GameLift Fleet EC2 InboundPermissions With Port Range
- Query id: 43356255-495d-4148-ad8d-f6af5eac09dd
- Query name: GameLift Fleet EC2 InboundPermissions With Port Range
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 665
- URL: Github
Description¶
AWS GameLift Fleet EC2InboundPermissions should have a single port
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
FleetResource1:
Type: AWS::GameLift::Fleet
Properties:
BuildId: !Ref BuildResource
CertificateConfiguration:
CertificateType: DISABLED
Description: Description of my Game Fleet1
DesiredEc2Instances: 1
EC2InboundPermissions:
- FromPort: '1234'
ToPort: '134'
IpRange: 0.0.0.0/24
Protocol: TCP
- FromPort: 1356
ToPort: 1578
IpRange: 192.168.0.0/24
Protocol: UDP
FleetResource3:
Type: AWS::GameLift::Fleet
Properties:
BuildId: !Ref BuildResource
CertificateConfiguration:
CertificateType: DISABLED
Description: Description of my Game Fleet3
DesiredEc2Instances: 1
EC2InboundPermissions:
- FromPort: 1234
ToPort: '134'
IpRange: 0.0.0.0/24
Protocol: TCP
- FromPort: '1356'
ToPort: 1578
IpRange: 192.168.0.0/24
Protocol: UDP
Positive test num. 2 - json file
{
"Resources": {
"FleetResource1": {
"Type": "AWS::GameLift::Fleet",
"Properties": {
"EC2InboundPermissions": [
{
"FromPort": "1234",
"ToPort": "134",
"IpRange": "0.0.0.0/24",
"Protocol": "TCP"
},
{
"FromPort": 1356,
"ToPort": 1578,
"IpRange": "192.168.0.0/24",
"Protocol": "UDP"
}
],
"BuildId": "BuildResource",
"CertificateConfiguration": {
"CertificateType": "DISABLED"
},
"Description": "Description of my Game Fleet1",
"DesiredEc2Instances": 1
}
},
"FleetResource3": {
"Type": "AWS::GameLift::Fleet",
"Properties": {
"BuildId": "BuildResource",
"CertificateConfiguration": {
"CertificateType": "DISABLED"
},
"Description": "Description of my Game Fleet3",
"DesiredEc2Instances": 1,
"EC2InboundPermissions": [
{
"FromPort": 1234,
"ToPort": "134",
"IpRange": "0.0.0.0/24",
"Protocol": "TCP"
},
{
"FromPort": "1356",
"ToPort": 1578,
"IpRange": "192.168.0.0/24",
"Protocol": "UDP"
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
FleetResource2:
Type: AWS::GameLift::Fleet
Properties:
BuildId: !Ref BuildResource
CertificateConfiguration:
CertificateType: DISABLED
Description: Description of my Game Fleet
DesiredEc2Instances: 1
EC2InboundPermissions:
- FromPort: '1234'
ToPort: '1234'
IpRange: 0.0.0.0/24
Protocol: TCP
- FromPort: '1356'
ToPort: '1356'
IpRange: 192.168.0.0/24
Protocol: UDP
Negative test num. 2 - json file
{
"Resources": {
"FleetResource2": {
"Type": "AWS::GameLift::Fleet",
"Properties": {
"CertificateConfiguration": {
"CertificateType": "DISABLED"
},
"Description": "Description of my Game Fleet",
"DesiredEc2Instances": 1,
"EC2InboundPermissions": [
{
"FromPort": "1234",
"ToPort": "1234",
"IpRange": "0.0.0.0/24",
"Protocol": "TCP"
},
{
"ToPort": "1356",
"IpRange": "192.168.0.0/24",
"Protocol": "UDP",
"FromPort": "1356"
}
],
"BuildId": "BuildResource"
}
}
}
}