DB Security Group Open To Large Scope
- Query id: 0104165b-02d5-426f-abc9-91fb48189899
- Query name: DB Security Group Open To Large Scope
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description¶
The IP address in a DB Security Group must not have more than 256 hosts.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
DBinstance1:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
-
Ref: "DbSecurity"
AllocatedStorage: "5"
DBInstanceClass: "db.t3.small"
Engine: "MySQL"
MasterUsername: "YourName"
MasterUserPassword: "YourPassword"
DeletionPolicy: "Snapshot"
DbSecurity:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: "Ingress for Amazon EC2 security group"
DBSecurityGroupIngress:
CIDRIP: 1.2.3.4/23
Positive test num. 2 - yaml file
Resources:
DBinstance2:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
-
Ref: "DbSecurityByEC2SecurityGroup1"
AllocatedStorage: "5"
DBInstanceClass: "db.t3.small"
Engine: "MySQL"
MasterUsername: "YourName"
MasterUserPassword: "YourPassword"
DeletionPolicy: "Snapshot"
DbSecurityByEC2SecurityGroup1:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Ingress for Amazon EC2 security group"
SecurityGroupIngress:
CidrIp: 1.2.3.4/23
Positive test num. 3 - yaml file
Resources:
DBinstance3:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
-
Ref: "DbSecurityByEC2SecurityGroup2"
AllocatedStorage: "5"
DBInstanceClass: "db.t3.small"
Engine: "MySQL"
MasterUsername: "YourName"
MasterUserPassword: "YourPassword"
DeletionPolicy: "Snapshot"
DbSecurityByEC2SecurityGroup2:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Ingress for Amazon EC2 security group"
SecurityGroupIngress:
CidrIpv6: 2001:db8:a::123/64
Positive test num. 4 - json file
{
"Resources": {
"DBinstance1": {
"DeletionPolicy": "Snapshot",
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": "db.t3.small",
"Engine": "MySQL",
"MasterUsername": "YourName",
"MasterUserPassword": "YourPassword",
"DBSecurityGroups": [
{
"Ref": "DbSecurity"
}
],
"AllocatedStorage": "5"
}
},
"DbSecurity": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress": {
"CIDRIP": "1.2.3.4/23"
}
}
}
}
}
Positive test num. 5 - json file
{
"Resources": {
"DBinstance2": {
"DeletionPolicy": "Snapshot",
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBSecurityGroups": [
{
"Ref": "DbSecurityByEC2SecurityGroup1"
}
],
"AllocatedStorage": "5",
"DBInstanceClass": "db.t3.small",
"Engine": "MySQL",
"MasterUsername": "YourName",
"MasterUserPassword": "YourPassword"
}
},
"DbSecurityByEC2SecurityGroup1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"SecurityGroupIngress": {
"CidrIp": "1.2.3.4/23"
}
}
}
}
}
Positive test num. 6 - json file
{
"Resources": {
"DBinstance3": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"MasterUsername": "YourName",
"MasterUserPassword": "YourPassword",
"DBSecurityGroups": [
{
"Ref": "DbSecurityByEC2SecurityGroup2"
}
],
"AllocatedStorage": "5",
"DBInstanceClass": "db.t3.small",
"Engine": "MySQL"
},
"DeletionPolicy": "Snapshot"
},
"DbSecurityByEC2SecurityGroup2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"SecurityGroupIngress": {
"CidrIpv6": "2001:db8:a::123/64"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
DBinstance:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
-
Ref: "DbSecurityByEC2SecurityGroup"
AllocatedStorage: "5"
DBInstanceClass: "db.t3.small"
Engine: "MySQL"
MasterUsername: "YourName"
MasterUserPassword: "YourPassword"
DeletionPolicy: "Snapshot"
DbSecurityByEC2SecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: "Ingress for Amazon EC2 security group"
DBSecurityGroupIngress:
CIDRIP: 1.2.3.4/28
Negative test num. 2 - json file
{
"Resources": {
"DBinstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"MasterUsername": "YourName",
"MasterUserPassword": "YourPassword",
"DBSecurityGroups": [
{
"Ref": "DbSecurityByEC2SecurityGroup"
}
],
"AllocatedStorage": "5",
"DBInstanceClass": "db.t3.small",
"Engine": "MySQL"
},
"DeletionPolicy": "Snapshot"
},
"DbSecurityByEC2SecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress": {
"CIDRIP": "1.2.3.4/28"
}
}
}
}
}