EC2 Instance Using Default Security Group
- Query id: 08b81bb3-0985-4023-8602-b606ad81d279
- Query name: EC2 Instance Using Default Security Group
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
EC2 instances should not use default security group(s)
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: "ami-79fd7eee"
KeyName: "testkey"
SecurityGroups:
- !Ref default
BlockDeviceMappings:
- DeviceName: "/dev/sdm"
Ebs:
VolumeType: "io1"
Iops: "200"
DeleteOnTermination: "false"
VolumeSize: "20"
- DeviceName: "/dev/sdk"
NoDevice: {}
Positive test num. 2 - json file
{
"Resources": {
"MyEC2Instance": {
"Properties": {
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sdm",
"Ebs": {
"DeleteOnTermination": "false",
"Iops": "200",
"VolumeSize": "20",
"VolumeType": "io1"
}
},
{
"DeviceName": "/dev/sdk",
"NoDevice": {}
}
],
"ImageId": "ami-79fd7eee",
"KeyName": "testkey",
"SecurityGroups": [
"default"
]
},
"Type": "AWS::EC2::Instance"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
MyEC2Instancee:
Type: AWS::EC2::Instance
Properties:
ImageId: "ami-79fd7eee"
KeyName: "testkey"
SecurityGroups:
- !Ref my_sg
BlockDeviceMappings:
- DeviceName: "/dev/sdm"
Ebs:
VolumeType: "io1"
Iops: "200"
DeleteOnTermination: "false"
VolumeSize: "20"
- DeviceName: "/dev/sdk"
NoDevice: {}
Negative test num. 2 - json file
{
"Resources": {
"MyEC2Instancee": {
"Properties": {
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sdm",
"Ebs": {
"DeleteOnTermination": "false",
"Iops": "200",
"VolumeSize": "20",
"VolumeType": "io1"
}
},
{
"DeviceName": "/dev/sdk",
"NoDevice": {}
}
],
"ImageId": "ami-79fd7eee",
"KeyName": "testkey",
"SecurityGroups": [
"my_sg"
]
},
"Type": "AWS::EC2::Instance"
}
}
}