::42/0"
}
},
"IPv6Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "DualStackSecurityGroup" },
"IpProtocol": "udp",
"FromPort": 138,
"ToPort": 138,
"CidrIpv6": "fd00:abcd:1234::42/0"
}
}
}
}
Positive test num. 7 - json file
{
"Resources": {
"GatewayLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"Instances": [
{
"Ref": "EC2Instance01"
}
]
}
},
"EC2Instance01": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
{
"Ref": "InstancesSecGroup"
}
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
},
"InstancesSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "127.0.0.1/32"
},
{
"IpProtocol": "tcp",
"FromPort": 636,
"ToPort": 636,
"CidrIp": "127.0.0.1/0"
},
{
"IpProtocol": "udp",
"FromPort": 1000,
"ToPort": 5000,
"CidrIpv6": "fd00:abcd:1234::/0"
}
]
}
}
}
}
Positive test num. 8 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "DualStackSecurityGroup"
}
]
}
},
"DualStackSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for IPv4 and IPv6 ingress rules",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "17",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "10.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "192.168.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "172.16.0.0/0"
},
{
"IpProtocol": "udp",
"FromPort": 138,
"ToPort": 138,
"CidrIp": "172.16.0.0/0"
},
{
"IpProtocol": "6",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd00::/0"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd12:3456:789a::1/0"
},
{
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIpv6": "fd00:abcd:1234::42/0"
},
{
"IpProtocol": "udp",
"FromPort": 138,
"ToPort": 138,
"CidrIpv6": "fd00:abcd:1234::42/0"
}
]
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Test classic load balancing - LoadBalancer security groups with inline ingresses
# Negative case: every rule misses at least one of the conditions (sensitive port, TCP/UDP/all protocol, /0 CIDR).
Resources:
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref Negative1IPv4_1
        - !Ref Negative1IPv4_2
        - !Ref Negative1ArrayTestIPv4
        - !Ref Negative1IPv6_1  # NOTE(review): no resource with this name in the sample; the IPv6 groups below are named Positive1IPv6_*
        - !Ref Negative1IPv6_2
        - !Ref Negative1ArrayTestIPv6
  # Ipv4 Rules
  Negative1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Incorrect protocol: ICMP"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "icmp"  # not TCP/UDP/all, so the /0 CIDR alone does not trigger
          FromPort: 22
          ToPort: 22
          CidrIp: "10.0.0.0/0"
  Negative1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Unknown port: port 5000"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "6"
          FromPort: 5000  # not a sensitive port
          ToPort: 5000
          CidrIp: "192.168.0.0/0"
  Negative1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Mixed incorrect CIDRs and protocols"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # incorrect cidr (not exposed)
        - IpProtocol: "udp"
          FromPort: 137
          ToPort: 137
          CidrIp: "8.8.0.0/16"
        # all fields "incorrect"
        - IpProtocol: "icmp"
          FromPort: 5000
          ToPort: 5000
          CidrIp: "10.68.0.0/14"
  # IPv6 Rules
  Positive1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Incorrect protocol: ICMPV6"
      SecurityGroupIngress:
        - IpProtocol: "58"  # protocol number 58 is "icmpv6" = incorrect protocol
          FromPort: 22
          ToPort: 22
          CidrIpv6: "fd00::/0"
  Positive1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Unknown port: port 5000"
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 5000  # unknown port
          ToPort: 5000
          CidrIpv6: "fd12:3456:789a::1/0"
  Positive1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Mixed incorrect CIDR and 'All incorrect'"
      SecurityGroupIngress:
        - IpProtocol: "udp"
          FromPort: 137
          ToPort: 137
          CidrIpv6: "2400:cb00::/32"  # incorrect cidr (not exposed)
        - IpProtocol: "58"  # all fields "incorrect"
          FromPort: 110
          ToPort: 110
          CidrIpv6: "fd00:abcd:1234::42/0"
Negative test num. 2 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "MainSecurityGroup"
}
]
}
},
"MainSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group containing all negative/positive tests (standalone ingress)",
"VpcId": {
"Ref": "MyVPC"
}
}
},
"Negative1IPv4_1_Ingress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "icmp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "10.0.0.0/0"
}
},
"Negative1IPv4_2_Ingress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "6",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "192.168.0.0/0"
}
},
"Negative1ArrayTestIPv4_Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "8.8.0.0/16"
}
},
"Negative1ArrayTestIPv4_Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "icmp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "10.68.0.0/14"
}
},
"Positive1IPv6_1_Ingress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "58",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd00::/0"
}
},
"Positive1IPv6_2_Ingress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIpv6": "fd12:3456:789a::1/0"
}
},
"Positive1ArrayTestIPv6_Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIpv6": "2400:cb00::/32"
}
},
"Positive1ArrayTestIPv6_Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "MainSecurityGroup"
},
"IpProtocol": "58",
"FromPort": 110,
"ToPort": 110,
"CidrIpv6": "fd00:abcd:1234::42/0"
}
}
}
}
Negative test num. 3 - yaml file
# Test classic load balancing - LoadBalancer security groups with stand alone ingresses
# Negative case: standalone AWS::EC2::SecurityGroupIngress resources, none of which combines a sensitive port, TCP/UDP and a /0 CIDR.
