Unrestricted Security Group Ingress
- Query id: 4728cd65-a20c-49da-8b31-9c08b423e4db
- Query name: Unrestricted Security Group Ingress
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.2
- URL: Github
Description
Security groups allow ingress from 0.0.0.0/0 and/or ::/0 (any IPv4 and/or any IPv6 source address)
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample 1: inline `ingress` blocks on aws_security_group.
# Each resource below is expected to be flagged because at least one ingress
# block admits every IPv4 source (0.0.0.0/0) or every IPv6 source (::/0).
resource "aws_security_group" "positive1-ipv4" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Flagged: 0.0.0.0/0 exposes TCP/3306 to the whole IPv4 internet.
    cidr_blocks = ["0.0.0.0/0"]
    # NOTE(review): security_group_id is not an argument of the nested
    # `ingress` block on aws_security_group as far as I know (it belongs to
    # aws_security_group_rule); `terraform validate` may reject it — confirm.
    security_group_id = aws_security_group.default.id
  }
}

resource "aws_security_group" "positive1-ipv6" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Flagged: ::/0 exposes TCP/3306 to the whole IPv6 internet.
    ipv6_cidr_blocks = ["::/0"]
    # NOTE(review): same questionable `security_group_id` placement as above — confirm.
    security_group_id = aws_security_group.default.id
  }
}

resource "aws_security_group" "positive1-ipv4_array" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Not the literal the query matches; note that any /0 prefix covers every
    # address regardless of the written host bits, so this is semantically
    # equivalent to 0.0.0.0/0 — the literal match is what keeps it unflagged.
    cidr_blocks = ["1.0.0.0/0"]
  }
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Flagged: the second ingress block is the one that is open to all IPv4.
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "positive1-ipv6_array" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Bounded IPv6 range; on its own this block would not be flagged.
    ipv6_cidr_blocks = ["fc00::/8"]
  }
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Flagged: the second ingress block is open to all IPv6.
    ipv6_cidr_blocks = ["::/0"]
  }
}
Positive test num. 2 - tf file
# Positive sample 2: standalone aws_vpc_security_group_ingress_rule resources.
# This resource type takes a single CIDR string (cidr_ipv4 / cidr_ipv6) rather
# than a list; each rule below is expected to be flagged.
resource "aws_vpc_security_group_ingress_rule" "positive2-ipv4" {
  security_group_id = aws_security_group.default.id
  from_port         = 3306
  to_port           = 3306
  ip_protocol       = "tcp"
  # Flagged: open to every IPv4 source.
  cidr_ipv4   = "0.0.0.0/0"
  description = "Allow MySQL from anywhere"
}

resource "aws_vpc_security_group_ingress_rule" "positive2-ipv6_1" {
  security_group_id = aws_security_group.default.id
  from_port         = 3306
  to_port           = 3306
  ip_protocol       = "tcp"
  # Flagged: open to every IPv6 source.
  cidr_ipv6   = "::/0"
  description = "Allow MySQL from anywhere over IPv6"
}

resource "aws_vpc_security_group_ingress_rule" "positive2-ipv6_2" {
  security_group_id = aws_security_group.default.id
  from_port         = 3306
  to_port           = 3306
  ip_protocol       = "tcp"
  # Flagged: the fully expanded spelling of ::/0; the query is expected to
  # recognise this form as well, not only the compressed one.
  cidr_ipv6   = "0000:0000:0000:0000:0000:0000:0000:0000/0"
  description = "Allow MySQL from anywhere over IPv6"
}
Positive test num. 3 - tf file
# Positive sample 3: standalone aws_security_group_rule resources with
# type = "ingress". Each rule below is expected to be flagged.
resource "aws_security_group_rule" "positive3-ipv4" {
  type      = "ingress"
  from_port = 3306
  to_port   = 3306
  protocol  = "tcp"
  # Flagged: open to every IPv4 source.
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.default.id
}

resource "aws_security_group_rule" "positive3-ipv6_1" {
  type      = "ingress"
  from_port = 3306
  to_port   = 3306
  protocol  = "tcp"
  # Flagged: open to every IPv6 source.
  ipv6_cidr_blocks  = ["::/0"]
  security_group_id = aws_security_group.default.id
}

