Security Group Ingress Not Restricted
- Query id: ea6bc7a6-d696-4dcf-a788-17fa03c17c81
- Query name: Security Group Ingress Not Restricted
- Platform: Ansible
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description
An AWS security group should restrict ingress access: it should not allow inbound traffic from any source (cidr_ip 0.0.0.0/0 or cidr_ipv6 ::/0) on all protocols and ports.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: -1
        from_port: 0
        to_port: 0
        cidr_ip: 0.0.0.0/0
      - proto: all
        from_port: 0
        to_port: 0
        cidr_ip: 0.0.0.0/0
      - proto: 12121
        from_port: 0
        to_port: 0
        cidr_ip: 0.0.0.0/0
- name: example ec2 group v2
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: -1
        from_port: 0
        to_port: 0
        cidr_ipv6: ::/0
      - proto: all
        from_port: 0
        to_port: 0
        cidr_ipv6: ::/0
      - proto: 121212
        from_port: 0
        to_port: 0
        cidr_ipv6: ::/0
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: example ec2 group v3
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 10.0.0.0/8
- name: example ec2 group v4
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6: 2001:DB8:8086:6502::/32
```
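The following Python script is an added example, not KICS's own Rego query, showing how the check behind this query can be implemented and run over the positive and negative samples above. The samples are embedded as the Python structures that `yaml.safe_load` would return for those task files, so the script has no dependency beyond the standard library. The decision rule is this example's own approximation of the query: a rule is reported when its source is a /0 network (any address, in either address family) and it covers every port, either because `proto` is `-1`/`all` or because the port range is `0`-`0` or spans the whole 0-65535 range. Treating a missing port range as unrestricted is a conservative assumption of this example.

```python
"""Flag amazon.aws.ec2_group ingress rules that are open to any source on all ports.

Added example approximating the "Security Group Ingress Not Restricted" check;
it is not the KICS project's own query implementation.
"""
import ipaddress

# Protocol values the ec2_group module treats as "all protocols".
ALL_PROTOCOLS = {"-1", "all"}


def is_any_source(cidr) -> bool:
    """True if a cidr_ip / cidr_ipv6 value (a string or a list) contains a /0 network."""
    values = cidr if isinstance(cidr, list) else [cidr]
    for value in values:
        try:
            # strict=False tolerates host bits set in the sample, e.g. 2001:DB8:8086:6502::/32
            net = ipaddress.ip_network(str(value), strict=False)
        except ValueError:
            continue  # not a CIDR literal (e.g. a Jinja variable); leave it to other checks
        if net.prefixlen == 0:
            return True
    return False


def covers_all_ports(rule: dict) -> bool:
    """True if the rule applies to every port: proto -1/all, range 0-0, or 0-65535."""
    if str(rule.get("proto", "")).lower() in ALL_PROTOCOLS:
        return True
    from_port, to_port = rule.get("from_port"), rule.get("to_port")
    if from_port is None or to_port is None:
        return True  # assumption of this example: an absent port range is not a restriction
    from_port, to_port = int(from_port), int(to_port)
    return (from_port, to_port) == (0, 0) or (from_port <= 0 and to_port >= 65535)


def unrestricted_rules(task: dict) -> list:
    """Return (task name, rule) for every ingress rule in one task that is unrestricted."""
    module = task.get("amazon.aws.ec2_group") or task.get("ec2_group") or {}
    findings = []
    for rule in module.get("rules") or []:
        any_source = any(is_any_source(rule[key]) for key in ("cidr_ip", "cidr_ipv6") if key in rule)
        if any_source and covers_all_ports(rule):
            findings.append((task.get("name", "<unnamed>"), rule))
    return findings


def scan(tasks: list) -> list:
    """Scan a list of parsed Ansible tasks and collect all unrestricted ingress rules."""
    return [finding for task in tasks for finding in unrestricted_rules(task)]


def _group(name: str, rules: list) -> dict:
    """Helper to build a task in the shape yaml.safe_load produces for the page's samples."""
    return {"name": name, "amazon.aws.ec2_group": {"name": "example", "vpc_id": 12345,
                                                    "region": "eu-west-1", "rules": rules}}


# Constructed from the page's positive samples (parsed form of the YAML above).
POSITIVE_TASKS = [
    _group("example ec2 group", [
        {"proto": -1, "from_port": 0, "to_port": 0, "cidr_ip": "0.0.0.0/0"},
        {"proto": "all", "from_port": 0, "to_port": 0, "cidr_ip": "0.0.0.0/0"},
        {"proto": 12121, "from_port": 0, "to_port": 0, "cidr_ip": "0.0.0.0/0"},
    ]),
    _group("example ec2 group v2", [
        {"proto": -1, "from_port": 0, "to_port": 0, "cidr_ipv6": "::/0"},
        {"proto": "all", "from_port": 0, "to_port": 0, "cidr_ipv6": "::/0"},
        {"proto": 121212, "from_port": 0, "to_port": 0, "cidr_ipv6": "::/0"},
    ]),
]

# Constructed from the page's negative samples.
NEGATIVE_TASKS = [
    _group("example ec2 group v3", [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "10.0.0.0/8"},
    ]),
    _group("example ec2 group v4", [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ipv6": "2001:DB8:8086:6502::/32"},
    ]),
]

if __name__ == "__main__":
    for task_name, rule in scan(POSITIVE_TASKS + NEGATIVE_TASKS):
        print(f"[HIGH] task '{task_name}': ingress open to any source on all ports: {rule}")
```

Run as-is it reports the six rules from the positive samples and nothing from the negative ones. Because `is_any_source` normalizes through `ipaddress`, it also catches spellings such as `0000::/0` that a plain string comparison against `::/0` would miss; a non-literal source (a Jinja expression) is skipped rather than guessed at.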