# Beta - Security Group Rule Set Accepts All Traffic
- Query id: d135a36e-c474-452f-b891-76db1e6d1cd5
- Query name: Beta - Security Group Rule Set Accepts All Traffic
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- CWE: 285
- URL: Github
## Description

Security Group Rule Set accepts all traffic

Documentation
## Code samples

### Code samples with security vulnerabilities

#### Positive test num. 1 - tf file

```tf
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action     = "ACCEPT"
    cidr_block = "0.0.0.0/0"
    protocol   = "ALL"
    port       = "ALL"
  }
}
```
#### Positive test num. 2 - tf file

```tf
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action     = "ACCEPT"
    cidr_block = "0.0.0.0/0"
  }
}
```
#### Positive test num. 3 - tf file

```tf
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action          = "ACCEPT"
    ipv6_cidr_block = "::/0"
    protocol        = "ALL"
    port            = "ALL"
  }
}
```
#### Positive test num. 4 - tf file

### Code samples without security vulnerabilities

#### Negative test num. 1 - tf file

```tf
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action      = "ACCEPT"
    cidr_block  = "10.0.0.0/22"
    protocol    = "TCP"
    port        = "80-90"
    description = "A:Allow Ips and 80-90"
  }
  egress {
    action      = "DROP"
    cidr_block  = "10.0.0.0/16"
    protocol    = "ICMP"
    description = "A:Block ping3"
  }
}
```
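The samples above fix the boundary of the check: an `ACCEPT` ingress rule open to any source (`0.0.0.0/0` or `::/0`) with protocol and port either `ALL` or omitted is flagged, while a rule scoped to a private CIDR, a single protocol and a port range is not. The following Python script is an added example, not the KICS Rego query behind this page and not Tencent Cloud provider code: it parses the flat `ingress`/`egress` blocks shown here with a small regular-expression matcher (`parse_rule_blocks`, a hypothetical helper, not a general HCL parser) and applies that rule in `accepts_all_traffic`. The inputs are constructed to mirror the page's samples. One assumption is drawn from positive test 2, which is flagged without `protocol` or `port`: an omitted protocol or port is treated as `ALL`.

```python
import re
from typing import Dict, List

# Constructed inputs modelled on the page's samples (not the page's files verbatim).
OPEN_INGRESS_TF = '''
resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action     = "ACCEPT"
    cidr_block = "0.0.0.0/0"
    protocol   = "ALL"
    port       = "ALL"
  }
}
'''

OPEN_IPV6_NO_PORT_TF = '''
resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action          = "ACCEPT"
    ipv6_cidr_block = "::/0"
  }
}
'''

RESTRICTED_TF = '''
resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
  ingress {
    action      = "ACCEPT"
    cidr_block  = "10.0.0.0/22"
    protocol    = "TCP"
    port        = "80-90"
    description = "A:Allow Ips and 80-90"
  }
  egress {
    action      = "DROP"
    cidr_block  = "10.0.0.0/16"
    protocol    = "ICMP"
    description = "A:Block ping3"
  }
}
'''

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Minimal block/attribute matcher for the flat ingress/egress blocks shown on the
# page; it is not a general HCL parser (hypothetical helper, added here).
_BLOCK_RE = re.compile(r"^\s*(ingress|egress)\s*\{(.*?)^\s*\}", re.M | re.S)
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def parse_rule_blocks(tf_text: str) -> List[Dict[str, str]]:
    """Return each ingress/egress block as a dict of its quoted string
    attributes, plus a "_direction" key holding the block type."""
    blocks: List[Dict[str, str]] = []
    for match in _BLOCK_RE.finditer(tf_text):
        attrs = dict(_ATTR_RE.findall(match.group(2)))
        attrs["_direction"] = match.group(1)
        blocks.append(attrs)
    return blocks


def accepts_all_traffic(rule: Dict[str, str]) -> bool:
    """True when an ACCEPT rule is open to any source (0.0.0.0/0 or ::/0) and
    protocol and port are both "ALL" or omitted. Treating an omitted
    protocol/port as unrestricted is an assumption taken from the page's
    positive test 2, which is flagged without either attribute."""
    if rule.get("action", "").upper() != "ACCEPT":
        return False
    any_source = (rule.get("cidr_block") == ANY_IPV4
                  or rule.get("ipv6_cidr_block") == ANY_IPV6)
    if not any_source:
        return False
    protocol_all = rule.get("protocol", "ALL").upper() == "ALL"
    port_all = rule.get("port", "ALL").upper() == "ALL"
    return protocol_all and port_all


def scan(tf_text: str) -> List[str]:
    """Run the check over every rule block and describe each finding."""
    findings: List[str] = []
    for rule in parse_rule_blocks(tf_text):
        if accepts_all_traffic(rule):
            source = rule.get("cidr_block") or rule.get("ipv6_cidr_block")
            findings.append(
                f"{rule['_direction']} rule accepts all traffic from {source}")
    return findings


if __name__ == "__main__":
    for name, text in [("open ipv4", OPEN_INGRESS_TF),
                       ("open ipv6, no port", OPEN_IPV6_NO_PORT_TF),
                       ("restricted", RESTRICTED_TF)]:
        print(name, "->", scan(text) or "no findings")
```

Running the script reports one finding for each of the two open inputs and none for the restricted rule set, matching the positive/negative split on this page. A rule with an any-source CIDR but a specific protocol or port is deliberately left unflagged here, since the page's samples do not establish how that case should be treated.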