DB Security Group Has Public Interface

  • Query id: dd667399-8d9d-4a8d-bbb4-e49ab53b2f52
  • Query name: DB Security Group Has Public Interface
  • Platform: Crossplane
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

The CIDR IP of a security group ingress rule should not be a public interface such as 0.0.0.0/0, which would allow any source address on the internet to reach the database port.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: SecurityGroup
metadata:
  name: ec2-rule2
spec:
  forProvider:
    region: us-east-1
    vpcIdSelector:
      matchControllerRef: true
    groupName: crossplane-getting-started
    description: Allow access to PostgreSQL
    ingress:
      - fromPort: 5432
        toPort: 5432
        ipProtocol: tcp
        ipRanges:
          - cidrIp: 0.0.0.0/0
            description: Everywhere
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: ec2.aws.crossplane.io/v1beta1
        kind: SecurityGroup
        metadata:
          name: ec2-rule5
        spec:
          forProvider:
            region: us-east-1
            vpcIdSelector:
              matchControllerRef: true
            groupName: crossplane-getting-started
            description: Allow access to PostgreSQL
            ingress:
              - fromPort: 5432
                toPort: 5432
                ipProtocol: tcp
                ipRanges:
                  - cidrIp: 0.0.0.0/0
                    description: Everywhere
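As an added illustration (not part of the KICS query or the Crossplane project), the following checker walks already-parsed manifests, finds every SecurityGroup including one embedded as a Composition base, and reports ingress ranges whose cidrIp is public. It assumes the documents have been loaded into Python dicts by a YAML parser; the embedded documents are a constructed, field-trimmed copy of the positive sample above. It goes slightly beyond the 0.0.0.0/0 case by also flagging any non-private range.

```python
import ipaddress
from typing import Any, Iterator

# Constructed input: the positive sample above, parsed and trimmed to the
# fields this check needs (a SecurityGroup open to 0.0.0.0/0 and a
# Composition whose base embeds the same kind of rule).
POSITIVE_DOCS = [
    {"apiVersion": "ec2.aws.crossplane.io/v1beta1", "kind": "SecurityGroup",
     "metadata": {"name": "ec2-rule2"},
     "spec": {"forProvider": {"ingress": [
         {"fromPort": 5432, "toPort": 5432, "ipProtocol": "tcp",
          "ipRanges": [{"cidrIp": "0.0.0.0/0", "description": "Everywhere"}]}]}}},
    {"apiVersion": "apiextensions.crossplane.io/v1", "kind": "Composition",
     "metadata": {"name": "cluster-aws"},
     "spec": {"resources": [{"name": "sample-ec2", "base": {
         "apiVersion": "ec2.aws.crossplane.io/v1beta1", "kind": "SecurityGroup",
         "metadata": {"name": "ec2-rule5"},
         "spec": {"forProvider": {"ingress": [
             {"fromPort": 5432, "toPort": 5432, "ipProtocol": "tcp",
              "ipRanges": [{"cidrIp": "0.0.0.0/0", "description": "Everywhere"}]}]}}}}]}},
]

def security_groups(node: Any) -> Iterator[dict]:
    """Yield every SecurityGroup object, including ones nested under a Composition base."""
    if isinstance(node, dict):
        if node.get("kind") == "SecurityGroup" and "spec" in node:
            yield node
        for value in node.values():
            yield from security_groups(value)
    elif isinstance(node, list):
        for item in node:
            yield from security_groups(item)

def cidr_is_public(cidr: str) -> bool:
    """True for a /0 (the whole address space) or any range outside private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private

def find_public_ingress(docs: list) -> list:
    """Return (security group name, port range, cidr) for each public ingress range."""
    findings = []
    for sg in security_groups(docs):
        name = sg.get("metadata", {}).get("name", "<unnamed>")
        for rule in sg["spec"].get("forProvider", {}).get("ingress", []):
            ports = f'{rule.get("fromPort")}-{rule.get("toPort")}'
            for ip_range in rule.get("ipRanges", []):
                cidr = ip_range.get("cidrIp")
                if cidr and cidr_is_public(cidr):
                    findings.append((name, ports, cidr))
    return findings
```

Run against the negative sample's 10.0.0.0/8 rules the same function returns an empty list.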

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: SecurityGroup
metadata:
  name: ec2-rule1
spec:
  forProvider:
    region: us-east-1
    vpcIdSelector:
      matchControllerRef: true
    groupName: crossplane-getting-started
    description: Allow access to PostgreSQL
    ingress:
      - fromPort: 5432
        toPort: 5432
        ipProtocol: tcp
        ipRanges:
          - cidrIp: 10.0.0.0/8
            description: sample
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: ec2.aws.crossplane.io/v1beta1
        kind: SecurityGroup
        metadata:
          name: ec2-rule
        spec:
          forProvider:
            region: us-east-1
            vpcIdSelector:
              matchControllerRef: true
            groupName: crossplane-getting-started
            description: Allow access to PostgreSQL
            ingress:
              - fromPort: 5432
                toPort: 5432
                ipProtocol: tcp
                ipRanges:
                  - cidrIp: 10.0.0.0/8
                    description: sample