EC2 Sensitive Port Is Publicly Exposed

  • Query id: 494b03d3-bf40-4464-8524-7c56ad0700ed
  • Query name: EC2 Sensitive Port Is Publicly Exposed
  • Platform: CloudFormation
  • Severity: High
  • Category: Networking and Firewall
  • CWE: 668
  • Risk score: 7.7
  • URL: Github

Description

The EC2 instance is attached to a security group whose ingress rule exposes a sensitive port to the entire network (a source of any address, written as a /0 prefix).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
# Positive fixture: every group referenced by the instance carries at least one
# ingress rule whose source is a /0 prefix, on a port this query treats as
# sensitive. A /0 mask matches every address no matter which network is written
# in front of it ('10.0.0.0/0' is not "the 10/8 range", it is everything), so
# the only rule below that is not wide open is the one without a /0 prefix.
Resources:
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
      KeyName: my-new-rsa-key
      SecurityGroupIds:
        - !Ref Positive1IPv4_1
        - !Ref Positive1IPv4_2
        - !Ref Positive1ArrayTestIPv4
        - !Ref Positive1IPv6_1
        - !Ref Positive1IPv6_2
        - !Ref Positive1ArrayTestIPv6

  # --- IPv4 rules (inline SecurityGroupIngress) ---
  Positive1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'All ports exposed on all protocols'
      SecurityGroupIngress:
        # Protocol given as an IANA number: 17 is UDP. Despite the description,
        # this rule only covers UDP/53 - it is still flagged because the source
        # is a /0 prefix.
        - IpProtocol: '17'
          FromPort: 53
          ToPort: 53
          CidrIp: '10.0.0.0/0'

  Positive1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Port 80 on TCP exposed'
      SecurityGroupIngress:
        # Same exposure written with the protocol name instead of its number.
        - IpProtocol: 'tcp'
          FromPort: 80
          ToPort: 80
          CidrIp: '192.168.0.0/0'

  Positive1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Ports 53 and 137 exposed on UDP'
      SecurityGroupIngress:
        # Exposed: UDP/53 from any address.
        - IpProtocol: 'udp'
          FromPort: 53
          ToPort: 53
          CidrIp: '172.16.0.0/0'
        # Not exposed: the source carries no /0 prefix. (A CidrIp without a
        # prefix length is not a valid CIDR for EC2 - this entry only exists
        # to check that a non-/0 rule in the same list is not reported.)
        - IpProtocol: '6'
          FromPort: 110
          ToPort: 110
          CidrIp: '10.68.0.0'
        # Exposed: UDP/137 from any address.
        - IpProtocol: 'udp'
          FromPort: 137
          ToPort: 137
          CidrIp: '172.16.0.0/0'

  # --- IPv6 rules (inline SecurityGroupIngress) ---
  Positive1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'All ports exposed on all protocols'
      SecurityGroupIngress:
        # IpProtocol -1 means every protocol; EC2 then ignores FromPort/ToPort,
        # so this opens all ports, not just 22, to any IPv6 source.
        - IpProtocol: '-1'
          FromPort: 22
          ToPort: 22
          CidrIpv6: 'fd00::/0'

  Positive1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Port 22 exposed on TCP'
      SecurityGroupIngress:
        # 6 is TCP. The host part of the CIDR is irrelevant: /0 is every address.
        - IpProtocol: '6'
          FromPort: 22
          ToPort: 22
          CidrIpv6: 'fd12:3456:789a::1/0'

  Positive1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Ports 53 and 137 exposed on UDP'
      SecurityGroupIngress:
        # Both entries are UDP (one by number, one by name) from any IPv6 source.
        - IpProtocol: '17'
          FromPort: 53
          ToPort: 53
          CidrIpv6: 'fd00:abcd:1234::42/0'
        - IpProtocol: 'udp'
          FromPort: 137
          ToPort: 137
          CidrIpv6: 'fd00:abcd:1234::42/0'
Positive test num. 2 - yaml file
---
# Positive fixture, standalone-rule form: the group itself declares no ingress;
# each rule is a separate AWS::EC2::SecurityGroupIngress resource attached via
# GroupId. Every rule below has a /0 source, so all of them are open to any
# address on the port they name. MyVPC is referenced but not declared in this
# sample; the template is a scanner fixture, not a deployable stack.
Resources:
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
      KeyName: my-new-rsa-key
      SecurityGroupIds:
        - !Ref DualStackSecurityGroup

  DualStackSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Security group for IPv4 and IPv6 ingress rules'
      VpcId: !Ref MyVPC

