DB Security Group With Public Scope
- Query id: 9564406d-e761-4e61-b8d7-5926e3ab8e79
- Query name: DB Security Group With Public Scope
- Platform: CloudFormation
- Severity: Critical
- Category: Networking and Firewall
- URL: Github
Description
The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6); otherwise any IP address can reach the database.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  # Security group attached to the database instance below. The ingress rule
  # admits every IPv4 address, which is the condition this query reports.
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0  # world-open IPv4 ingress: flagged by the query
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0  # egress rule; not what this query evaluates
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true  # separate concern; not what this query evaluates
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      # Binds the instance to the open security group declared above.
      VPCSecurityGroups:
        - !GetAtt DBEC2SecurityGroup.GroupId
Positive test num. 2 - yaml file
Resources:
  DBinstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true  # separate concern; not what this query evaluates
      # Classic (non-VPC) RDS DB security group, declared below.
      DBSecurityGroups:
        - Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"  # placeholder literal in a test fixture; not what this query evaluates
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        - CIDRIP: 0.0.0.0/0  # world-open IPv4 ingress on the DB security group: flagged by the query
Positive test num. 3 - yaml file
Resources:
  # IPv6 variant of the open-ingress case: the rule admits every IPv6 address.
  DBEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: "::/0"  # world-open IPv6 ingress: flagged by the query (quoted: leading ':' is a YAML indicator)
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0  # egress rule; not what this query evaluates
  DBInstance3:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true  # separate concern; not what this query evaluates
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      # Binds the instance to the open security group declared above.
      VPCSecurityGroups:
        - !GetAtt DBEC2SecurityGroup2.GroupId
Positive test num. 4 - json file
{
"Resources": {
"DBEC2SecurityGroup": {
"Properties": {
"GroupDescription": "Open database for access",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
},
"Type": "AWS::EC2::SecurityGroup"
},
"DBInstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"PubliclyAccessible": true,
"Engine": "MySQL",
"MasterUsername": {
"Ref": "DBUser"
},
"VPCSecurityGroups": [
"DBEC2SecurityGroup.GroupId"
],
"DBName": {
"Ref": "DBName"
},
"MultiAZ": {
"Ref": "MultiAZDatabase"
},
"DBInstanceClass": {
"Ref": "DBClass"
},
"AllocatedStorage": {
"Ref": "DBAllocatedStorage"
},
"MasterUserPassword": {
"Ref": "DBPassword"
}
}
}
}
}
Positive test num. 5 - json file
{
"Resources": {
"DBinstance2": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"PubliclyAccessible": true,
"DBSecurityGroups": [
{
"Ref": "DbSecurityByEC2SecurityGroup"
}
],
"AllocatedStorage": "5",
"DBInstanceClass": "db.t3.small",
"Engine": "MySQL",
"MasterUsername": "YourName",
"MasterUserPassword": "YourPassword"
},
"DeletionPolicy": "Snapshot"
},
"DbSecurityByEC2SecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress": [
{
"CIDRIP": "0.0.0.0/0"
}
]
}
}
}
}
Positive test num. 6 - json file
{
"Resources": {
"DBEC2SecurityGroup2": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"GroupDescription": "Open database for access",
"SecurityGroupIngress": [
{
"CidrIpv6": "::/0",
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80
}
]
}
},
"DBInstance3": {
"Properties": {
"Engine": "MySQL",
"AllocatedStorage": {
"Ref": "DBAllocatedStorage"
},
"MasterUserPassword": {
"Ref": "DBPassword"
},
"VPCSecurityGroups": [
"DBEC2SecurityGroup2.GroupId"
],
"PubliclyAccessible": true,
"DBName": {
"Ref": "DBName"
},
"MultiAZ": {
"Ref": "MultiAZDatabase"
},
"MasterUsername": {
"Ref": "DBUser"
},
"DBInstanceClass": {
"Ref": "DBClass"
}
},
"Type": "AWS::RDS::DBInstance"
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# This template is compliant: the query should not report any result.
Resources:
  # Ingress is limited to specific source ranges; only egress remains open.
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          # NOTE(review): host bits are set in this block (network address would be 1.2.3.0/24);
          # EC2 may reject a non-canonical CIDR at deploy time. Static-analysis fixture only.
          CidrIp: 1.2.3.4/24
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          # NOTE(review): no prefix length on this IPv6 value; EC2 may require one (e.g. /128).
          CidrIpv6: "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0  # open egress is left in place: the query evaluates ingress CIDRs only
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true  # separate concern; not what this query evaluates
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
        - !GetAtt DBEC2SecurityGroup.GroupId
Negative test num. 2 - yaml file
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true  # separate concern; not what this query evaluates
      # Classic (non-VPC) RDS DB security group, declared below.
      DBSecurityGroups:
        - Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"  # placeholder literal in a test fixture; not what this query evaluates
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        # Restricted source range, so the query does not fire.
        # NOTE(review): host bits are set in this block (network address would be 1.2.3.0/24);
        # RDS may reject a non-canonical CIDR at deploy time. Static-analysis fixture only.
        - CIDRIP: 1.2.3.4/24
Negative test num. 3 - json file
{
"Resources": {
"DBEC2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"SecurityGroupIngress": [
{
"CidrIp": "1.2.3.4/24",
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80
},
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"GroupDescription": "Open database for access"
}
},
"DBInstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"PubliclyAccessible": true,
"DBName": {
"Ref": "DBName"
},
"MultiAZ": {
"Ref": "MultiAZDatabase"
},
"MasterUsername": {
"Ref": "DBUser"
},
"AllocatedStorage": {
"Ref": "DBAllocatedStorage"
},
"Engine": "MySQL",
"DBInstanceClass": {
"Ref": "DBClass"
},
"MasterUserPassword": {
"Ref": "DBPassword"
},
"VPCSecurityGroups": [
"DBEC2SecurityGroup.GroupId"
]
}
}
}
}
Negative test num. 4 - json file
{
"Resources": {
"DBinstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"AllocatedStorage": "5",
"DBInstanceClass": "db.t3.small",
"Engine": "MySQL",
"MasterUsername": "YourName",
"MasterUserPassword": "YourPassword",
"PubliclyAccessible": true,
"DBSecurityGroups": [
{
"Ref": "DbSecurityByEC2SecurityGroup"
}
]
},
"DeletionPolicy": "Snapshot"
},
"DbSecurityByEC2SecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"GroupDescription": "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress": [
{
"CIDRIP": "1.2.3.4/24"
}
]
}
}
}
}