Resources:
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref Negative2SecurityGroup
  Negative2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for negative test cases"
      VpcId: !Ref MyVPC
  # IPv4 Rules
  Negative2IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "icmp"  # incorrect protocol
      FromPort: 22
      ToPort: 22
      CidrIp: "10.0.0.0/0"
  Negative2IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 5000  # unknown port
      ToPort: 5000
      CidrIp: "192.168.0.0/0"
  Negative2IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"
      FromPort: 137
      ToPort: 137
      CidrIp: "8.8.0.0/16"  # incorrect cidr (not exposed)
  Negative2IPv4Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup  # all fields "incorrect"
      IpProtocol: "icmp"
      FromPort: 5000
      ToPort: 5000
      CidrIp: "8.8.0.0/16"
  # IPv6 Rules
  Negative2IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "58"  # protocol number 58 is "icmpv6" = incorrect protocol
      FromPort: 22
      ToPort: 22
      CidrIpv6: "fd00::/0"
  Negative2IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 5000  # unknown port
      ToPort: 5000
      CidrIpv6: "fd12:3456:789a::1/0"
  Negative2IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"
      FromPort: 137
      ToPort: 137
      CidrIpv6: "2400:cb00::/32"  # incorrect cidr (not exposed)
  Negative2IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup  # all fields "incorrect"
      IpProtocol: "58"  # ICMPv6
      FromPort: 5000
      ToPort: 5000
      CidrIpv6: "2400:cb00::/32"
Negative test num. 4 - yaml file
# Test for classic load balancing referencing "AWS::EC2::Instance"
# Negative case: the registered instance's security group never pairs a sensitive port with TCP/UDP and a /0 CIDR.
Resources:
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Instances:
        - !Ref EC2Instance01
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups:
        - !Ref InstancesSecGroup
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  InstancesSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for test cases
      VpcId: my-vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8000
          ToPort: 8000
          CidrIp: 127.0.0.1/32  # single host, not exposed
        - IpProtocol: "icmp"  # invalid protocol for this check
          FromPort: 22
          ToPort: 22
          CidrIp: "10.0.0.0/0"  # ends in /0
        - IpProtocol: "50"  # invalid protocol for this check (ESP)
          FromPort: 443
          ToPort: 443
          CidrIp: "192.168.0.0/0"  # ends in /0
Negative test num. 5 - yaml file
Resources:  # Negative case: ELBv2 attached to groups that either have no sensitive port on a /0 CIDR or use a protocol outside TCP/UDP/all
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref SGCase1  # NOTE(review): SGCase1 and SGCase4 are referenced but not defined in this sample
        - !Ref SGCase2
        - !Ref SGCase3
        - !Ref SGCase4
        - !Ref SGCase5
        - !Ref SGCase6
  SGCase2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "IPv4 Case 2 - /0 without insecure ports"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 5000
          ToPort: 5000
          CidrIp: "192.168.0.0/0"
  SGCase3:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "IPv4 Case 3 - insecure ports in range, invalid protocol"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "icmp"  # not -1,6,TCP,UDP,17
          FromPort: 20
          ToPort: 5000  # insecure ports in this range
          CidrIp: "8.8.0.0/16"
  SGCase5:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "IPv6 Case 2 - /0 without insecure ports"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 5000
          ToPort: 5000
          CidrIpv6: "fd12:3456:789a::1/0"
  SGCase6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "IPv6 Case 3 - insecure ports in range, invalid protocol"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "58"  # ICMPv6, not in allowed list
          FromPort: 20
          ToPort: 5000
          CidrIpv6: "2400:cb00::/32"
Negative test num. 6 - yaml file
Resources:  # Negative case: classic ELB with one group and standalone ingress resources; no rule combines a sensitive port, TCP/UDP and a /0 CIDR
  LoadBalancer01:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      SecurityGroups:
        - !Ref MainSecurityGroup
  MainSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group containing all negative/positive tests (standalone ingress)"
      VpcId: !Ref MyVPC
  Negative1IPv4_1_Ingress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "icmp"  # incorrect protocol
      FromPort: 22
      ToPort: 22
      CidrIp: "10.0.0.0/0"
  Negative1IPv4_2_Ingress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "6"
      FromPort: 5000  # unknown port
      ToPort: 5000
      CidrIp: "192.168.0.0/0"
  Negative1ArrayTestIPv4_Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "udp"
      FromPort: 137
      ToPort: 137
      CidrIp: "8.8.0.0/16"  # incorrect cidr (not exposed)
  Negative1ArrayTestIPv4_Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "icmp"
      FromPort: 5000
      ToPort: 5000
      CidrIp: "10.68.0.0/14"  # all fields incorrect
  Positive1IPv6_1_Ingress:  # NOTE(review): "Positive" in the name is misleading; this is a non-finding (ICMPv6)
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "58"  # ICMPv6
      FromPort: 22
