Default Security Groups With Unrestricted Traffic
- Query id: 8010e17a-00e9-4635-a692-90d6bcec68bd
- Query name: Default Security Groups With Unrestricted Traffic
- Platform: Ansible
- Severity: High
- Category: Networking and Firewall
- CWE: 285
- URL: Github
Description¶
Check if default security group does not restrict all inbound and outbound traffic.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
---
- name: example ec2 group
amazon.aws.ec2_group:
name: example
description: an example EC2 group
vpc_id: 12345
region: eu-west-1
aws_secret_key: SECRET
aws_access_key: ACCESS
rules:
- proto: all
# in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
# traffic on all ports is allowed, regardless of any ports you specify
from_port: 10050 # this value is ignored
to_port: 10050 # this value is ignored
cidr_ip:
- 0.0.0.0/0
- name: example2 ec2 group
amazon.aws.ec2_group:
name: example
description: an example EC2 group
vpc_id: 12345
region: eu-west-1
aws_secret_key: SECRET
aws_access_key: ACCESS
rules_egress:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
group_name: example-other
# description to use if example-other needs to be created
group_desc: other example EC2 group
- name: example3 ec2 group
amazon.aws.ec2_group:
name: example
description: an example EC2 group
vpc_id: 12345
region: eu-west-1
aws_secret_key: SECRET
aws_access_key: ACCESS
rules:
- proto: all
# in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
# traffic on all ports is allowed, regardless of any ports you specify
from_port: 10050 # this value is ignored
to_port: 10050 # this value is ignored
cidr_ipv6: ::/0
- name: example4 ec2 group
amazon.aws.ec2_group:
name: example
description: an example EC2 group
vpc_id: 12345
region: eu-west-1
aws_secret_key: SECRET
aws_access_key: ACCESS
rules_egress:
- proto: tcp
from_port: 80
to_port: 80
cidr_ipv6: ::/0
group_name: example-other
# description to use if example-other needs to be created
group_desc: other example EC2 group
- name: example5 ec2 group
amazon.aws.ec2_group:
name: example
description: an example EC2 group
vpc_id: 12345
region: eu-west-1
aws_secret_key: SECRET
aws_access_key: ACCESS
rules:
# 'ports' rule keyword was introduced in version 2.4. It accepts a single port value or a list of values including ranges (from_port-to_port).
- proto: tcp
ports: 22
group_name: example-vpn
rules_egress:
- proto: tcp
from_port: 80
to_port: 80
cidr_ipv6:
- ::/0
group_name: example-other
# description to use if example-other needs to be created
group_desc: other example EC2 group
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: example ec2 group
amazon.aws.ec2_group:
name: example
description: an example EC2 group
vpc_id: 12345
region: eu-west-1
aws_secret_key: SECRET
aws_access_key: ACCESS
rules:
- proto: all
# in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
# traffic on all ports is allowed, regardless of any ports you specify
from_port: 10050 # this value is ignored
to_port: 10050 # this value is ignored
cidr_ip: 10.1.0.0/16
cidr_ipv6: 64:ff9b::/96
rules_egress:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 10.1.0.0/16
cidr_ipv6: 64:ff9b::/96
group_name: example-other
# description to use if example-other needs to be created
group_desc: other example EC2 group