Default Security Groups With Unrestricted Traffic

  • Query id: 8010e17a-00e9-4635-a692-90d6bcec68bd
  • Query name: Default Security Groups With Unrestricted Traffic
  • Platform: Ansible
  • Severity: High
  • Category: Networking and Firewall
  • CWE: 285
  • URL: Github

Description

Check if default security group does not restrict all inbound and outbound traffic.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ip:
          - 0.0.0.0/0
- name: example2 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
- name: example3 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ipv6: ::/0
- name: example4 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6: ::/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
- name: example5 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      # 'ports' rule keyword was introduced in version 2.4. It accepts a single port value or a list of values including ranges (from_port-to_port).
      - proto: tcp
        ports: 22
        group_name: example-vpn
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6:
          - ::/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
      from_port: 10050   # this value is ignored
      to_port: 10050   # this value is ignored
      cidr_ip: 10.1.0.0/16
      cidr_ipv6: 64:ff9b::/96
    rules_egress:
    - proto: tcp
      from_port: 80
      to_port: 80
      cidr_ip: 10.1.0.0/16
      cidr_ipv6: 64:ff9b::/96
      group_name: example-other
        # description to use if example-other needs to be created
      group_desc: other example EC2 group