EC2 Group Has Public Interface

• Query id: 5330b503-3319-44ff-9b1c-00ee873f728a
• Query name: EC2 Group Has Public Interface
• Platform: Ansible
• Severity: High
• Category: Insecure Configurations
• CWE: 732
• URL: Github

Description

The CIDR IP should not be a public interface
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: create minimal aurora instance in default VPC and default subnet group
  community.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    db_security_groups: ["example"]
- name: example ec2 group
  ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1a
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: example ec2 group2
  ec2_group1:
    name: example1
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1a
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      from_port: 80
      to_port: 80
      cidr_ip: 10.1.1.1/32