ELB With Security Group Without Inbound Rules
- Query id: e200a6f3-c589-49ec-9143-7421d4a2c845
- Query name: ELB With Security Group Without Inbound Rules
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 665
- Risk score: 5.2
- URL: Github
Description¶
An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
sgwithoutingress:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Limits security group egress traffic
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
SecurityGroups:
- sgwithoutingress
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithoutingress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic"
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"sgwithoutingress"
]
}
}
}
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
sgwithingress:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Limits security group egress traffic
sgIngressRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref wrong_ref
IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
MyLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
SecurityGroups:
- !Ref sgwithingress
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithingress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic"
}
},
"sgIngressRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "wrong_ref"
},
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "sgwithingress"
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
sgwithingress:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Limits security group egress traffic
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
SecurityGroups:
- sgwithingress
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithingress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic",
"SecurityGroupIngress": [
{
"ToPort": 80,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 80
}
]
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups": [
"sgwithingress"
]
}
}
}
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
sgwithingress:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Limits security group egress traffic
sgIngressRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref sgwithingress
IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
MyLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
SecurityGroups:
- !Ref sgwithingress
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"sgwithingress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic"
}
},
"sgIngressRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgwithingress"
},
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
{
"Ref": "sgwithingress"
}
]
}
}
}
}