DB Security Group With Public Scope
- Query id: 9564406d-e761-4e61-b8d7-5926e3ab8e79
- Query name: DB Security Group With Public Scope
- Platform: CloudFormation
- Severity: Critical
- Category: Networking and Firewall
- CWE: 668
- Risk score: 8.7
- URL: Github
Description

The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it. As the samples below show, the query reports a publicly accessible AWS::RDS::DBInstance (PubliclyAccessible set to true, or no DBSubnetGroupName set) whose DBSecurityGroups or VPCSecurityGroups resolve to a group with such a rule, whether the rule is defined inline or as a standalone ingress resource; the unabbreviated form 0000:0000:0000:0000:0000:0000:0000:0000/0 counts as ::/0.

Documentation
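The logic described above, reimplemented as an added example in Python (this is not the KICS query itself, which is written in Rego): it walks a JSON CloudFormation template, decides whether each DBInstance is public, resolves its group references, and reports every world-open rule, including the unabbreviated IPv6 form. The SAMPLE template and its logical ids are constructed for this example.

```python
import ipaddress

CIDR_KEYS = ("CIDRIP", "CidrIp", "CidrIpv6")
INGRESS_TYPES = ("AWS::RDS::DBSecurityGroupIngress", "AWS::EC2::SecurityGroupIngress")

def is_public_cidr(value):
    """True for 0.0.0.0/0 and ::/0 in any spelling, e.g. 0000:...:0000/0."""
    try:
        return ipaddress.ip_network(str(value), strict=False).prefixlen == 0
    except ValueError:
        return False

def ref_name(value):
    """Logical id behind a {"Ref": ...} dict, else None."""
    return value.get("Ref") if isinstance(value, dict) else None

def is_publicly_accessible(props):
    """PubliclyAccessible (bool or quoted string); if absent, public unless DBSubnetGroupName is set."""
    if "PubliclyAccessible" in props:
        return str(props["PubliclyAccessible"]).lower() == "true"
    return "DBSubnetGroupName" not in props

def ingress_rules(resources, group_id):
    """Yield (source_id, rule) for inline rules and standalone ingress resources targeting the group."""
    props = resources[group_id].get("Properties", {})
    for rule in props.get("DBSecurityGroupIngress", []) + props.get("SecurityGroupIngress", []):
        yield group_id, rule
    for rid, res in resources.items():
        p = res.get("Properties", {})
        targets = (ref_name(p.get("DBSecurityGroupName")), ref_name(p.get("GroupId")))
        if res.get("Type") in INGRESS_TYPES and group_id in targets:
            yield rid, p

def find_public_scope(template):
    """Return [(db_instance_id, rule_source_id, cidr)] for world-open rules on a public DBInstance."""
    resources = template.get("Resources", {})
    findings = []
    for rid, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::RDS::DBInstance" or not is_publicly_accessible(props):
            continue  # not public (as in the page's negative tests 2, 4, 6, 8, 9): never flagged
        for key in ("DBSecurityGroups", "VPCSecurityGroups"):
            for gid in map(ref_name, props.get(key, [])):
                if gid not in resources:
                    continue  # dangling Ref (negative tests 3, 7): nothing to resolve
                for src, rule in ingress_rules(resources, gid):
                    findings += [(rid, src, rule[k]) for k in CIDR_KEYS if is_public_cidr(rule.get(k, ""))]
    return findings

# Constructed template (not one of the page's fixtures): a legacy group opened by a
# standalone rule, and an EC2 group using the unabbreviated IPv6 any-address form.
SAMPLE = {"Resources": {
    "LegacySG": {"Type": "AWS::RDS::DBSecurityGroup", "Properties": {"GroupDescription": "legacy"}},
    "LegacyRule": {"Type": "AWS::RDS::DBSecurityGroupIngress",
                   "Properties": {"DBSecurityGroupName": {"Ref": "LegacySG"}, "CIDRIP": "0.0.0.0/0"}},
    "VpcSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "vpc",
              "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                        "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": "true", "Engine": "MySQL",
           "DBSecurityGroups": [{"Ref": "LegacySG"}], "VPCSecurityGroups": [{"Ref": "VpcSG"}]}}}}
```

Calling find_public_scope(SAMPLE) returns one finding per open rule, so both the standalone legacy rule and the IPv6 EC2 rule are reported against Db.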
Code samples

Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  # Legacy RDS DBSecurityGroup with inline ingress
  DbSecurityByEC2SecurityGroupInline_pos1:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy inline ingress"
      DBSecurityGroupIngress:
        - CIDRIP: 0.0.0.0/0
  # Legacy RDS DBSecurityGroup with standalone ingress
  DbSecurityByEC2SecurityGroupStandalone_pos1:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy standalone ingress"
  DbSecurityIngressRule_pos1:
    Type: AWS::RDS::DBSecurityGroupIngress
    Properties:
      DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_pos1
      CIDRIP: 0.0.0.0/0
  # EC2 Security Group with inline IPv4 and IPv6 rules
  DBEC2SecurityGroupInline_pos1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Inline IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
  # EC2 Security Group with standalone ingress rules
  DBEC2SecurityGroupStandalone_pos1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Standalone IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
  DBEC2SecurityGroupIngress_pos1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_pos1
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  DBEC2SecurityGroupIngressIPv6_pos1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_pos1
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  # Public RDS Instance referencing all security groups
  DBInstance_pos1:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName: !Ref DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroupInline_pos1
        - !Ref DbSecurityByEC2SecurityGroupStandalone_pos1
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroupInline_pos1
        - !Ref DBEC2SecurityGroupStandalone_pos1
```
Positive test num. 2 - yaml file
```yaml
Resources:
  DbSecurityByEC2SecurityGroup_pos2:
    Type: AWS::RDS::DBSecurityGroup #legacy-inline
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        -
          CIDRIP: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties: # Assumes public since "DBSubnetGroupName" is not set
      DBName:
        Ref: DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroup_pos2
```
Positive test num. 3 - json file
```json
{
  "Resources": {
    "DbSecurityByEC2SecurityGroupInline_pos3": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy inline ingress",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "0.0.0.0/0"
          }
        ]
      }
    },
    "DbSecurityByEC2SecurityGroupStandalone_pos3": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy standalone ingress"
      }
    },
    "DbSecurityIngressRule_pos3": {
      "Type": "AWS::RDS::DBSecurityGroupIngress",
      "Properties": {
        "DBSecurityGroupName": {
          "Ref": "DbSecurityByEC2SecurityGroupStandalone_pos3"
        },
        "CIDRIP": "0.0.0.0/0"
      }
    },
    "DBEC2SecurityGroupInline_pos3": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Inline IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "DBEC2SecurityGroupStandalone_pos3": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Standalone IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        }
      }
    },
    "DBEC2SecurityGroupIngress_pos3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_pos3"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "DBEC2SecurityGroupIngressIPv6_pos3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_pos3"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
      }
    },
    "DBInstance_pos3": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "DBName": {
          "Ref": "DBName"
        },
        "Engine": "MySQL",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroupInline_pos3"
          },
          {
            "Ref": "DbSecurityByEC2SecurityGroupStandalone_pos3"
          }
        ],
        "VPCSecurityGroups": [
          {
            "Ref": "DBEC2SecurityGroupInline_pos3"
          },
          {
            "Ref": "DBEC2SecurityGroupStandalone_pos3"
          }
        ]
      }
    }
  }
}
```
Positive test num. 4 - json file
```json
{
  "Resources": {
    "DbSecurityByEC2SecurityGroup_pos4": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "0.0.0.0/0"
          }
        ]
      }
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBName": {
          "Ref": "DBName"
        },
        "Engine": "MySQL",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup_pos4"
          }
        ]
      }
    }
  }
}
```
Positive test num. 5 - yaml file
```yaml
Resources:
  DbSecurityByEC2SecurityGroup_pos5:
    Type: AWS::RDS::DBSecurityGroup #legacy-inline
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        -
          CIDRIP: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: "true" #quoted string support test
      DBName:
        Ref: DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroup_pos5
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  # This sample does not flag because the cidr ips are not 0.0.0.0/0 or ::/0
  # Legacy RDS DBSecurityGroup with inline ingress
  DbSecurityByEC2SecurityGroupInline_neg1:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy inline ingress"
      DBSecurityGroupIngress:
        - CIDRIP: 1.2.3.4/24
  # Legacy RDS DBSecurityGroup with standalone ingress
  DbSecurityByEC2SecurityGroupStandalone_neg1:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy standalone ingress"
  DbSecurityIngressRule_neg1:
    Type: AWS::RDS::DBSecurityGroupIngress
    Properties:
      DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_neg1
      CIDRIP: 1.2.3.4/24
  # EC2 Security Group with inline IPv4 and IPv6 rules
  DBEC2SecurityGroupInline_neg1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Inline IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 1.2.3.4/24
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  # EC2 Security Group with standalone ingress rules
  DBEC2SecurityGroupStandalone_neg1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Standalone IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
  DBEC2SecurityGroupIngress_neg1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_neg1
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 1.2.3.4/24
  DBEC2SecurityGroupIngressIPv6_neg1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_neg1
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  # RDS Instance referencing all security groups
  DBInstance_neg1:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName: !Ref DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroupInline_neg1
        - !Ref DbSecurityByEC2SecurityGroupStandalone_neg1
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroupInline_neg1
        - !Ref DBEC2SecurityGroupStandalone_neg1
```
Negative test num. 2 - yaml file
```yaml
Resources:
  # This sample does not flag because "PubliclyAccessible" is set to false
  # Legacy RDS DBSecurityGroup with inline ingress
  DbSecurityByEC2SecurityGroupInline_neg2:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy inline ingress"
      DBSecurityGroupIngress:
        - CIDRIP: 0.0.0.0/0
  # Legacy RDS DBSecurityGroup with standalone ingress
  DbSecurityByEC2SecurityGroupStandalone_neg2:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy standalone ingress"
  DbSecurityIngressRule_neg2:
    Type: AWS::RDS::DBSecurityGroupIngress
    Properties:
      DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_neg2
      CIDRIP: 0.0.0.0/0
  # EC2 Security Group with inline IPv4 and IPv6 rules
  DBEC2SecurityGroupInline_neg2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Inline IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
  # EC2 Security Group with standalone ingress rules
  DBEC2SecurityGroupStandalone_neg2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Standalone IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
  DBEC2SecurityGroupIngress_neg2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_neg2
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  DBEC2SecurityGroupIngressIPv6_neg2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_neg2
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  # RDS Instance referencing all security groups
  DBInstance_neg2:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: false #set to false
      DBName: !Ref DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroupInline_neg2
        - !Ref DbSecurityByEC2SecurityGroupStandalone_neg2
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroupInline_neg2
        - !Ref DBEC2SecurityGroupStandalone_neg2
```
Negative test num. 3 - yaml file
```yaml
Resources:
  # This sample is near identical to Positive1 except that the "!Ref" on the DBInstance are incorrect
  DbSecurityByEC2SecurityGroupInline_neg3:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy inline ingress"
      DBSecurityGroupIngress:
        - CIDRIP: 0.0.0.0/0
  DbSecurityByEC2SecurityGroupStandalone_neg3:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Legacy standalone ingress"
  DbSecurityIngressRule:
    Type: AWS::RDS::DBSecurityGroupIngress
    Properties:
      DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_neg3
      CIDRIP: 0.0.0.0/0
  DBEC2SecurityGroupInline_neg3:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Inline IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
  DBEC2SecurityGroupStandalone_neg3:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Standalone IPv4 and IPv6 ingress"
      VpcId: !Ref VPC
  DBEC2SecurityGroupIngress_neg3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_neg3
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  DBEC2SecurityGroupIngressIPv6_neg3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBEC2SecurityGroupStandalone_neg3
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
  DBInstance_neg3:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName: !Ref DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref invalid_reference_1_neg3
        - !Ref invalid_reference_2_neg3
      VPCSecurityGroups:
        - !Ref invalid_reference_3_neg3
        - !Ref invalid_reference_4_neg3
```
Negative test num. 4 - yaml file
```yaml
Resources:
  DbSecurityByEC2SecurityGroup_neg4:
    Type: AWS::RDS::DBSecurityGroup #legacy-inline
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        -
          CIDRIP: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties: # Assumes it is not public since "DBSubnetGroupName" is set
      DBName:
        Ref: DBName
      Engine: MySQL
      DBSubnetGroupName: !Ref MyDBSubnetGroup
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroup_neg4
```
Negative test num. 5 - json file
```json
{
  "Resources": {
    "DbSecurityByEC2SecurityGroupInline_neg5": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy inline ingress",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "1.2.3.4/24"
          }
        ]
      }
    },
    "DbSecurityByEC2SecurityGroupStandalone_neg5": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy standalone ingress"
      }
    },
    "DbSecurityIngressRule_neg5": {
      "Type": "AWS::RDS::DBSecurityGroupIngress",
      "Properties": {
        "DBSecurityGroupName": {
          "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg5"
        },
        "CIDRIP": "1.2.3.4/24"
      }
    },
    "DBEC2SecurityGroupInline_neg5": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Inline IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "1.2.3.4/24"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
          }
        ]
      }
    },
    "DBEC2SecurityGroupStandalone_neg5": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Standalone IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        }
      }
    },
    "DBEC2SecurityGroupIngress_neg5": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_neg5"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "1.2.3.4/24"
      }
    },
    "DBEC2SecurityGroupIngressIPv6_neg5": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_neg5"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
      }
    },
    "DBInstance_neg5": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "DBName": {
          "Ref": "DBName"
        },
        "Engine": "MySQL",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroupInline_neg5"
          },
          {
            "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg5"
          }
        ],
        "VPCSecurityGroups": [
          {
            "Ref": "DBEC2SecurityGroupInline_neg5"
          },
          {
            "Ref": "DBEC2SecurityGroupStandalone_neg5"
          }
        ]
      }
    }
  }
}
```
Negative test num. 6 - json file
```json
{
  "Resources": {
    "DbSecurityByEC2SecurityGroupInline_neg6": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy inline ingress",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "0.0.0.0/0"
          }
        ]
      }
    },
    "DbSecurityByEC2SecurityGroupStandalone_neg6": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy standalone ingress"
      }
    },
    "DbSecurityIngressRule_neg6": {
      "Type": "AWS::RDS::DBSecurityGroupIngress",
      "Properties": {
        "DBSecurityGroupName": {
          "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg6"
        },
        "CIDRIP": "0.0.0.0/0"
      }
    },
    "DBEC2SecurityGroupInline_neg6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Inline IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "DBEC2SecurityGroupStandalone_neg6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Standalone IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        }
      }
    },
    "DBEC2SecurityGroupIngress_neg6": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_neg6"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "DBEC2SecurityGroupIngressIPv6_neg6": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_neg6"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
      }
    },
    "DBInstance_neg6": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": false,
        "DBName": {
          "Ref": "DBName"
        },
        "Engine": "MySQL",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroupInline_neg6"
          },
          {
            "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg6"
          }
        ],
        "VPCSecurityGroups": [
          {
            "Ref": "DBEC2SecurityGroupInline_neg6"
          },
          {
            "Ref": "DBEC2SecurityGroupStandalone_neg6"
          }
        ]
      }
    }
  }
}
```
Negative test num. 7 - json file
```json
{
  "Resources": {
    "DbSecurityByEC2SecurityGroupInline_neg7": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy inline ingress",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "0.0.0.0/0"
          }
        ]
      }
    },
    "DbSecurityByEC2SecurityGroupStandalone_neg7": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Legacy standalone ingress"
      }
    },
    "DbSecurityIngressRule_neg7": {
      "Type": "AWS::RDS::DBSecurityGroupIngress",
      "Properties": {
        "DBSecurityGroupName": {
          "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg7"
        },
        "CIDRIP": "0.0.0.0/0"
      }
    },
    "DBEC2SecurityGroupInline_neg7": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Inline IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "DBEC2SecurityGroupStandalone_neg7": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Standalone IPv4 and IPv6 ingress",
        "VpcId": {
          "Ref": "VPC"
        }
      }
    },
    "DBEC2SecurityGroupIngress_neg7": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_neg7"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "DBEC2SecurityGroupIngressIPv6_neg7": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "DBEC2SecurityGroupStandalone_neg7"
        },
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
      }
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "DBName": {
          "Ref": "DBName"
        },
        "Engine": "MySQL",
        "DBSecurityGroups": [
          {
            "Ref": "invalid_reference_1_neg7"
          },
          {
            "Ref": "invalid_reference_2_neg7"
          }
        ],
        "VPCSecurityGroups": [
          {
            "Ref": "invalid_reference_3_neg7"
          },
          {
            "Ref": "invalid_reference_4_neg7"
          }
        ]
      }
    }
  }
}
```
Negative test num. 8 - json file
```json
{
  "Resources": {
    "DbSecurityByEC2SecurityGroup_neg8": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": [
          {
            "CIDRIP": "0.0.0.0/0"
          }
        ]
      }
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBName": {
          "Ref": "DBName"
        },
        "Engine": "MySQL",
        "DBSubnetGroupName": {
          "Ref": "MyDBSubnetGroup"
        },
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup_neg8"
          }
        ]
      }
    }
  }
}
```
Negative test num. 9 - yaml file
```yaml
Resources:
  DbSecurityByEC2SecurityGroup_neg9:
    Type: AWS::RDS::DBSecurityGroup #legacy-inline
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        -
          CIDRIP: 0.0.0.0/0
  DBInstance_neg9:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: "false" #quoted string support test
      DBName:
        Ref: DBName
      Engine: MySQL
      DBSecurityGroups:
        - !Ref DbSecurityByEC2SecurityGroup_neg9
```