Default Security Groups With Unrestricted Traffic
- Query id: ea33fcf7-394b-4d11-a228-985c5d08f205
- Query name: Default Security Groups With Unrestricted Traffic
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 200
- Risk score: 7.5
- URL: Github
Description
Checks whether the default security group fails to restrict all inbound and outbound traffic.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive sample: two groups named "default", each carrying an inline rule
# (one ingress, one egress) that opens tcp/22 to 0.0.0.0/0, so the query reports both.
Resources:
  InstanceSecurityGroup_ingress:  # inline ingress
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: default
      GroupDescription: "Enable SSH access via port 22"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"  # ports kept as strings, as in the original sample
          ToPort: "22"
          CidrIp: 0.0.0.0/0  # any source address
  InstanceSecurityGroup_egress:  # inline egress
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: default
      GroupDescription: "Enable SSH access via port 22"
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0  # any destination address
Positive test num. 2 - yaml file
# Positive sample: the group named "default" has no inline rules, but two
# standalone rule resources attach to it via !Ref and open tcp/22 to 0.0.0.0/0.
Resources:
  InstanceSecurityGroup_default:  # ref
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: default
      GroupDescription: "Enable SSH access via port 22"
  InstanceSecurityGroupIngress:
    Type: "AWS::EC2::SecurityGroupIngress"  # standalone ingress
    Properties:
      GroupId: !Ref InstanceSecurityGroup_default  # ref
      IpProtocol: tcp
      FromPort: 22  # ports as integers here, unlike the inline samples
      ToPort: 22
      CidrIp: 0.0.0.0/0  # any source address
  InstanceSecurityGroupEgress:
    Type: "AWS::EC2::SecurityGroupEgress"  # standalone egress
    Properties:
      GroupId: !Ref InstanceSecurityGroup_default  # ref
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0  # any destination address
Positive test num. 3 - json file
{
"Resources": {
"InstanceSecurityGroup_ingress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "default",
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"InstanceSecurityGroup_egress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "default",
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}
Positive test num. 4 - json file
{
"Resources": {
"InstanceSecurityGroup_default": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "default",
"GroupDescription": "Enable SSH access via port 22"
}
},
"InstanceSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "InstanceSecurityGroup_default"
},
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
},
"InstanceSecurityGroupEgress": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "InstanceSecurityGroup_default"
},
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative sample: the group named "default" declares no ingress or egress
# rules, inline or standalone, so all traffic stays restricted.
Resources:
  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: default
      GroupDescription: "Enable SSH access via port 22"
Negative test num. 2 - yaml file
# Negative sample for THIS query only: the group is not named "default", so the
# query does not report it. The rules below still open tcp/22 to 0.0.0.0/0 in
# both directions and remain a finding for other checks.
Resources:
  InstanceSecurityGroup_not_named_default:  # def
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: not_default  # name is not "default"
      GroupDescription: "Enable SSH access via port 22"
      SecurityGroupIngress:  # inline ingress
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:  # inline egress
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
  InstanceSecurityGroupIngress:
    Type: "AWS::EC2::SecurityGroupIngress"  # standalone ingress
    Properties:
      GroupId: !Ref InstanceSecurityGroup_not_named_default  # def
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0
  InstanceSecurityGroupEgress:
    Type: "AWS::EC2::SecurityGroupEgress"  # standalone egress
    Properties:
      GroupId: !Ref InstanceSecurityGroup_not_named_default  # def
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0
Negative test num. 3 - json file
{
"Resources": {
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "default",
"GroupDescription": "Enable SSH access via port 22"
}
}
}
}
Negative test num. 4 - json file
{
"Resources": {
"InstanceSecurityGroup_not_named_default": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "not_default",
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"InstanceSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "InstanceSecurityGroup_not_named_default"
},
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
},
"InstanceSecurityGroupEgress": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "InstanceSecurityGroup_not_named_default"
},
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
}
}
}