  # --- IPv4 rules ---
  # TCP/22 (SSH) from any address, protocol written as its IANA number.
  IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: '6'
      FromPort: 22
      ToPort: 22
      CidrIp: '10.0.0.0/0'

  # TCP/22 again, protocol written by name.
  IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: 'tcp'
      FromPort: 22
      ToPort: 22
      CidrIp: '192.168.0.0/0'

  # UDP/53 (DNS) from any address.
  IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: 'udp'
      FromPort: 53
      ToPort: 53
      CidrIp: '172.16.0.0/0'

  # UDP/137 (NetBIOS name service) from any address.
  IPv4Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: 'udp'
      FromPort: 137
      ToPort: 137
      CidrIp: '172.16.0.0/0'

  # --- IPv6 rules: the same four exposures with CidrIpv6 sources ---
  IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: '6'
      FromPort: 22
      ToPort: 22
      CidrIpv6: 'fd00::/0'

  IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: 'tcp'
      FromPort: 22
      ToPort: 22
      CidrIpv6: 'fd12:3456:789a::1/0'

  IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: 'udp'
      FromPort: 53
      ToPort: 53
      CidrIpv6: 'fd00:abcd:1234::42/0'

  IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DualStackSecurityGroup
      IpProtocol: 'udp'
      FromPort: 137
      ToPort: 137
      CidrIpv6: 'fd00:abcd:1234::42/0'
Positive test num. 3 - json file
{
  "Resources": {
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium",
        "SecurityGroupIds": [
          { "Ref": "Positive1IPv4_1" },
          { "Ref": "Positive1IPv4_2" },
          { "Ref": "Positive1ArrayTestIPv4" },
          { "Ref": "Positive1IPv6_1" },
          { "Ref": "Positive1IPv6_2" },
          { "Ref": "Positive1ArrayTestIPv6" }
        ],
        "KeyName": "my-new-rsa-key"
      }
    },
    "Positive1IPv4_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "All ports exposed on all protocols",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "17",
            "FromPort": 53,
            "ToPort": 53,
            "CidrIp": "10.0.0.0/0"
          }
        ]
      }
    },
    "Positive1IPv4_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Port 80 on TCP exposed",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.168.0.0/0"
          }
        ]
      }
    },
    "Positive1ArrayTestIPv4": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Ports 53 and 137 exposed on UDP",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "udp",
            "FromPort": 53,
            "ToPort": 53,
            "CidrIp": "172.16.0.0/0"
          },
          {
            "IpProtocol": "6",
            "FromPort": 110,
            "ToPort": 110,
            "CidrIp": "10.68.0.0"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 137,
            "ToPort": 137,
            "CidrIp": "172.16.0.0/0"
          }
        ]
      }
    },
    "Positive1IPv6_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "All ports exposed on all protocols",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "-1",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv6": "fd00::/0"
          }
        ]
      }
    },
    "Positive1IPv6_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Port 22 exposed on TCP",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "6",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv6": "fd12:3456:789a::1/0"
          }
        ]
      }
    },
    "Positive1ArrayTestIPv6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Ports 53 and 137 exposed on UDP",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "17",
            "FromPort": 53,
            "ToPort": 53,
            "CidrIpv6": "fd00:abcd:1234::42/0"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 137,
            "ToPort": 137,
            "CidrIpv6": "fd00:abcd:1234::42/0"
          }
        ]
      }
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium",
        "SecurityGroupIds": [
          { "Ref": "DualStackSecurityGroup" }
        ],
        "KeyName": "my-new-rsa-key"
      }
    },
    "DualStackSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for IPv4 and IPv6 ingress rules",
        "VpcId": { "Ref": "MyVPC" }
      }
    },
    "IPv4Ingress1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "6",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIp": "10.0.0.0/0"
      }
    },
    "IPv4Ingress2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIp": "192.168.0.0/0"
      }
    },
    "IPv4Ingress3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "udp",
        "FromPort": 53,
        "ToPort": 53,
        "CidrIp": "172.16.0.0/0"
      }
    },
    "IPv4Ingress4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "udp",
        "FromPort": 137,
        "ToPort": 137,
        "CidrIp": "172.16.0.0/0"
      }
    },
    "IPv6Ingress1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "6",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIpv6": "fd00::/0"
      }
    },
    "IPv6Ingress2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIpv6": "fd12:3456:789a::1/0"
      }
    },
    "IPv6Ingress3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "udp",
        "FromPort": 53,
        "ToPort": 53,
        "CidrIpv6": "fd00:abcd:1234::42/0"
      }
    },
    "IPv6Ingress4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "DualStackSecurityGroup" },
        "IpProtocol": "udp",
        "FromPort": 137,
        "ToPort": 137,
        "CidrIpv6": "fd00:abcd:1234::42/0"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
# Negative fixture: none of these rules should be reported by the query. Each
# one misses exactly one of the query's three conditions (TCP/UDP protocol,
# a port on the sensitive list, a /0 source) - or all of them. "Not reported"
# is not the same as "safe": several rules below still accept traffic from
# any address or from a public range and deserve their own review.
Resources:
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
      KeyName: my-new-rsa-key
      SecurityGroupIds:
        - !Ref Negative1IPv4_1
        - !Ref Negative1IPv4_2
        - !Ref Negative1ArrayTestIPv4
        - !Ref Negative1IPv6_1
        - !Ref Negative1IPv6_2
        - !Ref Negative1ArrayTestIPv6

