Beta - Security Group Rule Set Accepts All Traffic

  • Query id: d135a36e-c474-452f-b891-76db1e6d1cd5
  • Query name: Beta - Security Group Rule Set Accepts All Traffic
  • Platform: Terraform
  • Severity: High
  • Category: Networking and Firewall
  • CWE: 285
  • URL: Github

Description

Security Group Rule Set accepts all traffic
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id

  ingress {
    action     = "ACCEPT"
    cidr_block = "0.0.0.0/0"
    protocol   = "ALL"
    port       = "ALL"
  }
}
Positive test num. 2 - tf file
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id

  ingress {
    action     = "ACCEPT"
    cidr_block = "0.0.0.0/0"
  }
}
Positive test num. 3 - tf file
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id

  ingress {
    action          = "ACCEPT"
    ipv6_cidr_block = "::/0"
    protocol        = "ALL"
    port            = "ALL"
  }
}

Positive test num. 4 - tf file
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id

  ingress {
    action          = "ACCEPT"
    ipv6_cidr_block = "::/0"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id

  ingress {
    action      = "ACCEPT"
    cidr_block  = "10.0.0.0/22"
    protocol    = "TCP"
    port        = "80-90"
    description = "A:Allow Ips and 80-90"
  }

  egress {
    action      = "DROP"
    cidr_block  = "10.0.0.0/16"
    protocol    = "ICMP"
    description = "A:Block ping3"
  }
}
Negative test num. 2 - tf file
resource "tencentcloud_security_group" "sg" {
  name        = "tf-example"
  description = "Testing Rule Set Security"
}

resource "tencentcloud_security_group_rule_set" "base" {
  security_group_id = tencentcloud_security_group.sg.id
}