# Security Group With Unrestricted Access To SSH

- Query id: 6e856af2-62d7-4ba2-adc1-73b62cef9cc1
- Query name: Security Group With Unrestricted Access To SSH
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: Ongoing
- URL: Github
## Description

SSH (TCP port 22) should not be open to the public (an ingress rule with `CidrIp: 0.0.0.0/0`) in an AWS Security Group.

Documentation
## Code samples

### Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        # SSH reachable from any IPv4 address: this rule is what the query flags
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
```
Positive test num. 2 - json file

```json
{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "",
        "SecurityGroups": [
          "InstanceSecurityGroup"
        ],
        "KeyName": "mykey"
      }
    },
    "InstanceSecurityGroup": {
      "Properties": {
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22
          }
        ]
      },
      "Type": "AWS::EC2::SecurityGroup"
    }
  }
}
```
### Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        # no rule covers port 22, and the source is a single host, not the Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          # /32 is the largest valid IPv4 prefix length; /33 is rejected by CloudFormation
          CidrIp: 127.0.0.1/32
```
Negative test num. 2 - json file

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32"
          }
        ]
      }
    },
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          "InstanceSecurityGroup"
        ],
        "KeyName": "mykey",
        "ImageId": ""
      }
    }
  }
}
```
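As an added example (not KICS's own query or code), the check below applies the rule from the description to a CloudFormation template parsed as JSON. It goes slightly beyond the samples above: it also catches a TCP port range that covers 22, `IpProtocol: -1` (all protocols) and the IPv6 equivalent `::/0`, and it inspects standalone `AWS::EC2::SecurityGroupIngress` resources. The template embedded at the bottom is constructed for the example; the `WideRangeGroup` and `RestrictedGroup` resource names are assumptions.

```python
"""Flag CloudFormation security groups that expose SSH (TCP/22) to the Internet."""
import json

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" sources for IPv4 and IPv6


def rule_opens_public_ssh(rule: dict) -> bool:
    """True if one ingress rule admits TCP/22 from 0.0.0.0/0 or ::/0."""
    if not {rule.get("CidrIp"), rule.get("CidrIpv6")} & WORLD:
        return False  # source is not the whole Internet
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto in ("-1", "all"):
        return True  # all protocols and ports, so port 22 is included
    if proto != "tcp":
        return False  # SSH is TCP only
    try:  # a port range that merely contains 22 is just as exposed as 22-22
        return int(rule["FromPort"]) <= 22 <= int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False


def find_public_ssh(template: dict) -> list:
    """Return logical IDs of resources whose ingress rules open SSH to the world."""
    hits = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties") or {}
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress") or []
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # standalone ingress resource: its properties are the rule
        else:
            continue
        if any(rule_opens_public_ssh(r) for r in rules if isinstance(r, dict)):
            hits.append(name)
    return hits


# Constructed sample: the page's positive group, a wide range that also covers 22,
# and a group restricted to one host that must not be reported.
SAMPLE = json.loads("""{"Resources": {
 "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
 "WideRangeGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIpv6": "::/0"}]}},
 "RestrictedGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "127.0.0.1/32"}]}}
}}""")

if __name__ == "__main__":
    print(find_public_ssh(SAMPLE))  # ['InstanceSecurityGroup', 'WideRangeGroup']
```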