      ToPort: 22
      CidrIpv6: "fd00::/0"
  Positive1IPv6_2_Ingress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "tcp"
      FromPort: 5000  # unknown port
      ToPort: 5000
      CidrIpv6: "fd12:3456:789a::1/0"
  Positive1ArrayTestIPv6_Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "udp"
      FromPort: 137
      ToPort: 137
      CidrIpv6: "2400:cb00::/32"  # incorrect cidr (not exposed)
  Positive1ArrayTestIPv6_Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref MainSecurityGroup
      IpProtocol: "58"  # all fields incorrect
      FromPort: 110
      ToPort: 110
      CidrIpv6: "fd00:abcd:1234::42/0"
Negative test num. 7 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
{ "Ref": "Negative1IPv4_1" },
{ "Ref": "Negative1IPv4_2" },
{ "Ref": "Negative1ArrayTestIPv4" },
{ "Ref": "Negative1IPv6_1" },
{ "Ref": "Negative1IPv6_2" },
{ "Ref": "Negative1ArrayTestIPv6" }
]
}
},
"Negative1IPv4_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Incorrect protocol: ICMP",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "icmp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "10.0.0.0/0"
}
]
}
},
"Negative1IPv4_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Unknown port: port 5000",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "6",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "192.168.0.0/0"
}
]
}
},
"Negative1ArrayTestIPv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Mixed incorrect CIDRs and protocols",
"VpcId": { "Ref": "MyVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "8.8.0.0/16"
},
{
"IpProtocol": "icmp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "10.68.0.0/14"
}
]
}
},
"Positive1IPv6_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Incorrect protocol: ICMPV6",
"SecurityGroupIngress": [
{
"IpProtocol": "58",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd00::/0"
}
]
}
},
"Positive1IPv6_2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Unknown port: port 5000",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIpv6": "fd12:3456:789a::1/0"
}
]
}
},
"Positive1ArrayTestIPv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Mixed incorrect CIDR and 'All incorrect'",
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIpv6": "2400:cb00::/32"
},
{
"IpProtocol": "58",
"FromPort": 110,
"ToPort": 110,
"CidrIpv6": "fd00:abcd:1234::42/0"
}
]
}
}
}
}
Negative test num. 8 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{ "Ref": "Negative2SecurityGroup" }
]
}
},
"Negative2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for negative test cases",
"VpcId": { "Ref": "MyVPC" }
}
},
"Negative2IPv4Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "icmp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "10.0.0.0/0"
}
},
"Negative2IPv4Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "192.168.0.0/0"
}
},
"Negative2IPv4Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIp": "8.8.0.0/16"
}
},
"Negative2IPv4Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "icmp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "8.8.0.0/16"
}
},
"Negative2IPv6Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "58",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "fd00::/0"
}
},
"Negative2IPv6Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIpv6": "fd12:3456:789a::1/0"
}
},
"Negative2IPv6Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 137,
"ToPort": 137,
"CidrIpv6": "2400:cb00::/32"
}
},
"Negative2IPv6Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "58",
"FromPort": 5000,
"ToPort": 5000,
"CidrIpv6": "2400:cb00::/32"
}
}
}
}
Negative test num. 9 - json file
{
"Resources": {
"GatewayLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"Instances": [
{
"Ref": "EC2Instance01"
}
]
}
},
"EC2Instance01": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
{
"Ref": "InstancesSecGroup"
}
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
},
"InstancesSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for test cases",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 8000,
"ToPort": 8000,
"CidrIp": "127.0.0.1/32"
},
{
"IpProtocol": "icmp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "10.0.0.0/0"
},
{
"IpProtocol": "50",
"FromPort": 443,
"ToPort": 443,
"CidrIp": "192.168.0.0/0"
}
]
}
}
}
}
Negative test num. 10 - json file
{
"Resources": {
"LoadBalancer01": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "SGCase1"
},
{
"Ref": "SGCase2"
},
{
"Ref": "SGCase3"
},
{
"Ref": "SGCase4"
},
{
"Ref": "SGCase5"
},
{
"Ref": "SGCase6"
}
]
}
},
"SGCase2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "IPv4 Case 2 - /0 without insecure ports",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIp": "192.168.0.0/0"
}
]
}
},
"SGCase3": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "IPv4 Case 3 - insecure ports in range, invalid protocol",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "icmp",
"FromPort": 20,
"ToPort": 5000,
"CidrIp": "8.8.0.0/16"
}
]
}
},
"SGCase5": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "IPv6 Case 2 - /0 without insecure ports",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 5000,
"ToPort": 5000,
"CidrIpv6": "fd12:3456:789a::1/0"
}
]
}
},
"SGCase6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "IPv6 Case 3 - insecure ports in range, invalid protocol",
"VpcId": {
"Ref": "MyVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "58",
"FromPort": 20,
"ToPort": 5000,
"CidrIpv6": "2400:cb00::/32"
}
]
}
}
}
}