resource "aws_security_group_rule" "positive3-ipv6_2" {
  type      = "ingress"
  from_port = 3306
  to_port   = 3306
  protocol  = "tcp"
  # Flagged: a partially expanded spelling of ::/0 (each group written as "0").
  ipv6_cidr_blocks  = ["0:0:0:0:0:0:0:0/0"]
  security_group_id = aws_security_group.default.id
}
Positive test num. 4 - tf file
# Positive sample 4: the terraform-aws-modules/security-group/aws module.
# The query inspects the module inputs ingress_cidr_blocks,
# ingress_ipv6_cidr_blocks, ingress_with_cidr_blocks and
# ingress_with_ipv6_cidr_blocks; each module call below is expected to be flagged.
module "positive4-ipv4" {
  source = "terraform-aws-modules/security-group/aws"
  # Flagged: open to every IPv4 source.
  ingress_cidr_blocks = ["0.0.0.0/0"]
}

module "positive4-ipv4_array" {
  source = "terraform-aws-modules/security-group/aws"
  # Flagged: a single 0.0.0.0/0 entry anywhere in the list is enough.
  ingress_cidr_blocks = ["10.10.0.0/16", "0.0.0.0/0"]
}

module "positive4-ipv6" {
  source = "terraform-aws-modules/security-group/aws"
  # Flagged: open to every IPv6 source.
  ingress_ipv6_cidr_blocks = ["::/0"]
}

module "positive4-ipv6_array" {
  source = "terraform-aws-modules/security-group/aws"
  # Flagged: a single ::/0 entry anywhere in the list is enough.
  ingress_ipv6_cidr_blocks = ["fc00::/8", "::/0"]
}

module "positive4-whole_ingresses" {
  source = "terraform-aws-modules/security-group/aws"
  # Per-rule objects: the first and third entries carry 0.0.0.0/0 and are
  # expected to be flagged; the second is bounded to an internal range.
  ingress_with_cidr_blocks = [
    {
      description = "Allow HTTP from anywhere"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    },
    {
      description = "Allow HTTP from internal network"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["10.10.0.0/16"]
    },
    {
      # The description is misleading: the list also admits every IPv4 source.
      description = "Allow HTTP from internal network"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["10.10.0.0/16","0.0.0.0/0"]
    }
  ]
  # Same shape for IPv6: the first and third entries carry ::/0.
  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "Allow HTTP from all IPv6 addresses"
      from_port        = 80
      to_port          = 80
      protocol         = "tcp"
      ipv6_cidr_blocks = ["::/0"]
    },
    {
      description      = "Allow HTTP from internal IPv6 range"
      from_port        = 80
      to_port          = 80
      protocol         = "tcp"
      ipv6_cidr_blocks = ["fc00::/8"]
    },
    {
      # The description is misleading: the list also admits every IPv6 source.
      description      = "Allow HTTP from internal IPv6 range"
      from_port        = 80
      to_port          = 80
      protocol         = "tcp"
      ipv6_cidr_blocks = ["fc00::/8","::/0"]
    }
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample 1: inline `ingress` blocks on aws_security_group that the
# query must NOT flag, because none of them spells out 0.0.0.0/0 or ::/0.
resource "aws_security_group" "negative1-ipv4" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Not flagged because the literal differs from 0.0.0.0/0.
    # NOTE(review): a /0 prefix matches every address whatever host bits are
    # written, so this is semantically the same exposure as 0.0.0.0/0; it only
    # passes because the query matches the literal string — confirm that this
    # is the intended scope of the check rather than a false negative.
    cidr_blocks = ["0.0.2.0/0"]
    # NOTE(review): security_group_id is not an argument of the nested
    # `ingress` block on aws_security_group as far as I know — confirm.
    security_group_id = aws_security_group.default.id
  }
}

resource "aws_security_group" "negative1-ipv6" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Bounded IPv6 range; not flagged.
    ipv6_cidr_blocks = ["fc00::/8"]
    # NOTE(review): same questionable `security_group_id` placement as above — confirm.
    security_group_id = aws_security_group.default.id
  }
}

resource "aws_security_group" "negative1-ipv4_array" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Not flagged (literal mismatch); see the /0 caveat on negative1-ipv4.
    cidr_blocks = ["1.0.0.0/0"]
  }
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Not flagged (literal mismatch); see the /0 caveat on negative1-ipv4.
    cidr_blocks = ["0.0.1.0/0"]
  }
}

