DB Security Group Open To Large Scope

  • Query id: 0104165b-02d5-426f-abc9-91fb48189899
  • Query name: DB Security Group Open To Large Scope
  • Platform: CloudFormation
  • Severity: High
  • Category: Networking and Firewall
  • CWE: 668
  • URL: Github

Description

The IP address in a DB Security Group must not have more than 256 hosts.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  DBinstance1:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurity"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurity:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/23
Positive test num. 2 - yaml file
Resources:
  DBinstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup1"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        CidrIp: 1.2.3.4/23
Positive test num. 3 - yaml file
Resources:
  DBinstance3:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup2"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        CidrIpv6: 2001:db8:a::123/64

Positive test num. 4 - json file
{
  "Resources": {
    "DBinstance1": {
      "DeletionPolicy": "Snapshot",
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL",
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurity"
          }
        ],
        "AllocatedStorage": "5"
      }
    },
    "DbSecurity": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": {
          "CIDRIP": "1.2.3.4/23"
        }
      }
    }
  }
}
Positive test num. 5 - json file
{
  "Resources": {
    "DBinstance2": {
      "DeletionPolicy": "Snapshot",
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup1"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL",
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword"
      }
    },
    "DbSecurityByEC2SecurityGroup1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "SecurityGroupIngress": {
          "CidrIp": "1.2.3.4/23"
        }
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Resources": {
    "DBinstance3": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup2"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "SecurityGroupIngress": {
          "CidrIpv6": "2001:db8:a::123/64"
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/28
Negative test num. 2 - json file
{
  "Resources": {
    "DBinstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": {
          "CIDRIP": "1.2.3.4/28"
        }
      }
    }
  }
}