  # --- IPv4 rules ---
  Negative1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Incorrect protocol: ICMP'
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # Wrong protocol for the query. For icmp, FromPort/ToPort are the ICMP
        # type and code, not TCP/UDP ports, so '22' is not SSH here.
        - IpProtocol: 'icmp'
          FromPort: 22
          ToPort: 22
          CidrIp: '10.0.0.0/0'

  Negative1IPv4_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Unknown port: port 5000'
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # Port not on the sensitive list. The source is still /0, so TCP/5000
        # is open to any address - outside this query's scope, not harmless.
        - IpProtocol: 'tcp'
          FromPort: 5000
          ToPort: 5000
          CidrIp: '192.168.0.0/0'

  Negative1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Mixed incorrect CIDR and 'All incorrect'"
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # Source is a specific /16, not /0: not reported. Note the range is a
        # public one, so UDP/53 is still reachable from outside the VPC.
        - IpProtocol: 'udp'
          FromPort: 53
          ToPort: 53
          CidrIp: '8.8.0.0/16'
        # Every field misses: ICMP, unlisted port, bounded /14 source.
        - IpProtocol: 'icmp'
          FromPort: 5000
          ToPort: 5000
          CidrIp: '10.68.0.0/14'

  # --- IPv6 rules ---
  Negative1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Incorrect protocol: ICMPV6'
      SecurityGroupIngress:
        # IANA protocol 58 is ICMPv6: wrong protocol for the query even though
        # the source is /0.
        - IpProtocol: '58'
          FromPort: 22
          ToPort: 22
          CidrIpv6: 'fd00::/0'

  Negative1IPv6_2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Unknown port: port 5000'
      SecurityGroupIngress:
        # TCP (6) on an unlisted port from any IPv6 address: not reported,
        # still wide open.
        - IpProtocol: '6'
          FromPort: 5000
          ToPort: 5000
          CidrIpv6: 'fd12:3456:789a::1/0'

  Negative1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Mixed incorrect CIDR and 'All incorrect'"
      SecurityGroupIngress:
        # Source is a bounded /32, not /0: not reported.
        - IpProtocol: 'udp'
          FromPort: 53
          ToPort: 53
          CidrIpv6: '2400:cb00::/32'
        # ICMPv6 on port-like values with a /0 source: wrong protocol, so
        # not reported.
        - IpProtocol: '58'
          FromPort: 110
          ToPort: 110
          CidrIpv6: 'fd00:abcd:1234::42/0'
Negative test num. 2 - yaml file
---
# Negative fixture, standalone-rule form: each AWS::EC2::SecurityGroupIngress
# below misses at least one of the query's conditions (TCP/UDP, sensitive port,
# /0 source) and must not be reported. Rules with a /0 or public source are
# still exposed to traffic from outside the VPC; the query simply does not
# cover them. MyVPC is referenced but not declared in this sample.
Resources:
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-79fd7eee
      InstanceType: t3.medium
      KeyName: my-new-rsa-key
      SecurityGroupIds:
        - !Ref Negative2SecurityGroup

  Negative2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Security group for negative test cases'
      VpcId: !Ref MyVPC

  # --- IPv4 rules ---
  # Wrong protocol: for icmp the port fields are ICMP type/code, not ports.
  Negative2IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: 'icmp'
      FromPort: 22
      ToPort: 22
      CidrIp: '10.0.0.0/0'

  # Unlisted port; the /0 source still means TCP/5000 is open to any address.
  Negative2IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: 'tcp'
      FromPort: 5000
      ToPort: 5000
      CidrIp: '192.168.0.0/0'

  # Bounded /16 source, not /0: not reported (the range is public, though).
  Negative2IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: 'udp'
      FromPort: 53
      ToPort: 53
      CidrIp: '8.8.0.0/16'