resource "aws_security_group" "negative1-ipv6_array" {
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Bounded IPv6 range; not flagged.
    ipv6_cidr_blocks = ["fc00::/9"]
  }
  ingress {
    from_port = 3306
    to_port   = 3306
    protocol  = "tcp"
    # Bounded IPv6 range; not flagged.
    ipv6_cidr_blocks = ["fc00::/8"]
  }
}
Negative test num. 2 - tf file
# Negative sample 2: aws_vpc_security_group_ingress_rule resources that the
# query must NOT flag.
resource "aws_vpc_security_group_ingress_rule" "negative2-ipv4" {
  security_group_id = aws_security_group.default.id
  from_port         = 3306
  to_port           = 3306
  ip_protocol       = "tcp"
  # Not flagged because the literal differs from 0.0.0.0/0.
  # NOTE(review): a /0 prefix still covers every IPv4 address, so this is the
  # same exposure as 0.0.0.0/0; it passes only on literal matching — confirm
  # the check is meant to be that narrow.
  cidr_ipv4 = "0.0.2.0/0"
}

resource "aws_vpc_security_group_ingress_rule" "negative2-ipv6" {
  security_group_id = aws_security_group.default.id
  from_port         = 3306
  to_port           = 3306
  ip_protocol       = "tcp"
  # Bounded IPv6 range; not flagged.
  cidr_ipv6 = "fc00::/8"
}
Negative test num. 3 - tf file
# Negative sample 3: aws_security_group_rule resources (type = "ingress") that
# the query must NOT flag.
resource "aws_security_group_rule" "negative3-ipv4" {
  type      = "ingress"
  from_port = 3306
  to_port   = 3306
  protocol  = "tcp"
  # Not flagged because the literal differs from 0.0.0.0/0.
  # NOTE(review): a /0 prefix still covers every IPv4 address, so this is the
  # same exposure as 0.0.0.0/0; it passes only on literal matching — confirm
  # the check is meant to be that narrow.
  cidr_blocks       = ["0.0.2.0/0"]
  security_group_id = aws_security_group.default.id
}

resource "aws_security_group_rule" "negative3-ipv6" {
  type      = "ingress"
  from_port = 3306
  to_port   = 3306
  protocol  = "tcp"
  # Bounded IPv6 range; not flagged.
  ipv6_cidr_blocks  = ["fc00::/8"]
  security_group_id = aws_security_group.default.id
}
Negative test num. 4 - tf file
# Negative sample 4: terraform-aws-modules/security-group/aws module calls whose
# ingress inputs only name bounded ranges; none is expected to be flagged.
module "negative4-ipv4" {
  source = "terraform-aws-modules/security-group/aws"
  # Internal IPv4 range; not flagged.
  ingress_cidr_blocks = ["10.10.0.0/16"]
}

module "negative4-ipv4_array" {
  source = "terraform-aws-modules/security-group/aws"
  # Bounded IPv4 ranges; not flagged.
  # NOTE(review): both entries have host bits set beyond their prefix length
  # (non-canonical CIDRs); the query does not care, but a provider or API
  # validation step might — confirm if these samples are meant to be applyable.
  ingress_cidr_blocks = ["10.10.2.0/16", "192.12.0.1/20"]
}

module "negative4-ipv6" {
  source = "terraform-aws-modules/security-group/aws"
  # Bounded IPv6 range; not flagged.
  ingress_ipv6_cidr_blocks = ["fc00::/8"]
}

module "negative4-ipv6_array" {
  source = "terraform-aws-modules/security-group/aws"
  # Bounded IPv6 ranges; not flagged.
  ingress_ipv6_cidr_blocks = ["fc00::/8", "fd00::/12"]
}

module "negative4-whole_ingresses" {
  source = "terraform-aws-modules/security-group/aws"
  # Per-rule objects restricted to internal IPv4 ranges; not flagged.
  ingress_with_cidr_blocks = [
    {
      description = "Allow HTTP from internal IPv4 network"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["10.10.0.0/16"]
    },
    {
      description = "Allow HTTP from internal IPv4 network"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      # Same non-canonical CIDRs as negative4-ipv4_array above.
      cidr_blocks = ["10.10.2.0/16", "192.12.0.1/20"]
    }
  ]
  # Per-rule objects restricted to internal IPv6 ranges; not flagged.
  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "Allow HTTP from internal IPv6 network"
      from_port        = 80
      to_port          = 80
      protocol         = "tcp"
      ipv6_cidr_blocks = ["fc00::/8"]
    },
    {
      description      = "Allow HTTP from internal IPv6 network"
      from_port        = 80
      to_port          = 80
      protocol         = "tcp"
      ipv6_cidr_blocks = ["fc00::/8", "fd00::/12"]
    }
  ]
}