GameLift Fleet EC2 InboundPermissions With Port Range

  • Query id: 43356255-495d-4148-ad8d-f6af5eac09dd
  • Query name: GameLift Fleet EC2 InboundPermissions With Port Range
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

Each entry in an AWS GameLift Fleet's EC2InboundPermissions should open a single port, i.e. FromPort and ToPort should be equal, rather than a range of ports.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  FleetResource1:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet1
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: '1234'
          ToPort: '134'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: 1356
          ToPort: 1578
          IpRange: 192.168.0.0/24
          Protocol: UDP
  FleetResource3:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet3
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: 1234
          ToPort: '134'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: '1356'
          ToPort: 1578
          IpRange: 192.168.0.0/24
          Protocol: UDP
Positive test num. 2 - json file
{
  "Resources": {
    "FleetResource1": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "EC2InboundPermissions": [
          {
            "FromPort": "1234",
            "ToPort": "134",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "FromPort": 1356,
            "ToPort": 1578,
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP"
          }
        ],
        "BuildId": "BuildResource",
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet1",
        "DesiredEc2Instances": 1
      }
    },
    "FleetResource3": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "BuildId": "BuildResource",
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet3",
        "DesiredEc2Instances": 1,
        "EC2InboundPermissions": [
          {
            "FromPort": 1234,
            "ToPort": "134",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "FromPort": "1356",
            "ToPort": 1578,
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP"
          }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  FleetResource2:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: '1234'
          ToPort: '1234'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: '1356'
          ToPort: '1356'
          IpRange: 192.168.0.0/24
          Protocol: UDP
Negative test num. 2 - json file
{
  "Resources": {
    "FleetResource2": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet",
        "DesiredEc2Instances": 1,
        "EC2InboundPermissions": [
          {
            "FromPort": "1234",
            "ToPort": "1234",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "ToPort": "1356",
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP",
            "FromPort": "1356"
          }
        ],
        "BuildId": "BuildResource"
      }
    }
  }
}
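As an added example (not part of the KICS query or its test files), the check this query performs, written in Python over a constructed JSON template that combines the positive and negative samples above. It assumes only the standard library; port values are normalised to integers because CloudFormation accepts them both quoted and unquoted, as the samples show.

```python
import json

# Constructed CloudFormation template (JSON) based on the page's samples:
# FleetResource1 opens port ranges, FleetResource2 opens single ports.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "FleetResource1": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "EC2InboundPermissions": [
          {"FromPort": "1234", "ToPort": "134", "IpRange": "0.0.0.0/24", "Protocol": "TCP"},
          {"FromPort": 1356, "ToPort": 1578, "IpRange": "192.168.0.0/24", "Protocol": "UDP"}
        ]
      }
    },
    "FleetResource2": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "EC2InboundPermissions": [
          {"FromPort": "1234", "ToPort": "1234", "IpRange": "0.0.0.0/24", "Protocol": "TCP"},
          {"ToPort": "1356", "IpRange": "192.168.0.0/24", "Protocol": "UDP", "FromPort": "1356"}
        ]
      }
    }
  }
}
"""

def _port(value):
    """CloudFormation accepts port numbers as strings or integers; normalise to int."""
    return int(str(value).strip())

def find_port_ranges(template):
    """Return (resource name, index, FromPort, ToPort) for every GameLift fleet
    inbound permission whose FromPort differs from ToPort, i.e. opens a range."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::GameLift::Fleet":
            continue
        perms = resource.get("Properties", {}).get("EC2InboundPermissions", [])
        for idx, perm in enumerate(perms):
            if "FromPort" not in perm or "ToPort" not in perm:
                continue  # both are required; template validation reports that case
            low, high = _port(perm["FromPort"]), _port(perm["ToPort"])
            if low != high:
                findings.append((name, idx, low, high))
    return findings

def scan_json(text):
    """Parse a JSON CloudFormation template and run the single-port check on it."""
    return find_port_ranges(json.loads(text))

if __name__ == "__main__":
    for name, idx, low, high in scan_json(SAMPLE_TEMPLATE):
        print(f"{name}: EC2InboundPermissions[{idx}] FromPort {low} != ToPort {high}")
```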