Security Group Ingress With All Protocols
- Query id: 1a427b25-2e9e-4298-9530-0499a55e736b
- Query name: Security Group Ingress With All Protocols
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: -1
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: -1
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId
Positive test num. 2 - json file
{
"Resources": {
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "myVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": -1,
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
],
"GroupDescription": "Allow http to client host"
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"IpProtocol": "tcp",
"FromPort": 0
}
},
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"IpProtocol": -1,
"FromPort": 0,
"ToPort": 65535,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId
Negative test num. 2 - json file
{
"Resources": {
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
],
"GroupDescription": "Allow http to client host",
"VpcId": {
"Ref": "myVPC"
}
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
}
}
},
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"ToPort": 65535,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"IpProtocol": "tcp",
"FromPort": 0
}
}
}
}