DB Security Group Open To Large Scope

Query id: 0104165b-02d5-426f-abc9-91fb48189899
Query name: DB Security Group Open To Large Scope
Platform: CloudFormation
Severity: High
Category: Networking and Firewall
CWE: 668
URL: Github
Description¶

The IP address in a DB Security Group must not have more than 256 hosts.
Documentation
Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file
Positive test num. 2 - yaml file
Positive test num. 3 - yaml file
/span>
Resources: DBinstance1: Type: AWS::RDS::DBInstance Properties: DBSecurityGroups: - Ref: "DbSecurity" AllocatedStorage: "5" DBInstanceClass: "db.t3.small" Engine: "MySQL" MasterUsername: "YourName" MasterUserPassword: "YourPassword" DeletionPolicy: "Snapshot" DbSecurity: Type: AWS::RDS::DBSecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" class="w">      DBSecurityGroupIngress: CIDRIP: 1.2.3.4/23 /span>Resources: DBinstance2: Type: AWS::RDS::DBInstance Properties: DBSecurityGroups: - Ref: "DbSecurityByEC2SecurityGroup1" AllocatedStorage: "5" DBInstanceClass: "db.t3.small" Engine: "MySQL" MasterUsername: "YourName" MasterUserPassword: "YourPassword" DeletionPolicy: "Snapshot" DbSecurityByEC2SecurityGroup1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" class="w">      SecurityGroupIngress: CidrIp: 1.2.3.4/23 /span>Resources: DBinstance3: Type: AWS::RDS::DBInstance Properties: DBSecurityGroups: - Ref: "DbSecurityByEC2SecurityGroup2" AllocatedStorage: "5" DBInstanceClass: "db.t3.small" Engine: "MySQL" MasterUsername: "YourName" MasterUserPassword: "YourPassword" DeletionPolicy: "Snapshot" DbSecurityByEC2SecurityGroup2: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" class="w">      SecurityGroupIngress: CidrIpv6: 2001:db8:a::123/64
Positive test num. 4 - json file

{
  "Resources": {
    "DBinstance1": {
      "DeletionPolicy": "Snapshot",
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL",
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurity"
          }
        ],
        "AllocatedStorage": "5"
      }
    },
    "DbSecurity": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": {
          "CIDRIP": "1.2.3.4/23"
        }
      }
    }
  }
}


Positive test num. 5 - json file

{
  "Resources": {
    "DBinstance2": {
      "DeletionPolicy": "Snapshot",
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup1"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL",
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword"
      }
    },
    "DbSecurityByEC2SecurityGroup1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "SecurityGroupIngress": {
          "CidrIp": "1.2.3.4/23"
        }
      }
    }
  }
}


Positive test num. 6 - json file

{
  "Resources": {
    "DBinstance3": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup2"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "SecurityGroupIngress": {
          "CidrIpv6": "2001:db8:a::123/64"
        }
      }
    }
  }
}



Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file#this code is a correct code for which the query should not find any result
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/28

Negative test num. 2 - json file{
  "Resources": {
    "DBinstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": {
          "CIDRIP": "1.2.3.4/28"
        }
      }
    }
  }
}