EC2 Instance Using Default Security Group

  • Query id: f1adc521-f79a-4d71-b55b-a68294687432
  • Query name: EC2 Instance Using Default Security Group
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 732
  • URL: Github

Description

EC2 instances should not use the default security group. Every VPC ships with a security group named `default` whose rules allow all inbound traffic from other members of the same group and all outbound traffic, so attaching it to an instance grants that instance unrestricted reachability to, and from, everything else that was left on the default group, and every rule later added to the shared group silently applies to all of them. Give each workload a dedicated `aws_security_group` with only the ingress and egress rules it needs and reference it from `vpc_security_group_ids` (or from `security_groups`, which is only valid in EC2-Classic and the default VPC and takes group names rather than IDs). The query flags an `aws_instance` whose `security_groups` or `vpc_security_group_ids` list references the default group.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_instance" "positive1" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }

  # Flagged: the instance is attached to the VPC's default security group.
  security_groups = [aws_security_group.default.id]
}
Positive test num. 2 - tf file
resource "aws_instance" "positive2" {
  ami = "ami-003634241a8fcdec0"

  instance_type = "t2.micro"

  # Flagged: same problem via vpc_security_group_ids.
  vpc_security_group_ids = [aws_security_group.default.id]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_instance" "negative1" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }

  # Not flagged: a dedicated security group defined for this workload.
  security_groups = [aws_security_group.sg.id]
}
Negative test num. 2 - tf file
resource "aws_instance" "negative2" {
  ami = "ami-003634241a8fcdec0"

  instance_type = "t2.micro"

  # Not flagged: dedicated group referenced by id.
  vpc_security_group_ids = [aws_security_group.sg.id]
}
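A complete configuration that passes this query, added here as an illustration and not taken from the KICS test fixtures: it defines a dedicated security group with an explicit allow-list for both directions, attaches it through `vpc_security_group_ids`, and additionally adopts the VPC's default group with `aws_default_security_group` so that all of its rules are removed and anything still attached to it by mistake gets no network access. The `vpc_id`, `subnet_id` and `admin_cidr` variables and the Ubuntu AMI lookup are assumed inputs.

```hcl
# Added example, not part of the KICS query fixtures.
# Assumed inputs: an existing VPC/subnet and the CIDR your admins connect from.
variable "vpc_id"     { type = string }
variable "subnet_id"  { type = string }
variable "admin_cidr" { type = string } # e.g. "203.0.113.0/24" (assumed value)

data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

# Dedicated group scoped to this workload: only the ports it actually serves.
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "HTTPS from anywhere, SSH only from the admin range"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH from the admin range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  # The default group allows all outbound traffic; restrict egress as well.
  egress {
    description = "HTTPS to package mirrors and APIs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Adopting the default group with no ingress/egress blocks makes Terraform
# remove every rule it has, so a resource attached to it by mistake can
# neither receive nor send traffic. The group itself cannot be deleted.
resource "aws_default_security_group" "default" {
  vpc_id = var.vpc_id

  tags = {
    Name = "default-do-not-use"
  }
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"
  subnet_id     = var.subnet_id

  # Reference the dedicated group by id; never aws_default_security_group.
  vpc_security_group_ids = [aws_security_group.web.id]

  tags = {
    Name = "web"
  }
}
```

Run `kics scan -p .` against the directory holding this file to confirm the query no longer fires; the `aws_default_security_group` block is the part that also protects instances created outside Terraform, since the default group is where the console places an instance when no group is chosen.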