  # Every field misses: ICMP, unlisted port, bounded source.
  Negative2IPv4Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: 'icmp'
      FromPort: 5000
      ToPort: 5000
      CidrIp: '8.8.0.0/16'

  # --- IPv6 rules ---
  # IANA protocol 58 is ICMPv6: wrong protocol for the query.
  Negative2IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: '58'
      FromPort: 22
      ToPort: 22
      CidrIpv6: 'fd00::/0'

  # Unlisted port from any IPv6 address: not reported, still wide open.
  Negative2IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: 'tcp'
      FromPort: 5000
      ToPort: 5000
      CidrIpv6: 'fd12:3456:789a::1/0'

  # Bounded /32 source, not /0: not reported.
  Negative2IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: 'udp'
      FromPort: 53
      ToPort: 53
      CidrIpv6: '2400:cb00::/32'

  # Every field misses: ICMPv6, unlisted port, bounded source.
  Negative2IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: '58'
      FromPort: 5000
      ToPort: 5000
      CidrIpv6: '2400:cb00::/32'
Negative test num. 3 - json file
{
  "Resources": {
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium",
        "SecurityGroupIds": [
          { "Ref": "Negative1IPv4_1" },
          { "Ref": "Negative1IPv4_2" },
          { "Ref": "Negative1ArrayTestIPv4" },
          { "Ref": "Negative1IPv6_1" },
          { "Ref": "Negative1IPv6_2" },
          { "Ref": "Negative1ArrayTestIPv6" }
        ],
        "KeyName": "my-new-rsa-key"
      }
    },
    "Negative1IPv4_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Incorrect protocol: ICMP",
        "VpcId": { "Ref": "MyVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "icmp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "10.0.0.0/0"
          }
        ]
      }
    },
    "Negative1IPv4_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Unknown port: port 5000",
        "VpcId": { "Ref": "MyVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 5000,
            "ToPort": 5000,
            "CidrIp": "192.168.0.0/0"
          }
        ]
      }
    },
    "Negative1ArrayTestIPv4": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Mixed incorrect CIDR and 'All incorrect'",
        "VpcId": { "Ref": "MyVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "udp",
            "FromPort": 53,
            "ToPort": 53,
            "CidrIp": "8.8.0.0/16"
          },
          {
            "IpProtocol": "icmp",
            "FromPort": 5000,
            "ToPort": 5000,
            "CidrIp": "10.68.0.0/14"
          }
        ]
      }
    },
    "Negative1IPv6_1": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Incorrect protocol: ICMPV6",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "58",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv6": "fd00::/0"
          }
        ]
      }
    },
    "Negative1IPv6_2": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Unknown port: port 5000",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "6",
            "FromPort": 5000,
            "ToPort": 5000,
            "CidrIpv6": "fd12:3456:789a::1/0"
          }
        ]
      }
    },
    "Negative1ArrayTestIPv6": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Mixed incorrect CIDR and 'All incorrect'",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "udp",
            "FromPort": 53,
            "ToPort": 53,
            "CidrIpv6": "2400:cb00::/32"
          },
          {
            "IpProtocol": "58",
            "FromPort": 110,
            "ToPort": 110,
            "CidrIpv6": "fd00:abcd:1234::42/0"
          }
        ]
      }
    }
  }
}

Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.medium",
        "SecurityGroupIds": [
          { "Ref": "Negative2SecurityGroup" }
        ],
        "KeyName": "my-new-rsa-key"
      }
    },
    "Negative2SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for negative test cases",
        "VpcId": { "Ref": "MyVPC" }
      }
    },
    "Negative2IPv4Ingress1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "icmp",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIp": "10.0.0.0/0"
      }
    },
    "Negative2IPv4Ingress2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "tcp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIp": "192.168.0.0/0"
      }
    },
    "Negative2IPv4Ingress3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "udp",
        "FromPort": 53,
        "ToPort": 53,
        "CidrIp": "8.8.0.0/16"
      }
    },
    "Negative2IPv4Ingress4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "icmp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIp": "8.8.0.0/16"
      }
    },
    "Negative2IPv6Ingress1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "58",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIpv6": "fd00::/0"
      }
    },
    "Negative2IPv6Ingress2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "tcp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIpv6": "fd12:3456:789a::1/0"
      }
    },
    "Negative2IPv6Ingress3": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "udp",
        "FromPort": 53,
        "ToPort": 53,
        "CidrIpv6": "2400:cb00::/32"
      }
    },
    "Negative2IPv6Ingress4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "Negative2SecurityGroup" },
        "IpProtocol": "58",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIpv6": "2400:cb00::/32"
      }
    }
  }
}