Beta - CVM Instance Using Default Security Group
- Query id: 93bb2065-63ec-45a2-a466-f106b56f2e32
- Query name: Beta - CVM Instance Using Default Security Group
- Platform: Terraform
- Severity: Low
- Category: Access Control
- CWE: 732
- URL: Github
Description
CVM instances should not use default security group(s).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
resource "tencentcloud_security_group" "default" {
  name        = "tf-example"
  description = "test"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name           = "cvm_postpaid"
  availability_zone       = "ap-guangzhou-7"
  image_id                = "img-9qrfy1xt"
  instance_type           = "POSTPAID_BY_HOUR"
  system_disk_type        = "CLOUD_PREMIUM"
  system_disk_size        = 50
  hostname                = "root"
  project_id              = 0
  vpc_id                  = "vpc-axrsmmrv"
  subnet_id               = "subnet-861wd75e"
  orderly_security_groups = [tencentcloud_security_group.default.id]

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    encrypt        = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
```
Positive test num. 2 - tf file
```hcl
resource "tencentcloud_security_group" "default" {
  name        = "tf-example"
  description = "test"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = "ap-guangzhou-7"
  image_id          = "img-9qrfy1xt"
  instance_type     = "POSTPAID_BY_HOUR"
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "root"
  project_id        = 0
  vpc_id            = "vpc-axrsmmrv"
  subnet_id         = "subnet-861wd75e"
  security_groups   = [tencentcloud_security_group.default.id]

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    encrypt        = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "test"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = "ap-guangzhou-7"
  image_id          = "img-9qrfy1xt"
  instance_type     = "POSTPAID_BY_HOUR"
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "root"
  project_id        = 0
  vpc_id            = "vpc-axrsmmrv"
  subnet_id         = "subnet-861wd75e"
  orderly_security_groups = [
    tencentcloud_security_group.sg.id
  ]

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    encrypt        = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
```
Negative test num. 2 - tf file
```hcl
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "test"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = "ap-guangzhou-7"
  image_id          = "img-9qrfy1xt"
  instance_type     = "POSTPAID_BY_HOUR"
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "root"
  project_id        = 0
  vpc_id            = "vpc-axrsmmrv"
  subnet_id         = "subnet-861wd75e"
  security_groups = [
    tencentcloud_security_group.sg.id
  ]

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    encrypt        = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
```
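The positive and negative samples above differ only in which `tencentcloud_security_group` resource the instance's `security_groups` or `orderly_security_groups` list points at. The following is an added, stand-alone illustration of that check (not the KICS query itself, which is written in Rego): it assumes the matching rule is "the referenced security group resource is labelled `default`", walks each `tencentcloud_instance` block with a minimal brace-counting HCL scan, and reports the instance and attribute for every such reference. The sample configuration is constructed and trimmed to the attributes the check inspects.

```python
import re

# Instance attributes that attach security groups; both forms appear in the page's samples.
SG_ATTRS = ("security_groups", "orderly_security_groups")
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<label>[^"]+)"\s*\{')
SG_REF_RE = re.compile(r'tencentcloud_security_group\.(?P<label>[A-Za-z0-9_-]+)\.id')

def iter_resources(hcl):
    """Yield (type, label, body) for each top-level resource block, found by brace counting."""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group("type"), m.group("label"), hcl[m.end():i - 1]

def find_default_sg_usage(hcl):
    """Return (instance_label, attribute) for every tencentcloud_instance whose security
    group list references the resource labelled "default" (assumed matching rule)."""
    findings = []
    for rtype, label, body in iter_resources(hcl):
        if rtype != "tencentcloud_instance":
            continue
        for attr in SG_ATTRS:
            lst = re.search(rf'\b{attr}\s*=\s*\[(?P<items>[^\]]*)\]', body, re.S)
            if lst and any(r.group("label") == "default" for r in SG_REF_RE.finditer(lst.group("items"))):
                findings.append((label, attr))
    return findings

# Constructed sample input, trimmed to the attributes the check inspects.
VULNERABLE = '''
resource "tencentcloud_security_group" "default" {
  name = "tf-example"
}
resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name           = "cvm_postpaid"
  orderly_security_groups = [tencentcloud_security_group.default.id]
  data_disks {
    data_disk_size = 50
  }
}
'''
# Same configuration with a purpose-built group, as in the negative samples.
SAFE = VULNERABLE.replace('"default"', '"sg"').replace(".default.id", ".sg.id")

if __name__ == "__main__":
    print(find_default_sg_usage(VULNERABLE))  # [('cvm_postpaid', 'orderly_security_groups')]
    print(find_default_sg_usage(SAFE))        # []
```

The `\b` anchor before the attribute name keeps `security_groups` from also matching inside `orderly_security_groups`, so an instance is reported once per attribute it actually sets.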