EC2 Sensitive Port Is Publicly Exposed
- Query id: 494b03d3-bf40-4464-8524-7c56ad0700ed
- Query name: EC2 Sensitive Port Is Publicly Exposed
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: Ongoing
- URL: Github
Description¶
The EC2 instance has a sensitive port connection exposed to the entire network
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
UnsafeSecGroup01:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and redis
VpcId: my-vpc
SecurityGroupIngress:
- FromPort: 8080
ToPort: 8080
CidrIp: 127.0.0.1/32
IpProtocol: tcp
- IpProtocol: tcp
FromPort: 6379
ToPort: 6379
CidrIp: 10.0.0.1/0
SecurityGroupEgress:
- FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
IpProtocol: tcp
EC2Instance01:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-79fd7eee
InstanceType: t3.medium
SecurityGroups:
- UnsafeSecGroup01
KeyName: my-new-rsa-key
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
UnsafeSecGroup02:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and mysql
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 127.0.0.1/32
- ToPort: 1434
CidrIp: 10.0.0.1/0
IpProtocol: tcp
FromPort: 1433
- IpProtocol: tcp
FromPort: 150
ToPort: 180
CidrIp: 10.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
EC2Instance02:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.medium
SecurityGroups:
- UnsafeSecGroup02
KeyName: my-new-rsa-key
ImageId: ami-79fd7eee
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
UnsafeSecGroup03:
Type: AWS::EC2::SecurityGroup
Properties:
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
GroupDescription: Allow http and hadoop
VpcId: my-vpc
SecurityGroupIngress:
- ToPort: 80
CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 80
- ToPort: 9000
CidrIp: 10.0.0.1/0
IpProtocol: tcp
FromPort: 9000
EC2Instance03:
Type: AWS::EC2::Instance
Properties:
SecurityGroups:
- UnsafeSecGroup03
KeyName: my-new-rsa-key
ImageId: ami-79fd7eee
InstanceType: t3.medium
Positive test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
UnsafeSecGroup04:
Type: AWS::EC2::SecurityGroup
Properties:
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
GroupDescription: Allow LDAP and SNMP
VpcId: my-vpc
SecurityGroupIngress:
- ToPort: 389
FromPort: 389
IpProtocol: all
CidrIp: 10.0.0.0/0
- ToPort: 150
FromPort: 180
IpProtocol: udp
CidrIp: 10.0.0.1/0
- ToPort: 53
FromPort: 53
IpProtocol: "-1"
CidrIp: 10.0.0.1/0
EC2Instance03:
Type: AWS::EC2::Instance
Properties:
SecurityGroups:
- UnsafeSecGroup04
KeyName: my-new-rsa-key
ImageId: ami-79fd7eee
InstanceType: t3.medium
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"UnsafeSecGroup01": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"SecurityGroupEgress": [
{
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
],
"GroupDescription": "Allow http and redis",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"FromPort": 8080,
"ToPort": 8080,
"CidrIp": "127.0.0.1/32",
"IpProtocol": "tcp"
},
{
"IpProtocol": "tcp",
"FromPort": 6379,
"ToPort": 6379,
"CidrIp": "10.0.0.1/0"
}
]
}
},
"EC2Instance01": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-79fd7eee",
"InstanceType": "t3.medium",
"SecurityGroups": [
"UnsafeSecGroup01"
],
"KeyName": "my-new-rsa-key"
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"UnsafeSecGroup02": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and mysql",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "127.0.0.1/32"
},
{
"CidrIp": "10.0.0.1/0",
"IpProtocol": "tcp",
"FromPort": 1433,
"ToPort": 1434
},
{
"IpProtocol": "tcp",
"FromPort": 150,
"ToPort": 180,
"CidrIp": "10.0.0.1/0"
}
],
"SecurityGroupEgress": [
{
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
]
}
},
"EC2Instance02": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
"UnsafeSecGroup02"
],
"KeyName": "my-new-rsa-key",
"ImageId": "ami-79fd7eee",
"InstanceType": "t3.medium"
}
}
}
}
Positive test num. 7 - json file
{
"Resources": {
"UnsafeSecGroup03": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
}
],
"GroupDescription": "Allow http and hadoop",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
},
{
"ToPort": 9000,
"CidrIp": "10.0.0.1/0",
"IpProtocol": "tcp",
"FromPort": 9000
}
]
}
},
"EC2Instance03": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
"UnsafeSecGroup03"
],
"KeyName": "my-new-rsa-key",
"ImageId": "ami-79fd7eee",
"InstanceType": "t3.medium"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}
Positive test num. 8 - json file
{
"Resources": {
"UnsafeSecGroup04": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
}
],
"GroupDescription": "Allow LDAP and SNMP",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"CidrIp": "10.0.0.0/0",
"ToPort": 389,
"FromPort": 389,
"IpProtocol": "all"
},
{
"FromPort": 180,
"IpProtocol": "udp",
"CidrIp": "10.0.0.1/0",
"ToPort": 150
},
{
"IpProtocol": "-1",
"CidrIp": "10.0.0.1/0",
"ToPort": 53,
"FromPort": 53
}
]
}
},
"EC2Instance03": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
"UnsafeSecGroup04"
],
"KeyName": "my-new-rsa-key",
"ImageId": "ami-79fd7eee",
"InstanceType": "t3.medium"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
Resources:
SafeSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 127.0.0.1/32
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- FromPort: 80
ToPort: 80
CidrIp: 127.0.0.1/32
IpProtocol: tcp
- ToPort: 77
CidrIp: 127.0.0.1/32
IpProtocol: all
FromPort: 77
MyNegativeEC2Instance:
Type: AWS::EC2::Instance
Properties:
SecurityGroups:
- SafeSecGroup
KeyName: my-new-rsa-key
ImageId: ami-79fd7eee
InstanceType: t3.medium
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"SafeSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"FromPort": 80,
"ToPort": 80,
"CidrIp": "127.0.0.1/32",
"IpProtocol": "tcp"
},
{
"ToPort": 77,
"CidrIp": "127.0.0.1/32",
"IpProtocol": "all",
"FromPort": 77
}
],
"SecurityGroupEgress": [
{
"FromPort": 22,
"ToPort": 22,
"CidrIp": "127.0.0.1/32",
"IpProtocol": "tcp"
}
]
}
},
"MyNegativeEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
"SafeSecGroup"
],
"KeyName": "my-new-rsa-key",
"ImageId": "ami-79fd7eee",
"InstanceType": "t3.medium"
}
}
}
}