GameLift Fleet EC2 InboundPermissions With Port Range

Query id: 43356255-495d-4148-ad8d-f6af5eac09dd
Query name: GameLift Fleet EC2 InboundPermissions With Port Range
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
CWE: 665
URL: Github

Description¶

AWS GameLift Fleet EC2InboundPermissions should have a single port
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

Positive test num. 2 - json file

/span>

Resources: FleetResource1: Type: AWS::GameLift::Fleet Properties: BuildId: !Ref BuildResource CertificateConfiguration: CertificateType: DISABLED Description: Description of my Game Fleet1 DesiredEc2Instances: 1 class="w">      EC2InboundPermissions: - FromPort: '1234' ToPort: '134' IpRange: 0.0.0.0/24 Protocol: TCP - FromPort: 1356 ToPort: 1578 IpRange: 192.168.0.0/24 Protocol: UDP FleetResource3: Type: AWS::GameLift::Fleet Properties: BuildId: !Ref BuildResource CertificateConfiguration: CertificateType: DISABLED Description: Description of my Game Fleet3 DesiredEc2Instances: 1 class="w">      EC2InboundPermissions: - FromPort: 1234 ToPort: '134' IpRange: 0.0.0.0/24 Protocol: TCP - FromPort: '1356' ToPort: 1578 IpRange: 192.168.0.0/24 Protocol: UDP /span>{ "Resources": { "FleetResource1": { "Type": "AWS::GameLift::Fleet", "Properties": { class="w">        "EC2InboundPermissions": [ { "FromPort": "1234", "ToPort": "134", "IpRange": "0.0.0.0/24", "Protocol": "TCP" }, { "FromPort": 1356, "ToPort": 1578, "IpRange": "192.168.0.0/24", "Protocol": "UDP" } ], "BuildId": "BuildResource", "CertificateConfiguration": { "CertificateType": "DISABLED" }, "Description": "Description of my Game Fleet1", "DesiredEc2Instances": 1 } }, "FleetResource3": { "Type": "AWS::GameLift::Fleet", "Properties": { "BuildId": "BuildResource", "CertificateConfiguration": { "CertificateType": "DISABLED" }, "Description": "Description of my Game Fleet3", "DesiredEc2Instances": 1, class="w">        "EC2InboundPermissions": [ { "FromPort": 1234, "ToPort": "134", "IpRange": "0.0.0.0/24", "Protocol": "TCP" }, { "FromPort": "1356", "ToPort": 1578, "IpRange": "192.168.0.0/24", "Protocol": "UDP" } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  FleetResource2:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: '1234'
          ToPort: '1234'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: '1356'
          ToPort: '1356'
          IpRange: 192.168.0.0/24
          Protocol: UDP

Negative test num. 2 - json file{
  "Resources": {
    "FleetResource2": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet",
        "DesiredEc2Instances": 1,
        "EC2InboundPermissions": [
          {
            "FromPort": "1234",
            "ToPort": "1234",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "ToPort": "1356",
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP",
            "FromPort": "1356"
          }
        ],
        "BuildId": "BuildResource"
      }
    }
  }
}