HTTP Port Open To Internet

Query id: ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
Query name: HTTP Port Open To Internet
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
CWE: 668
URL: Github

Description¶

The HTTP port is open to the internet in a Security Group
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

Positive test num. 2 - json file

n>

Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp class="hll">          FromPort: 80 class="hll">          ToPort: 80 CidrIp: 0.0.0.0/0 n>{ "Resources": { "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", class="hll">            "FromPort": 80, class="hll">            "ToPort": 80, "CidrIp": "0.0.0.0/0" } ] } } } class="p">}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 192.168.0.0/16

Negative test num. 2 - json file{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.168.0.0/16"
          }
        ]
      }
    }
  }
}